A data breach involving potential unauthorised access to customers’ personal data can have disastrous consequences for companies. In recent years, large corporations such as British Airways and Ticketmaster have suffered data breaches that resulted in fines from the Information Commissioner’s Office (ICO).
Most recently, the UK e-commerce clothing and accessories retailer FatFace suffered a security incident which it says it first became aware of on 17 January 2021. The personal data compromised due to the breach potentially includes full names, addresses, email addresses, and card details (including the last four digits and expiry date) of its customers and employees.
The UK GDPR requires controllers to notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it – unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock runs from the moment of awareness, not from the end of the investigation, and the regulation expressly allows the notification to be made in phases where full information is not yet available. Where the data breach is likely to result in a high risk to the rights and freedoms of data subjects, controllers must also notify the affected individuals without undue delay.
Given the sensitivity of the personal data types affected by the breach, it is surprising that FatFace waited two months before notifying affected customers. The company has also been heavily criticised for marking the notification emails to affected customers “strictly private and confidential”, a move interpreted by some as an attempt to hide the breach.
The company itself claims the delay was due to a “thorough” investigation to identify which systems and data had been accessed. Although the regulations permit a controller that has suffered a security incident a short period of time to investigate whether a personal data breach has actually occurred, that allowance does not extend to withholding notification until every detail is known. The two months taken by FatFace before notifying its customers therefore appears difficult to justify.
This incident adds to the growing list of cases where it can be argued that the company did not have a clear data breach management plan.
Preventing Future Breaches
Companies should have a personal data breach plan so they can respond to any personal data breach quickly and effectively to minimise any adverse consequences of the breach. For FatFace, the legal, financial and reputational ramifications of (perhaps) not having a data breach plan will soon become clear.
However, companies wishing to avoid or at least minimise the likelihood of future breaches should consider the following:
- mandatory data protection induction and refresher training for staff
- implementing and regularly updating policies and procedures
- implementing appropriate technical and organisational security measures, as required by Article 32 UK GDPR
- investigating the root causes of all security incidents (even those where no data is accessed)
- restricting employees’ access to systems and data to what their roles require
- auditing systems and access rights regularly
Taking just these few simple steps could make the difference between being a compliant company or one that is on the Information Commissioner’s radar.
If we can assist you with the development of your data breach management plan or with any other data privacy issue, please get in touch.