Sometimes there is a certain sympathy when a company is fined for an action which others had been considering. Managing risk is an essential skill in email marketing and when a company, even a competitor, falls just the wrong side of the line the first thought that goes through most people’s mind is relief that it wasn’t them.
Other times, the actions of a company are bewilderingly unprofessional and the publicity could hurt us all. You feel that the punishment was both earned and justified.
This can be true even when a fine is £175,000.
A travel insurance company had more than 100,000 live credit card details and medical records of customers. Its database was hacked and the credit cards of over 5000 customers were used by the criminals. Hacking of records is a nightmare for any company, but for those of us in email marketing, with our dependence on data, the concern is two-fold: that it might happen to us and that it might happen to another company in the same line of business and we’d be suspect by association.
The investigation by the Information Commissioner’s Office (ICO) found a number of procedures worthy of comment and, given the level of fine, of punishment.
The CVV (security) numbers were also retained by the company. This is contrary to the guidelines of the Payment Card Industry Security Standards Council, for obvious reasons. This is more than just a slip.
Also, the company had no internal systems in place to update software and to review its data protection procedures regularly. This is directly contrary to the seventh principle of the Data Protection Act (DPA).
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Further details: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
Complying with the fundamentals of the DPA is basic self-protection. Further, it would appear that the company had failed to update its software on two occasions, leaving security gaps that could be exploited for five years.
The ICO said that the hacking could have been avoided if the software had been updated. Given the sophistication of hackers, you might think this is a hope rather than a fact. However, the company had no defence.
The ICO stated: "It's unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company's actions were unacceptable and this penalty notice reflects the severity of the situation."
It is essential that you:
1/ Ensure that your security systems can keep your data safe from hacking;
2/ Make it clear to everyone in your company who has responsibility for data security;
3/ Have well-trained staff who are supported by robust policies and procedures; and
4/ Have policies in place to respond quickly and effectively should the worst happen.
Payment procedures and the data on email marketing lists make anyone engaged in email marketing a target for hackers. If they succeed we all suffer due to lack of confidence in our business systems. What on first glance seemed a draconian punishment turned out to be well earned.