The risks of holding data
Over the last few years we have all become very used to businesses using new and innovative ways to collect and store information about us.
They use our personal details, our buying behaviours, our purchasing history and our financial status to build a profile around us. Businesses hold, transfer and utilise vast amounts of personal data on a daily basis and to a large extent that is a positive shift, allowing us to interact quickly with trusted suppliers without constantly re-providing information. It also enables us to sift through the almost infinite amount of information in the public domain to find things that truly interest us. But, as Spiderman says, “With great power comes great responsibility”: the more third-party data that companies hold, the greater the risk in the event of a cyber breach.
If your business is one which collects and stores any kind of staff, customer or prospect data then you will no doubt be aware of the introduction of the new General Data Protection Regulation (GDPR), which will apply from May 2018. The regulations have not been finalised yet, but details of what is expected can be found on the Information Commissioner's Office (ICO) website, ico.org.uk.
What you may not be aware of is that the first data leak class action appeared in UK courts recently. High Street giant Morrisons were found liable for the actions of a former member of staff who stole the data of thousands of employees and posted it online.
Workers brought a claim against the company after an employee stole the data, including salary and bank details, of nearly 100,000 staff. The High Court ruling now allows those affected to claim compensation for the “upset and distress” caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision.
The case follows a security breach in 2014 when the employee, then a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of employees. He posted the information, including names, addresses, bank account details and salaries, online and sent it to newspapers. Lawyers said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss. They stated that the company was responsible for breaches of privacy, confidence and data protection laws. At the High Court hearing sitting in Leeds, the judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable, adding that primary liability had not been established.
Morrisons have incurred more than £2m in costs responding to the misuse. It is a sobering thought.
In addition to this, the ICO issued two fines for breaches of data security in the last quarter of 2017: it fined the London Borough of Islington £70,000 for a failure to keep up to 89,000 people’s information secure on its parking ticket system website, and Talk Talk Telecom Group Plc received a fine of £100,000 after it failed to look after its customers' data.
What can I do?
This all sounds scary, but there are ways to manage and control your risk:
• Visit the ICO website to keep abreast of developments to the incoming GDPR and download their guide to GDPR.
• Consider undertaking an IT risk assessment of your business to identify any vulnerabilities.
• Speak to us about the different types of Cyber Insurance that are available; we can work with you to create a blend of covers to suit your specific requirements, and it may not be as expensive as you think.
We all have a part to play in beating cyber criminals by remaining alert and compliant and being aware of our responsibilities when handling precious data that has been entrusted to us.