Following Ticketmaster’s recent announcement it was the latest high profile business to suffer a major personal data breach, we look to the lessons that can be learned by other companies and organisations handling large volumes of personal data.
On 27 June 2018, Ticketmaster informed potentially affected customers that malicious software had been identified on a customer support product hosted by a third-party supplier. The result was the security of personal data, including names, addresses and payment details of up to 40,000 UK customers had been compromised.
Ticketmaster is merely the latest, and drives home the message organisations need to ensure they are fully equipped to deal with personal data breaches, if, and likely when, they happen. Shepherd and Wedderburn is currently working with a number of clients in this area to ensure they are in a position to manage such data breaches when they arise.
Any business holding personal information should be aware of their data breach reporting obligations under data protection legislation. The Data Protection Act 2018 requires organisations to report notifiable information security breaches involving personal data to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, no later than 72 hours after being made aware of the breach. They will also be required to inform affected data subjects, without undue delay, where the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.
A failure to notify the ICO of a breach when you are required to do so, under Article 83(4) of the General Data Protection Regulation, can result in a fine of up to €10 million euros or two per cent of global turnover – whichever figure is the higher. More serious infringements, covered under Article 83(5), carry fines of up to €20 million euros or 4% of global turnover – whichever figure is the higher.
As a business you should have in place a comprehensive data breach-reporting process to ensure you can detect and report a notifiable personal data breach on time and all staff are aware of internal procedures for handling suspected and actual data breaches.
Whilst failure to report a personal data breach may result in fine by ICO, it is important to realise that a failure to manage that breach properly may also result in reputational damage. What is key here is having a plan in place which sets out the steps that your organisation can take in the event of a data breach to mitigate any reputational damage.
This could include the preparation of press releases and email communications to potentially affected customers, and considering how you might quickly set up a dedicated website or helpline. You may also wish to explore the options available to you to demonstrate to your customers that you have gone above and beyond, and that you are serious about protecting their personal data.
Should you have any queries surrounding your obligations under data protection legislation, please get in touch with Ashley McLean, Joanna Boag-Thomson, Paul Carlyle or your usual Shepherd and Wedderburn contact.