Cybersecurity for e-tailers is now a c-suite level issue with the number of data breaches reported to the ICO almost doubling in the last year. eCommerce has become a particular target for attacks due to the vast quantities and nature of data involved, such as card details and contact details. UK retailers including Cex, Sports Direct, Debenhams and British Airways have all been subject to some of the highest profile online data breaches in the last two years. Breaches in the US are just as prevalent with over 70 million Target customers having their personal information hacked.
Aside from the reputation issues and loss of consumer trust that face e-tailers who are the subject of a security breach, an out of the blue cyber-attack could also result in hefty fines if:
a) The security breach is not promptly notified to the regulator and/or data subject;
b) The organisation’s operational and technical security measures are found wanting by the regulator; and/or
c) The organisation does not keep appropriate records of the breach and what was done to address the breach.
The level of fines will substantially increase once the GDPR comes into force where fines for breach of an organisation’s security obligations can be anywhere up to €20 million or 4% of global turnover.
For this reason, it is vital that e-tailers start putting in place measures now to deal with potential cybersecurity threats in future. We set out a few tips to help below.
Putting in place data breach protocols
Under the GDPR, organisations will be subject to mandatory 72-hour reporting obligation in the event of a data breach unless the data breach is unlikely to involve a high risk to the rights and freedoms of a natural person. This can be difficult to ascertain at the time of discovery and where in doubt, organisations should report the actual or suspected breach to the regulator. The time frame of 72 hours from becoming aware is tight but organisations will be penalised for failing to promptly notify. Therefore, it is imperative that an organisation ensures that its data breach and reporting policies are implemented and/or updated to ensure there is a set procedure on what to do if a data breach happens and how to log it.
Where a data breach involves a high risk to the rights and freedoms of a natural person, the data subject may also need to be informed which means organisations should have a PR person on hand to assist it in those communications to minimise any further reputational damage.
Finally, it is not just notifications to the regulator and/or data subject that organisations need to worry about. All organisations should as a first step on becoming aware of an actual or suspected data breach notify the organisation’s relevant insurers of the breach. For that reason, we recommend that details of the insurers are included in any data breach protocol.
Know your data
One way to be prepared for, and importantly protect against, any data breach is for organisations to keep accurate data inventories. By knowing where data is kept and who has access to it, it is easier for organisations to protect such data. Knowing where data is and who has access to it will also make it easier to identify the source of any security breach as well as hopefully alert the organisation to a security breach in the first place. Such knowledge will also mean organisations are more likely to be on the front foot instead of the back foot in the event of a security breach which should hopefully minimise fines and further reputational damage. Just think of the reputational damage suffered by Yahoo when it discovered 1 billion accounts had been compromised three years after the event….
Keep your technical and organisational measures under constant review
Having appropriate technical and organisational measures in place to protect against unlawful processing of personal data is a requirement under existing data protection law. This requirement will be expanded under the GDPR which actually sets out examples of various measures that organisations may take such as encryption or pseudonymisation. However, it is not enough to simply put these measures in place. An organisation needs to keep these measures (whether physical or technical) under constant review and put in place policies and procedures to ensure any vulnerability in the measures is promptly identified and dealt with effectively. This may include carrying out regular software updates, having a robust governance regime in place with third party IT security providers and setting up regular internal security meetings with individuals of different levels of seniority within the organisation attending to ensure all security issues are uncovered and dealt with effectively.
Personnel Training
Statistics shows that a large proportion of cyber breaches arise from human factors such as inadequate training or human error. Organisations should therefore ensure that all personnel are made aware of, and receive appropriate training in respect of, the various security threats to data and the measures taken by the organisation to protect data against such threats. For example, all personnel should be trained to spot a phishing email. Personnel should also be trained on what to do in the event of a security breach as a security breach is likely to affect all areas of the business. Such training should also not be a one off – instead it should be carried out at regular intervals (in line with any updates to the security measures in place) to ensure that personnel do not become blasé.
Bryony Long is a senior associate at law firm, Lewis Silkin.