Given the volume of data companies tend to hold nowadays, including customers’ personal data, the risk of a data breach incident is a huge concern. These incidents pose a serious risk of identity theft, harm to corporate reputation and monetary damage.
The risk is compounded by the rapid rise of the Internet of Things ("IoT") and the corresponding increase in the volumes of Big Data held by companies. It is as yet unclear how effective IoT devices will be in keeping customer data secure, e.g. can a worn fitness tracker adequately protect the customer’s personal health and wellbeing data from being intercepted?
It is clear that data breaches are a serious threat, as has been demonstrated by several high-profile breaches in 2015. Some examples include:
- VTech, a Hong Kong-based firm that produces electronic devices for children, was targeted by a hack that exposed the private data of 6.5 million children and 5 million parents, including photographs, chat logs and internal databases.
- In one of the most high-profile breaches of the year, the infidelity dating website Ashley Madison lost the personal data of 37 million users, which was subsequently published online, exposing the site's users.
- Telecom operator TalkTalk lost the data of 157,000 customers following a 'significant and sustained' cyber-attack, including the bank account numbers and sort codes of 16,000 customers. TalkTalk’s CEO revealed that the estimated one-off costs of this data breach to the organisation were between GBP 30 – 35 million.
Given the potential impact, it is important that an organisation that risks being the victim of a data breach works with an experienced legal and technology team in order to implement effective preventative solutions.
E-discovery can play a valuable role here, assisting companies in quickly and effectively assessing the volume and type of data held. It can also identify the source of the information and where it is held, and appropriately categorise it into information types (e.g. sensitive and personal, or generic and non-confidential).
Legal experts would then be able to analyse this information to provide a detailed risk assessment to the company, identifying the truly ‘sensitive information’ from a data protection perspective and advising on any particular steps that should be taken to mitigate the risk of data breaches, and any subsequent claims.
We are hosting a breakfast seminar in London on Wednesday 10 February to provide an overview of the legal aspects of being prepared for a cyber-attack, and in particular the 'next steps' plans of action following a security incident.
If you would like any more information or would like to discuss how we can help you, please contact: John Mackenzie, Guy Harvey or Nicola Perry.