IP, Technology & Data

The story earlier this week about the Information Commissioner's Office (ICO) investigation into concerns over the security of user passwords on the tesco.com website is a timely reminder that information security is an evolving area, and one that organisations need to keep under constant review.

The law
The Data Protection Act (DPA) states that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

In determining what measures are appropriate, organisations have to ensure that the level of security is appropriate to the harm that might arise from unauthorised access or disclosure, and to the nature of the data in question.

So, the greater the potential damage to users, the greater the level of protection should be. Importantly, the organisation also has to have regard to technological development.

This means that information security measures need to be kept under constant review as technology (and the cost of that technology to the organisation) evolves. In this case, the question appears to be whether Tesco is following industry best practice, and whether its current approach to password security is sufficient, given that more secure ways of storing passwords and handling access to accounts are now widely available at low cost.
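The story gives no detail of how Tesco stores passwords, and this post does not try to guess. As an added illustration (not from the original post, and not Tesco's code) of what "a more secure way of storing passwords" means in practice, and of how the obligation to keep measures under review translates into an engineering check, here is a small Python example: a salted, deliberately slow password hash whose parameters are stored with each record, plus a check that flags records made under an older or weaker scheme so they can be upgraded at the user's next login. The legacy unsalted SHA-1 scheme, the iteration count and the sample passwords are constructed assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import os

# Tunable work factor (an assumed policy value). Kept as a named constant so that
# raising it as hardware gets faster is a one-line change, which needs_rehash()
# then picks up automatically for every existing record.
PBKDF2_ITERATIONS = 600_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def legacy_unsalted_sha1(password):
    """Weak legacy scheme, constructed for illustration: one fast, unsalted hash.

    Every user with the same password gets the same digest, so one cracked
    record exposes all of them and precomputed tables work directly.
    """
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).

    Returns a self-describing record, algorithm$iterations$salt$key, so the
    parameters used at the time travel with the record and can be checked later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(key))


def verify_password(password, stored):
    """Recompute using the parameters in the record and compare in constant time."""
    if stored.startswith("sha1$"):
        # Legacy record: still verifiable only so it can be upgraded on next login.
        return hmac.compare_digest(legacy_unsalted_sha1(password), stored)
    if not stored.startswith("pbkdf2_sha256$"):
        return False  # unknown format: refuse rather than guess
    try:
        _, iterations, salt_b64, key_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, current_iterations=PBKDF2_ITERATIONS):
    """The 'keep under review' check: True if a record uses a legacy scheme or a
    work factor below today's policy. Run on successful login, when the plaintext
    is briefly available, and replace the record with hash_password()."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < current_iterations
    except ValueError:
        return True


def login(password, stored):
    """Returns (ok, replacement_record). replacement_record is a fresh record when
    the stored one is out of date and should be written back, otherwise None."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample records, not real user data.
    pw = "correct horse battery staple"
    print("legacy digests identical for identical passwords:",
          legacy_unsalted_sha1(pw) == legacy_unsalted_sha1(pw))
    old = hash_password(pw, iterations=10_000)  # record made under an earlier, weaker policy
    print("old record still verifies:", verify_password(pw, old))
    print("old record flagged for upgrade:", needs_rehash(old))
    ok, upgraded = login(pw, old)
    print("login ok:", ok, "new record written:", upgraded is not None)
```

The point of storing the parameters with each record is that a later policy change (a higher iteration count, or a move away from an older algorithm) does not require knowing the plaintext up front: `needs_rehash()` identifies stale records and `login()` upgrades them transparently the next time each user authenticates, which is the operational form of the "constant review" the post describes.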

Brand reputation
However, the story is also a reminder that information security is now about more than just legal compliance. It is also about brand reputation.

Whether or not Tesco’s website falls short of the requirements of the DPA will be a matter for the ICO to come to a view on.

Yet the very fact that the ICO is investigating the information security procedures of one of the UK's largest retailers is enough to make front page news. There has not actually been a security breach in relation to the Tesco website, but the possibility that Tesco's site may be more vulnerable than others is sufficient for it to be reported by the media.

e-Commerce is a notoriously fickle industry where brands are concerned, with websites being in fashion one minute and not the next. A security breach can be highly damaging to the brand. For that reason, organisations that trade online should ensure that information security is kept constantly under review, and that they respond to technological developments that help to keep their users' data secure.

Practical steps
So what should you be doing? In practice, this means ensuring that your internal policies are kept under review and that a named individual is responsible for information security compliance.

Where you rely upon external suppliers, it is essential that information security is properly addressed in your software development and hosting contracts through reference to appropriate standards. It is also important that you are able to audit and review the information security of your websites and systems, that you check the measures in place continue to be fit for purpose, and that the contract obliges the supplier to make changes where vulnerabilities are identified.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.