The latest cyber attack on eBay and the subsequent fall-out have left many businesses trying to understand what their obligations are in securing customer data and what steps they can take to protect themselves against a similar attack. Finding the answer is not easy for any business.
Firstly, we do not yet know how the eBay attack was carried out. We do know that an eBay customer database was accessed and that the majority of its records (an estimated 145 million) were copied between late February and early March. It is not clear whether, having copied the records, the attackers have since cracked the encryption and gained access to the actual customer details. It should be assumed that they can: a copied database can be attacked offline, at leisure and without triggering any lockout, and weak or reused passwords fall to straightforward guessing however strong the algorithm protecting them. Nobody outside the attackers will know if or when that data is extracted.
So what can we learn from recent high profile security breaches and what can businesses do to prevent this from happening to their customer data? Set out below are four steps that should be considered by every business that holds customer data.
1. Understand exactly what customer data your business holds, where it is (including copies held in backups, test systems and by third-party providers) and who has access to it.
2. Ensure that you have a clear understanding of your business’ obligations in respect of customer data. A good start can be made by looking at the following:
Data Protection Act (DPA) and the Information Commissioner’s Office (ICO) – The DPA sets out eight principles of good information handling. The ICO is the UK’s data protection regulator and makes available on its website a wealth of publications providing help and guidance on a business’ obligations to protect its customers’ data. For example, in December 2013 the ICO published specific guidance for developers on privacy in mobile applications (Privacy in mobile apps: guidance for app developers).
Regulatory body requirements – It is also important to understand the requirements of any industry-specific body that applies to your business. For example, the Financial Conduct Authority (the body responsible for regulating the financial services industry) has published specific guidance on responsibilities relating to customer data security (FCA factsheet: Your responsibilities for customer data security). If your business processes payment card transactions it is likely to have obligations under the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the Payment Card Industry Security Standards Council (PCI SSC) and enforced through the card brands and your acquiring bank.
ISO 27001 – An internationally recognised standard for information security management systems. Whilst it may not be viable for your business to achieve ISO 27001 certification, many businesses choose to implement the standard as a statement of best practice.
3. Get help from the right people (either by employing experts or by using an external advisor) to develop an information security policy that addresses the points identified in steps 1 and 2. Ensure that the policy covers the end-to-end security of customer data, including personnel checks, password administration, encryption methods, physical security and due diligence on third-party providers. Once these systems and controls are in place they should be communicated to all personnel and regularly reviewed. Any security incident (whether or not it results in data leaving the business) should be investigated, and preventative controls considered and implemented.
4. Finally, if there is one lesson every business should take away from the recent customer data security breaches that have hit the headlines, it is that a quick and thorough response to a breach is imperative. One of the biggest criticisms of eBay was its slow and confused response: messages were posted on its website and then taken down, emails contained mixed instructions, and the process for changing passwords was overly complex and not user friendly. Consequently, an integral part of any information security policy should be what happens when a breach occurs and the steps to be taken in the immediate aftermath: who decides, what customers are told and through which channel, and how password resets are carried out, so that the messages a customer receives are consistent and the action asked of them is simple.
The amount of advice and wealth of guidance available can be daunting and it is often hard to establish what is relevant to your business. Engaging the right people to provide legally sound and commercially practical solutions to information security is imperative.
See also: Five top tips to protect customer data