Morrisons was just the latest in a line of high profile retailers to hit the headlines for the wrong reasons. The supermarket chain had suffered the theft of the bank account details of around 100,000 employees and the news spread fast. The supermarket’s immediate reaction was to reassure customers that the loss was exclusively of internal employee data and that no customer information had been compromised. Not surprising, given the strength of customer reaction when US high street retailers Target and Neiman Marcus were hit earlier this year following the news that customers’ credit card details had fallen into the wrong hands.
Other major brands should take heed. Semafone carried out a survey of 2000 adults earlier this month to ascertain the UK public’s attitude to the loss of their data by brands. The research revealed that 86% of people (91% of women and 81% of men) would be unlikely to do business with an organisation that had suffered a security breach involving credit or debit card data.
Now a further threat is in store for those who do not secure customer data. The European Parliament has approved a draft data protection law, which, when it becomes final, will mean that companies can be fined 5% of their global turnover in the event of a serious data breach. The law could be in place as soon as 2016 in the UK.
The law will also include the “right to be forgotten”, which will give citizens the right to request that their personal data be deleted from companies’ computer systems, and will require organisations to gain explicit consent from people before processing their data. It will become mandatory for data protection safeguards to be built into any new products and services.
In the case of the loss or theft of customer data, the new law means that offending companies will not only suffer the financial repercussions of a fine, but will also be exposed to the reputational damage caused by a breach becoming public, since they will have to inform local data protection authorities of the breach within 24 hours.
So if you’re reading this and are worried that your own customers’ credit card information might be at risk, get in touch with a Qualified Security Assessor and make sure that you are complying with the Payment Card Industry Data Security Standard (PCI DSS). It probably won’t cost as much as you think, and it certainly won’t cost as much as losing your customers’ card details.