There is a saying which goes along the lines of: if you get the basics right, the rest will follow. I’m not sure that’s entirely right but the reverse is spot on. You can’t do anything without the fundamentals in place.
A large travel insurance company has recently been heavily fined for contravention of the Data Protection Act (DPA). At first sight you might think that £175,000 was a bit over the top, but make up your mind once you know what they did.
It held personal records on more than three million customers, including the credit card details of around 100,000 of them. Criminals broke into its database and went on to use the card details of some 5,000 people fraudulently.
You might think that the hackers will always get through regardless of what you do, but that is not necessarily so. Robust, well-maintained systems give a great deal of protection. The company was not fined for what the hackers did but for what it had failed to do.
The Information Commissioner’s Office (ICO) found that the company had not updated its security systems for some five years, ignoring two major software updates. Further, it had no process in place to review its security procedures on a regular basis.
One thing the company did do was keep customers’ CVV (card security) numbers after the transactions had been authorised, in breach of the Payment Card Industry Data Security Standard (PCI DSS), which forbids storing that data at all.
There are eight Principles in the DPA; the seventh states:
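The storage rule the company broke is simple to enforce at the point where a payment record is written. The following is an added illustration, not code from the insurer or from the ICO: it drops the sensitive authentication data that PCI DSS says must never be stored after authorisation (CVV/CVC, full track data, PIN), masks the card number to the first six and last four digits, and provides an audit function that flags any already-stored record still holding prohibited data. The field names (`pan`, `cvv`, `expiry`, `track_data`, `pin`) and the sample transaction are assumptions made up for the example.

```python
"""Strip sensitive authentication data from a card payment record before
it is written to storage, and audit stored records for leftovers.

Added illustration only; not the insurer's or the ICO's code. Field names
(pan, cvv, expiry, track_data, pin) and the sample record are assumed.
"""
import re

# Keys that PCI DSS says must never reach persistent storage once the
# transaction has been authorised ("sensitive authentication data").
PROHIBITED_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "track_data", "pin", "pin_block"}


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of the card number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitise_for_storage(record: dict) -> dict:
    """Return a copy safe to persist: prohibited keys dropped, PAN masked.

    The original dict is left untouched so the caller can still use the
    CVV for the live authorisation request before discarding it.
    """
    clean = {k: v for k, v in record.items() if k.lower() not in PROHIBITED_KEYS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


def _holds_full_pan(value: str) -> bool:
    """True if the value is an unmasked 13-19 digit card number."""
    return re.fullmatch(r"\d{13,19}", re.sub(r"\D", "", value)) is not None


def audit_stored_records(records) -> list:
    """Return the ids of stored records that still carry prohibited data
    or an unmasked card number. Run this over the database, not just new
    writes, so that data retained before the rule was enforced is found.
    """
    offenders = []
    for rec in records:
        keys = {k.lower() for k in rec}
        if keys & PROHIBITED_KEYS or ("pan" in rec and _holds_full_pan(rec["pan"])):
            offenders.append(rec.get("id"))
    return offenders


# Constructed sample record (test card number, not a real account).
CONSTRUCTED_PAYMENT = {
    "id": "txn-0001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "amount_gbp": "42.50",
}

if __name__ == "__main__":
    stored = sanitise_for_storage(CONSTRUCTED_PAYMENT)
    print(stored)  # cvv gone, pan masked to 411111******1111
    print(audit_stored_records([CONSTRUCTED_PAYMENT, stored]))  # ['txn-0001']
```

The audit function is the part most worth keeping: a sanitiser on the write path does nothing about records that were stored before it existed, which is exactly the situation a company that had not reviewed its procedures for years would be in.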
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
It would appear that the company failed in this most basic of requirements.
From a selfish point of view, slack management of this kind has a knock-on effect on any company that holds customer data, whether that is an email marketing list or stored credit card details. Trust is vital in our line of business, and a breach like this one erodes it for everybody.
There are many ways to reassure your customers that you take your responsibilities seriously, such as boxes on your website stating that your systems are kept up to date, or telling subscribers their rights at sign-up. These are passive, though, and not always read. The best way is to meet the basic requirements of the DPA in practice: keep systems patched, review your security procedures regularly, and do not store data you have no right to keep.