Effective data security: The time to act is now

The recent hacking of the customer details of 2.4 million customers of Carphone Warehouse provides a stark reminder of the risks of data breaches and the importance of effective data security.

Hackers accessed the names, dates of birth and bank details of Carphone Warehouse’s customers. 90,000 customer credit cards may also have been accessed, albeit this information was thankfully encrypted. Such an attack increases the risk of identity theft for each of the customers affected. In late 2014, having suffered a similar breach, TalkTalk failed to warn its customers promptly leaving them ill-prepared to deal with subsequent fraudulent phone calls from individuals quoting their account numbers and other personal data. In this case, Carphone Warehouse took the responsible step of swiftly contacting affected customers so they could change their passwords, contact their bank and credit card companies and remain vigilant to fraudulent calls in good time.

The impact on Carphone Warehouse cannot be underestimated. If the Information Commissioner’s Office (ICO) finds that Carphone Warehouse has breached the data security requirements of the Data Protection Act 1998, it may take enforcement action, including the imposition of a fine.  Although currently limited to £500,000, discussions are taking place within the European Union about whether to increase this fine limit to 5% of a company’s annual turnover (although this is unlikely to affect Carphone Warehouse as its retroactive application is improbable). Separately, affected customers may choose to sue. Most importantly, such an event will have disrupted Carphone Warehouse’s business and undermined the confidence of existing and future customers. This incident will also have caused shareholder concern as it will inevitably leave a dent in the phone company’s future profits.

Data security breaches are not just caused by external attacks upon a business. In the 2015 Information Security Breaches Survey, half of all organisations stated that the worst breaches were caused by inadvertent human error. Reviewing the fines that the ICO has imposed in the past for data security breaches, it is clear that a significant number relate to the inadvertent loss of portable devices.

It is impossible for any business to guarantee the security of the customer data it holds and the Data Protection Act does not require such a guarantee to be provided. However, the legislation does require “appropriate technical and organisational measures” to be taken against unauthorised access or accidental loss. The Money Shop was recently fined £180,000 by the ICO after one server was stolen and another lost in transit. The fine was imposed because the Money Shop failed to take the “appropriate measures” of ensuring that the personal data on its servers was encrypted and they were locked away at night. 

What is appropriate for one business will be unsuitable for another.  However, the following ten point guide provides a solid starting point for reasonably safeguarding the data held by your business:

1. Conduct (or refresh) a risk assessment and design your security systems with reference to the data you hold and the harm that may result from a security breach. Bank details must always be treated with specific care;
2. Make data security a board level responsibility. Identify individuals responsible for designing and implementing appropriate measures;
3. Put in place appropriate technical security measures to protect your electronic systems and ensure they remain up to date. This will include firewalls, malware protection, encryption, passwords, managing user privileges and constant monitoring;
4. Put in place appropriate physical security measures. This will include controlling access to equipment on the premises, maintaining control over mobile and home working, and securely disposing of soft and hard copy material, as well as equipment;
5. Design and implement robust policies and procedures with respect to data handling;
6. Ensure that every individual in the business is trained on these policies and procedures – and this training is regularly updated. Build a culture of security awareness in your business;
7. Ensure that any third parties which process data on your behalf are also subject to appropriate security measures (and confirm this in your contract). Consider the arrangements you have in place with data which is stored or processed in the cloud;
8. Reduce the risks by minimising the data you hold. Securely delete or archive customer data from your computer systems which is no longer needed;
9. Be ready to identify and respond quickly and effectively to data security breaches. Delay will only increase potential damage to your customers and your business;
10. Maintain a record of data security risks and breaches. Review this regularly and amend your security measures accordingly.

​This article was first published in Real Business 20.08.15

If you need legal advice in relation to data security or information law, please contact a member of our Data Protection Team.