You know you have responsibilities under the Data Protection Act to protect the information you hold about your customers. But what about the information you hold on your payroll?
Morrisons recently revealed that the details of around 100,000 of its staff had been revealed online and sent to a national newspaper. The perpetrator, believed to be a member of Morrisons staff, demonstrated that when it comes to data security the enemy within can be just as ruthless as the online hacker. But what are your responsibilities as an employer?
As far as the Data Protection Act 1998 (DPA) is concerned, no distinction is made between staff and customer data. As an employer you’re responsible for both. That responsibility extends to ensuring you take appropriate measures to prevent unauthorised and unlawful processing, destruction, damage or loss.
The insider job
The DPA makes no mention of the source of any theft or unauthorised/unlawful access. In the Morrisons case, the circumstances in which the member of staff was able to steal the payroll data would fall just as squarely within the remit of the DPA as an external cyber-attack. What matters is the nature of the breach, not the person or organisation perpetrating it.
Breaches of data can result in formal action by the Information Commissioner, leading to penalties of up to £500,000. So what should you do to protect your business from attack, and if data does go missing, what can you do the put things right or mitigate the damage?
Planning for attack
Carry out a security review to assess your current level of preparedness and use the results to draw up a breach response plan. The plan should establish roles, responsibilities, the steps to be taken for containment and recovery and the communication of the breach to affected parties. Follow the example of the DPA and give equal priority to customer and payroll data (although the steps you take in respect of each may differ) and internal and external attacks.
If your payroll is managed externally, talk to your provider and review the measures in place to protect your payroll data. By way of example, ensure the data you share electronically is sent via a secure portal (we use docSAFE) rather than a standard email network.
Test your plans to destruction. If you don’t possess the in-house skills to assess your level of exposure or test your plan, ask a specialist IT security provider.
In the event of any breach, the Information Commissioner will want to know what measures you had in place, how robust they were, and whether you followed your plan. If the breach happens in spite of your measures rather than because of a failure of them, your financial and reputational position is likely to be significantly protected.
There is no PR ‘upside’ to a security breach. The best to be hoped for is that staff and/or customers give you the benefit of having acted swiftly and communicated clearly.
Following the recent attack on eBay, after which all 233m users were asked to change their passwords, the company revealed it had taken almost three months to spot the initial breach, and a further two weeks to communicate it. It’s difficult to gauge which failure has caused more public and political ire, but either way eBay’s reputation has been unquestionably damaged.
The eBay experience demonstrates the importance of communicating fast and communicating accurately. So whether the data theft comes from a disgruntled member of staff or a remote cyber-terrorist, make sure that in the event of a breach it’s the original perpetrator who remains the enemy.