Data breaches. It seems like there is another one being reported in the news every week. However, despite the number of leaked records in June amounting to 145,942,680, the nation appears to be interested in what will happen next. What steps will the ICO (Information Commissioner’s Office) take to ensure organisations comply with the recently enforced GDPR (General Data Protection Regulation)? Will non-complying organisations be fined? How will customers, suppliers and partners react to organisations that suffer a breach?
Only time will tell – and we may not have to wait long – but in the meantime, what is the impact of data breaches in the retail industry, and what needs to be done to mitigate them?
As we are said to be a ‘nation of shopkeepers’ (decide for yourself whether to interpret this as Adam Smith intended in his The Wealth of Nations, or as Napoleon’s alleged compliment ‘une nation de boutiquiers’), it is worth reflecting on some of the high-profile, retail-specific data breaches reported in recent months:
- The Dixons Carphone data breach originally reported that details of 1.2 million customers had been compromised, but is now known to have affected 10 million customers.
- Customers of the Adidas.com website may have been affected by a breach after an unauthorised party gained access to customer data. The data included contact information, usernames and encrypted passwords.
- World-famous retailer Fortnum & Mason suffered a data breach, affecting 23,000 of its customers, through a Typeform service used to collect votes for one of the categories in its food and drink awards.
- Fashion Nexus – a web development e-commerce company that works closely with a number of retailers – suffered a breach when the personal information of approximately 1.3 million users was compromised.
- Ticketmaster notified users of its UK site that their personal information may have been accessed by an unauthorised third party. It is understood that payment information was also compromised for the 40,000 people affected.
Looking more broadly than the retail sector for a moment, the ICO reports that there were a total of 957 data security incidents during the first quarter of 2018 (a 17% increase on Q3) and the World Economic Forum believes that cyber attacks are one of the top five risks to global stability in the next five years, so we all need to take heed.
What is the cost of a data breach?
Breaches of personal data and payment information are becoming increasingly frequent, with cyber criminals using a variety of sophisticated techniques to drive their activities. From phishing, vishing and smishing to acquiring consumers’ identification details, or full-blown criminal hacking, the flow of fresh news stories detailing the latest attacks clearly demonstrates the scale of this growing issue. Indeed, such are the risks of data breaches that they are no longer viewed as IT issues, but as organisational issues that can derail day-to-day operations and have a long-term reputational impact.
So, what are the real business costs of a data breach? According to the 2018 Cost of a Data Breach Study by Ponemon Institute, the average cost of a data breach is $3.86 million, which is a 6.4% increase on the 2017 cost of $3.62 million.
The factors that affect the calculated cost of a data breach include:
- The unexpected loss of customers following a data breach;
- The size of the breach or the number of records lost or stolen;
- The time it takes to identify and contain a data breach;
- Effective management of detection and escalation costs; and
- Effective management of post data breach costs.
What can you do to protect yourself and your customers?
The harsh reality is that no organisation can ever deem itself completely safe and at zero risk of a data breach. However, what you can – and should – do is take a critical look at your infrastructure, processes, systems and controls, and ensure that you have taken steps to address risks and know what to do if you suffer a breach.
There is a wealth of information available that directly addresses breach readiness, but there are two sets of demanding requirements especially applicable to the 294,000 retailers we have in the UK: the PCI DSS (Payment Card Industry Data Security Standard) and the GDPR.
Unveiled in 2004, the PCI DSS is the result of a collaboration between the major credit card brands (American Express, Discover, JCB, Mastercard and Visa). It was created to encourage and enhance cardholder data security, and facilitate the broad adoption of consistent data security measures globally.
As a general rule, any merchant or service provider that stores, processes or transmits cardholder data is required to comply with the Standard. Organisations that fail to comply are likely to get less beneficial commercial terms (and may even be refused service); those that suffer a breach as a result of non-compliance may face significant fines.
As payment card data is considered personal data under the GDPR, the ICO has the power to fine UK organisations for serious breaches of the laws governing the protection of personal data.
The PCI challenge
Despite the prospect of fines and other penalties, many retailers are still not PCI-compliant. There are numerous reasons for this, ranging from a lack of awareness or interest (especially in smaller outlets and independents) to inadequate scoping of the cardholder data environment and underestimating the technical complexity of the Standard. And then there’s the general strain caused by having to comply with a broad range of other standards, laws and regulations.
Accepting all of these challenges, we believe that organisations are best off not viewing the PCI DSS as a compliance burden, but using it as originally intended – an information security baseline that gives the organisation an opportunity to reduce risk. Focusing on snapshot compliance efforts is neither sustainable nor cost-effective, and will work against your organisation in the long run.
The Standard is technically complex to implement, but it is based on common information security practices. There are 6 major security goals with 12 areas of focus:
Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management programme
5. Protect all systems against malware and regularly update antivirus software or programmes
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
We also offer a special PCI DSS support contract for small businesses, which equips you with PCI policies and procedures, staff training resources, and expert online consultancy support and advice at an affordable price. Full details can be found online.
In effect since 25 May 2018, the GDPR is significant and wide-reaching in scope, expanding the rights of individuals and placing a range of stricter obligations on organisations to be more accountable for data protection.
As people are discovering, GDPR compliance is about far more than ticking boxes – the Regulation demands that you be able to demonstrate compliance with its data processing principles. This involves ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, and building an in-house culture of data privacy and security.
In many cases, achieving GDPR compliance will likely be a year-long process, if not longer. For that reason, it’s worth tackling the areas where a lack of action leaves your organisation instantly exposed. Where an infringement occurs, demonstrating that you have made a start could help reduce the impact on your organisation. From there you can build the framework and implement the changes as they’re formalised.
Although the GDPR can seem like just another thing to do, there are business benefits. For instance, it can help you build more trusting customer and supplier relationships, maintain or even improve your brand image and reputation and, in some instances, give you a competitive advantage.
Our GDPR information page guides you through the requirements and provides the information you need to plan your next steps. Or, for more detailed guidance about the GDPR and what you need to do, why not join some of our webinars?
A new bundle specifically designed for SMEs has been launched. The EU GDPR Pathway bundle is a comprehensive selection of resources, collated to allow you to confidently tackle the GDPR’s requirements and get on the pathway to compliance. Comprising e-learning courses, Live Online consultancy and a privacy notice template, this bundle will ensure you’re able to move forwards and protect your customers, partners and yourself. There is also a 15% saving on the RRP of the individual components.
Contact us now for bespoke advice, or a tailored quote for any of our services or solutions. Every journey starts with a single step, and our team is here to help you on every step of your journey.