
DSG Retail Fine - Lessons to Learn


The ICO’s decision to issue DSG Retail Ltd with the maximum penalty possible highlights how seriously it takes data security and which factors influence its decisions.

The ICO’s decision to issue a £500,000 penalty notice against DSG Retail Ltd under the old Data Protection Act should serve as a warning shot across the bows of the industry. DSG, meanwhile, should be heaving a sigh of relief that the breach happened just before GDPR came into force.

What happened?

The scale of the fine comes thanks to a litany of errors, each of which on its own could have constituted a breach, but which taken together amounted to a serious and multifaceted breach of the Data Protection Act.

It started in May 2017 when an assessment of DSG’s point of sale payment terminals across its Currys PC World and Dixons Travel stores found that they were not compliant with the PCI DSS standard. Even so, DSG was slow to make changes.

Almost a year later, DSG discovered that the payment terminals had been compromised. Over the course of nine months, an attacker had taken control of a number of domain administrator accounts and installed malware on the POS system. The malware accessed the payment card details of around 5.6 million customers, although an investigation later found that only 85 cards had potentially been used fraudulently.

The fraudsters had also accessed non-financial data belonging to about 14 million customers, including credit checks, contact details and failed credit checks. The company was inundated with nearly 3,300 customer complaints about the breach, and the regulator received a further 158 complaints.

The ICO’s investigation listed numerous systemic failures, including:

  • Lack of a firewall on the POS terminals
  • Inadequate patching of software
  • A poor response system
  • Insufficient network segregation
  • Mismanagement of application whitelisting

These amounted to multiple breaches of the Data Protection Act, but a number of aggravating factors made matters even worse. The firm was already aware of the vulnerabilities but failed to act quickly enough. It took a full nine months to identify the breach, and Carphone Warehouse, which belongs to the same group as DSG, had previously been fined £400,000 for the same breach.

The regulator also took into account the volume of the data and the resources that the retailer should have had at their disposal. The scale of the operation and the nature of the breach had the potential to cause significant distress to customers.

Moreover, as a major retailer handling large quantities of sensitive customer data, DSG should have been able to lead by example. It had plenty of resources at its disposal and should have been able to offer better protection to its customers.

The only mitigating factor was that DSG had taken steps to notify its customers and had cooperated with investigators. Even so, the regulator deemed the maximum penalty appropriate.

Lessons to be learned

The scale of this fine should serve as a warning about how seriously the ICO takes data security. Had the breach occurred under GDPR, the fine could potentially have run into the millions. It also shows the factors the regulator takes into account when deciding on a penalty, including the volume of data exposed, the nature of the breach, the resources of the firm and how the company responded to known weaknesses.

It’s a reminder for businesses to maintain and proactively monitor their security systems, and to fix any deficiencies as soon as possible. Cybercrime is now so widespread that if a company identifies a weakness, there’s a very good chance an attack will come sooner or later. While firms might be reluctant to spend the time and money fixing issues, if they don’t they run a high risk of finding themselves before the ICO and, with GDPR in full swing, the consequences could be catastrophic.

FCA Plans to Share More Data - Waymark Tech Blog


The FCA has admitted it could share more of its information to help the financial sector understand what bad conduct looks like.

Debbie Gupta, Director of Life Insurance and Financial Advice at the FCA, told the Personal Finance Society’s annual conference that the FCA sits in a unique position, being able to see first hand what bad conduct looks like.

“From our point of view, yes we are doing lots of work on rooting out bad practice, but I also think one of the things the regulator is privileged to see, in a slightly roundabout way, is what bad practice looks like.”

The FCA has chosen to take action on an advice market which it says is, too often, letting customers down. The area concerning the regulator most is defined benefit pension transfers.

According to a survey from the regulator, advice in this sector is all too often ‘still not of an acceptable standard.’

The regulator started out by asking advice firms with defined benefit transfer permissions to return data about their activities, before following up with site visits. It quickly raised concerns when it found that 60% of firms providing transfer advice had recommended that 75% or more of their clients transfer.

It recently sent letters to 1,600 companies about their advice on transfers, more than half of the 2,500 advice firms working in the sector. The companies contacted have been given two months to make changes and get their houses in order.

Gupta says the regulator sees evidence every day of firms failing to provide significant advice to clients. This data can prove useful in building a picture of what bad culture looks like.

The move feeds into the FCA’s ongoing aim of reducing non-compliance by improving general culture. As we’ve covered in the past, it is already focusing on a company’s conduct as an indicator of potential non-compliance, and it now appears to believe that this data can offer lessons to the wider sector about what bad culture looks like and how it can be avoided.

It’s a similar principle to the Enforcd Regulatory Database. By compiling details of enforcement actions taken across the financial sector, it is possible to build a picture of where companies are going wrong and what they could have done to avoid problems in the first place.

A look at the cases on the database shows common problems cropping up around incentives, data management and governance. The FCA does indeed have a privileged position, which can help to shine a light on the key warning signs of non-compliance.

However, it can also share details of good culture, giving firms a positive template to work from. By doing so, it can give firms a guide with plenty of DOs as well as DON’Ts.

Employee Investigations: Managing Data


Much has been written about the importance of managing client data in the era of GDPR. However, many firms may be overlooking a vital issue when it comes to their own internal investigations.

The rules surrounding data privacy have become much more complicated in the last few years. GDPR, plus a number of other international regulations, create fresh regulatory issues, some of which firms may not be aware of.

At the same time, data is growing in volume and complexity, and keeping a handle on it all is becoming increasingly difficult. The use of cloud storage brings issues of cross-border data transfers, third-party risk and multiple jurisdictions, which can be hard to manage.

Employee consent

Data processing is an extremely wide-ranging term under GDPR and, as we’ve written elsewhere, the penalties for getting it wrong can be extensive. Employee data must be treated just as carefully as client data, which means people must have given fully informed consent for all the ways in which their data will be used. Even when consent has been obtained, it can’t always be relied upon for investigations.

At the same time, firms must keep employees informed about what data they store, how it may be shared and with whom. As in all walks of life, employees are increasingly aware of their data rights and may well enforce them during an investigation.

How should you respond?

It’s a difficult tightrope to walk, and there’s a fair chance many companies are unwittingly leaving themselves open to non-compliance.

So, what lessons can be learned?

First, investigations teams must have a clear idea of the boundaries: what data they can analyse and how it can be used. Firms should put in place clear policies which ensure investigators understand how they can use data, and that only data relevant to the purposes of that investigation is used.

When working across multiple jurisdictions it may be necessary to obtain legal advice. GDPR has set the template for other regulators, but each puts its own spin on the concept. For example, China’s data privacy regulations, although closely modelled on GDPR, adopt a much looser approach to the idea of consent. Understanding which data belongs in which jurisdiction, and making sure all applicable regulations are being complied with, is complicated and challenging.

Consent must be managed.

A firm must have a reasonable basis for holding any data and must inform all employees about how their data will be used and what their rights are. If an investigation is carried out, employees will need to be handed notices informing them of the way in which their data will be used.

This is extremely important. Individuals have become much more informed about GDPR and how it applies to them, and may use that knowledge as part of any investigation. Authorities are also showing themselves increasingly willing to go further in applying the details of GDPR on behalf of employees.

Companies should take time to look again at their policies to ensure they are achieving the same level of compliance for employees as they already have for clients. You can find out more about what’s required in an excellent insight article by Dispute Resolution Lawyer David Harris on our Global Regulatory Database.
