Tuesday, 27 May 2014

Ebay's data hack: what will the authorities do?


EBay has been the victim of what has been described as the 'biggest cyber-attack in history', with up to 233 million customers worldwide potentially affected. Although customers' passwords remain encrypted, personal information including names, addresses and dates of birth was compromised.


In the wake of this news, it has been confirmed that the Information Commissioner is working with European data authorities to take action against EBay, alongside the various investigations already underway in the US.


To help discover the implications of all this, we put some questions to legal expert Emily Carter, a partner at law firm Kingsley Napley LLP.


Tech Radar Pro: What is the Information Commissioner's Office's remit?


Emily Carter: The Information Commissioner's Office is the UK's independent authority tasked with upholding information rights in the public interest. It provides guidance on the application of the law relating to data protection and freedom of information and voluntary audits of information handling by organisations.


Where the requirements of those laws are breached, it will handle complaints and take any necessary enforcement action.


TRP: In what circumstances can the Information Commissioner's Office take action against a global internet business such as EBay?


EC: Christopher Graham, the Information Commissioner, confirmed on Friday that it must co-ordinate with other jurisdictions when considering a global internet company like EBay. The US Federal Trade Commission will launch an investigation because EBay is an American company.


Within Europe, the Luxembourg data protection authority will take the lead as EBay's European headquarters are in Luxembourg. However, given there are reportedly up to 14 million active UK customers affected, the Information Commissioner's Office could still take action here.


TRP: What does data protection law require companies such as EBay to do in order to protect against hacking?


EC: The seventh data protection principle requires companies to have in place "Appropriate technical and organisational measures" to guard against hacking and other unauthorised or unlawful processing of personal data. Whether security is appropriate will depend on the nature of the information in question and the harm that might result from its improper use.


Given the size and resources of a company like EBay, and considering the vast amounts of personal data within its possession, I would expect that the Information Commissioner may very quickly conclude that the only "appropriate" approach to security would be to maintain the very best and most up to date data security systems available.


TRP: What sanctions are available to the Information Commissioner if Ebay has breached data protection law?


EC: The Information Commissioner is able to issue fines of up to £500,000. In a similar case last year, Sony was fined £250,000 by the Information Commissioner for not maintaining up to date security software, leading to the hacking of personal data of millions of customers, which in that case included passwords and card details.


TRP: What duty does EBay have to inform customers of a problem in a timely fashion?


EC: There is currently no statutory duty upon those holding and processing personal data to inform either the Information Commissioner or the individuals affected if a security breach takes place. However, guidance issued by the Information Commissioner's Office states that in cases of serious data breach, the organisation should contact his office.


A breach will be considered serious where there is potential detriment to individuals. In this case, it appears that neither the Information Commissioner nor customers were informed for up to two weeks after the security breach was identified.


TRP: What is the potential impact of EBay's reported delay in alerting the data authorities and customers of a security breach?


EC: This is an issue which the Information Commissioner's Office can take into account when determining the appropriate level of financial penalty for the company.


In practical terms for customers, although it is possible for EBay customers to now change their passwords, this may do little to prevent identity theft given it is understood that customers' names, addresses and dates of birth are already in the hands of the hackers responsible.


TRP: What recourse do EBay customers have for individual compensation?


EC: Individuals whose personal data has been stolen can make a claim under section 13 of the Data Protection Act 1998 for financial compensation from EBay where they have suffered damage or distress due to a breach of data protection requirements.


Although it is a defence for EBay to demonstrate that it "had taken such care as in all the circumstances was reasonably required" to keep the personal data of individuals safe, if the Information Commissioner makes a finding that EBay has breached the seventh data protection principle, it will be difficult for it to rely on this defence in responding to individual claims for compensation.


TRP: What lessons should other businesses learn from EBay's predicament?


EC: Any organisation which holds personal data needs to ensure that the security measures in place to protect this data are "appropriate." Given that hackers keep pace, and sometimes outpace, the development of latest security measures, software security needs to be reviewed and updated regularly.


Alongside technological solutions, every organisation should ensure they have policies in place, train their staff and secure physical access to information systems, including encrypting all portable devices. The consequences of failing to take appropriate security measures are serious. If the threat of a maximum £500,000 fine is not incentive enough, there is the added cost of compensation claims.


Most importantly, for any retail business reliant upon its customers providing personal data to operate, the public's loss of confidence in a company's security may cause unquantifiable loss in terms of business revenue.




http://ift.tt/1ioNtNh