The hack of 2.4m Carphone Warehouse customer records (including 90,000 credit card details) has received much coverage in the press. The Information Commissioner’s Office, the body that regulates compliance with the UK Data Protection Act, has said that it is “making enquiries”. It would be inappropriate for me to comment on whether Carphone Warehouse could have prevented this. That’s what their enquiries and those of the ICO will determine.
However, recognising that the ICO can levy fines of up to £500,000 (soon to be 2% of global turnover under the new EU law), I’ve been asked what other organisations should do to prevent this. Here’s a quick recap of the issues.
What should you do?
- Organisations that process (control, store, use, etc.) personal data in the EEA must comply with the 8 data protection principles. In particular, they must take “appropriate technical and organisational measures” to keep the data secure and prevent accidental loss.
- Neither the DPA / European Data Directive nor the ICO specifies what measures are “appropriate”. The ICO says this will depend upon the circumstances and will involve:
  - carrying out an information risk assessment
  - identifying someone with responsibility for security
  - training your staff
  - ensuring physical security such as doors and locks
  - keeping software up to date, using a firewall and anti-virus software, and using strong passwords
  - separating your data
- It is worth noting that the ICO doesn’t specifically say you must encrypt or tokenise data but has been critical where hardware has been lost or stolen and the data on it was not encrypted.
- Also, there is currently no legal requirement to notify of a breach. Clearly, notifying the ICO and the people whose data has been hacked is a sensible step to help reduce the risks from the hack.
- Additionally, all companies that process, store or transmit credit card information should maintain a secure environment in accordance with the requirements of the Payment Card Industry Data Security Standard.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net