The story earlier this week about the Information Commissioner's Office (ICO) investigation into concerns over the security of user passwords on the tesco.com website is a timely reminder that information security is an evolving area, and one that organisations need to keep under constant review.
The Data Protection Act (DPA) states, in the seventh data protection principle, that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
In determining what measures are appropriate, organisations have to ensure that the level of security is appropriate to the level of harm that might arise from unauthorised access or disclosure and the nature of the data in question.
So, the greater the potential damage to users, the greater the level of protection should be. Importantly, the organisation also has to have regard to the state of technological development.
This means that information security measures need to be kept under constant review as technology (and the cost of that technology to the organisation) evolves. In this case, the question appears to be whether or not Tesco is following industry best practice, and whether its current approach to password security is sufficient, given that well-established techniques now allow passwords to be stored and checked more securely (for example, storing only a salted hash of each password rather than anything from which the password itself can be recovered).
However, the story is also a reminder that information security is now about more than just legal compliance. It is also about brand reputation.
Whether or not Tesco’s website falls short of the requirements of the DPA will be a matter for the ICO to come to a view on.
Yet the very fact that the ICO is investigating the information security procedures of one of the UK's largest retailers is enough to make front page news. There has not actually been a security breach in relation to the Tesco website, but the mere possibility that Tesco's site may be more vulnerable than others is sufficient for it to be reported by the media.
e-Commerce is an industry in which brand loyalty is notoriously fickle, with websites being in fashion one minute and not the next. An information security leak can be highly damaging to the brand. For that reason, organisations that trade online should ensure that information security is kept constantly under review, and that they respond to technological developments that help to keep the data of their users secure.
So what should you be doing? In practice, this means ensuring that your internal policies are kept under review and that a named person is responsible for information security compliance.
Where you rely upon external suppliers, it is essential that information security is properly addressed in your software development and hosting contracts through reference to appropriate standards. It is also important that you are able to audit and review the information security of your websites and systems, ensure that the measures in place continue to be fit for purpose, and require that changes are made where vulnerabilities are identified.
On August 23, 2012