Protecting Customer Data: Don’t just leave it to the system.

In February, we published a post about an individual who had taken customer information from a former employer with her to a new employer and contacted those customers in the hope of generating sales.

Most people with an understanding of the importance of protecting people’s personal data would recognise that this was unacceptable. The Information Commissioner’s Office (ICO) certainly did: it prosecuted her under section 55 of the Data Protection Act 1998 (DPA) for unlawfully obtaining personal data, and she was fined.

This week the ICO announced a fine against a company under the same Act, but in this case the circumstances were somewhat different. The company had not taken anybody’s data; it had failed to protect the data it held, and the ICO issued a monetary penalty for a serious breach of the data protection principles rather than prosecuting a section 55 offence. You might even feel some sympathy for the company in comparison to the person reported in our February post.

The organisation found to be failing in its duty to protect customer data was Construction Materials Online Ltd (CMO) and it operated a website selling construction materials.

As with most online retailers, customers could order products and enter their payment details on CMO’s website. The information was then supposed to be encrypted and sent to an external payment processing system. The website and its encryption code were developed by a third party but, unfortunately, a coding error meant that the cardholder data could be obtained in unencrypted form. The site was attacked and unencrypted cardholder information for 669 customers was taken, including names, addresses, account numbers and security codes.

The ICO investigated and found that CMO did not have appropriate technical measures in place against the unauthorised or unlawful processing of personal data, contrary to the data protection principles set out in the DPA. CMO was fined £55,000 as a result.

If you trade online and hold or process personal data, the responsibility for protecting it stays with you even when the website and the payment integration were built by someone else. Regular security testing and review of the pages that handle card details, and asking your developer to show you evidence that the encryption actually works as described, will not make a breach impossible, but they make one far less likely and far easier to spot early. It’s easy to rely on third parties or systems when you’re busy focusing on the day job, but fines at that level would be disastrous for many small businesses.

For more advice on how to ensure your business follows current Data Protection rules and regulations, why not get in touch with Paratus Law?