Douglas McLachlan
- Partner
Nearly every day we read about another high-profile business, government body or charity that’s suffered a data breach.
Many were caused by cyber-attacks. Some of these criminal organisations have even set up 24-hour helplines to explain how to pay the ransom!
Last year, retail giant JD Sports was hit by a cyber-attack affecting almost two years’ worth of customer data. The company said that nearly 10 million of their customers might have been at risk of their data being exposed, including names, billing addresses, and phone numbers.
Large retail businesses like JD Sports are a common target for cyber-attacks because of the vast amounts of information they hold.
The 2021 attack on the UK Electoral Commission demonstrated that this issue is affecting us all. The intruders remained undetected in the Electoral Commission’s computer systems for some time. The attack was likely carried out by hostile nation-state actors, affected millions of UK registered voters, and may have been intended to interfere in the UK democratic process.
And then there are the (usually accidental) personal data breaches.
The MoD was fined £350,000 by the Information Commissioner for a personal data breach where an official sent an email disclosing 253 email addresses of Afghans who were being evacuated after the Fall of Kabul. The email used “To” rather than “BCC”. This simple mistake risked lives. Although few personal data breaches carry such serious consequences, everyone can sympathise with the over-pressured official making this simple (and usually harmless) slip-up.
It may be inevitable that we’ll continue to see more and more of these massive cyber and data breaches, but that doesn’t mean it should be your business’s data.
Senior leadership must prioritise data security. Some organisations must, by law, have a Data Protection Officer (DPO) appointed at Board level to oversee data security and compliance. For others, it’s just good practice. Think what could have been avoided if the MoD’s system asked the sender to double check the send list, or didn’t allow so many emails to be sent together.
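The send-time guard just described, as an added illustration that is not part of the article or any product mentioned in it: a check a mail client plug-in or outbound filter could run on a message’s headers, asking the sender to re-check the list above a small number of visible recipients and refusing outright above a larger one. The thresholds, the header mapping and the helper names are assumptions for the example.

```python
"""Send-time recipient guard (hypothetical helper, not a real product API)."""
from email.utils import getaddresses
from typing import Mapping, NamedTuple

# Assumed policy thresholds; illustrative values, not taken from the article.
CONFIRM_ABOVE = 3   # ask the sender to re-check the list above this many visible recipients
BLOCK_ABOVE = 10    # refuse to send above this many; the list belongs in Bcc or a mailing list


class Verdict(NamedTuple):
    action: str      # "send", "confirm" or "block"
    visible: int     # distinct addresses in To and Cc, readable by every recipient
    hidden: int      # distinct addresses in Bcc, which the mail server strips before delivery
    reason: str


def _distinct(*field_values: str) -> set[str]:
    """Parse RFC 5322 address-list headers into lower-cased distinct addresses."""
    present = [v for v in field_values if v]
    return {addr.lower() for _, addr in getaddresses(present) if addr}


def check_recipients(headers: Mapping[str, str],
                     confirm_above: int = CONFIRM_ABOVE,
                     block_above: int = BLOCK_ABOVE) -> Verdict:
    """Decide whether a message with these headers may leave as-is."""
    visible = _distinct(headers.get("To", ""), headers.get("Cc", ""))
    hidden = _distinct(headers.get("Bcc", ""))
    n_vis, n_hid = len(visible), len(hidden)
    if n_vis > block_above:
        return Verdict("block", n_vis, n_hid,
                       f"{n_vis} addresses are visible in To/Cc; move them to Bcc")
    if n_vis > confirm_above:
        return Verdict("confirm", n_vis, n_hid,
                       f"{n_vis} visible recipients: ask the sender to re-check the list")
    return Verdict("send", n_vis, n_hid, "recipient count within policy")


def demo() -> tuple[Verdict, Verdict]:
    """Constructed sample: 253 addresses placed in To (the mistake) versus in Bcc."""
    people = ", ".join(f"evacuee{i}@example.org" for i in range(253))
    mistaken = check_recipients({"To": people})
    corrected = check_recipients({"To": "sender@example.gov", "Bcc": people})
    return mistaken, corrected


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.action, verdict.reason)
```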
As with JD Sports, retail businesses are not immune from this either and should take steps now to prepare for when (not if) they suffer a data breach.
Data breaches don’t always involve technology. 75% of incidents reported in the UK in Q4 of 2022 were non-cyber. In fact, 19% related to emails being sent to the wrong person, while others were as simple as a briefcase being left on a train. It is important that employees are trained to identify a data breach and should not fear reporting one.
Ideally, you need a rapid response team, with the DPO leading in assessing and responding to data breaches, following a pre-prepared “playbook” and knowing which specialists to call in if one happens. The number of reported cyber incidents is rising, and AI will supercharge phishing attacks, in which fraudsters try to obtain private information or clicks on unsafe links by sending ever more convincing emails.
Fortunately, there’s a burgeoning cyber security ecosystem in Scotland.
Tech firms like Quorum Cyber and ID Cyber Solutions provide expert technical, training or forensic resources to help identify and protect against threats or upskill your staff and systems. Glasgow-based Acumen Cyber also has a Security Operations Centre to monitor and protect clients’ systems. Insurance brokers Lockton advise on Cyber Insurance and PR gurus like Clark Communications are able to help clients deal with reputational fallout.
And (of course) there’s the Data & Technology Team at Anderson Strathern. We are a member of the Cyber & Fraud Centre Scotland’s small panel of approved law firms with the expertise to help retail businesses respond to a cyber or data breach as quickly and painlessly as possible.
However, we would far prefer to help you prevent one happening in the first place.
If you have questions on any of the issues raised above, Douglas McLachlan leads Anderson Strathern’s Data & Technology team and has been certified by The Law Society of Scotland as a specialist in cyber security. Douglas is more than happy to discuss how best to create a cyber and data security plan for your retail business.