We all have to trust companies with our personal data in order to function in modern society, which means that vast amounts of personal data are held and processed by companies throughout the UK every day. Consequently, the impact of a data leak on a company's reputation and business can be crippling. The recent spate of reported data breaches appears to be taking its toll on public confidence in companies' ability to protect personal data. A survey undertaken by Intercede has shown that even 'Millennials', those aged 16-35, appear to be losing confidence in companies' ability to ensure their online security.
So how did these data breaches happen and what can companies do to prevent them?
Precautions and processes
In 2014, Money Shop was reported as having lost two computer servers containing the personal details of several thousand customers, past and present. The servers held full customer records, including contact details, dates of birth, bank account details and payment card details. The two servers were lost on separate occasions: the first was stolen from a locked and alarmed office with active CCTV monitoring, and the second was lost in transit by a courier company. The data on the servers was not sufficiently encrypted, and neither server has been recovered. On 6 August 2015, the Information Commissioner issued Money Shop with a penalty of £180,000 for serious breaches of the Data Protection Act 1998.
Any data controller (a company or person who collects, holds or processes personal data) is required by law to have appropriate technical and organisational procedures and practices in place to protect against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". By taking simple precautions, such as ensuring that personal data is encrypted when stored, that data is physically held in secure premises, and that personal data is only entrusted to third parties in exceptional circumstances, such devastating losses can, in most cases, be avoided.
Educating employees about the importance of keeping personal data secure is paramount. If staff are given clear guidance on the company's policies and practices, incidents such as the lamentable disclosure of the names and email addresses of 780 patients of the 56 Dean Street clinic of the Chelsea and Westminster Hospital NHS Trust might be avoided. In that case, a member of staff "pasted the email addresses in the CC bit of the box rather than the blind CC bit" when sending out the monthly newsletter by email to users of its HIV patient service. This is a basic error which could easily have been avoided. It may well have been simple human error, but keeping issues such as this at the forefront of people's minds helps to ensure constant awareness of the potential repercussions when insufficient care is taken.
Limiting the number of people who have access to the personal data processed by a company is an effective way to reduce the risk posed by disgruntled employees or contractors. Minimising the data set that can be accessed, and ensuring that only a small number of essential personnel have access to records, could help prevent the type of data breach suffered in July 2015 by Ashley Madison, the internet dating site which promoted infidelity. The company's CEO was confident that the information and documents had been stolen by someone who had "legitimate access" to its systems. The exposure of the sensitive data of millions of users was made public last month, and has resulted in at least two class actions being filed against the company.
For any company holding personal data, ensuring that the company's network and systems are secure and as up to date as possible is critical. Because so much of our personal data is held by companies, individuals whose data is stolen are at significant risk of becoming victims of fraud. Only last month, Carphone Warehouse was reported to have suffered a "sophisticated cyber-attack" in which the personal data of up to 2.4 million customers (including many users of affiliated companies) may have been accessed. The information that may have been accessed included contact details, dates of birth and bank details. Companies need to be aware of the changing environment we live in and the potential points of exposure created by technical developments, including the use of the Cloud, employees using their own devices to work remotely and the increased use of social media.
These issues are not going to go away, but being aware of the risks and taking action to protect personal data is a step in the right direction.