Businesses need to take the prevention of data leakage and theft more seriously in order to protect their customers
Just recently, T-Mobile received a huge wake-up call, and will most likely receive a hefty penalty, for losing customers' personal data that was stolen by a number of its own employees. As a result its reputation has been damaged and customers may have been lost.
According to the Ponemon Institute, six out of every ten employees stole company data when they left their job last year. With modern technology, portable storage devices such as USB memory sticks can hold large amounts of valuable and confidential information, which can then be used for financial gain.
Contact numbers, payment card details, home addresses and passwords may be stored in customer relationship management software and on telephone systems, from which they can be downloaded by an employee who is about to leave the company.
This type of internal breach can have an explosive impact on the company concerned. The subsequent investigation into how customer data was mishandled, lost or stolen by an employee or ex-employee often highlights serious shortcomings in existing security procedures, thereby presenting the aggrieved company as partly culpable or, at best, negligent.
Under the Data Protection Act 1998, all companies handling personal or confidential data, such as customer addresses, bank account numbers or internal account information, must take appropriate technical and organisational measures to keep that data secure, including data held electronically.
Failure to do so could result in a hefty fine, or even a jail sentence, not only for the directors of the company but also for its employees. It may also damage customer loyalty, corporate reputation and competitive advantage.
It is perhaps the fear of being identified as having failed to meet the requirements of the Data Protection Act 1998, and the consequential impact on reputation, that makes companies hesitate to report security incidents. It may surprise many that a data protection issue can lead to a criminal conviction, but in 2002 there were 80 such convictions. Offences range from failing to notify the Commissioner of processing, to selling personal data without the appropriate consents, to breaching an enforcement notice.
If a data breach has occurred, it is better to ensure that steps are taken to bring the offender before the courts. Not only does this demonstrate 'zero tolerance' towards cybercrime, it could also act as a deterrent, thus reducing the possibility of a future security breach of this kind.
One of the simplest ways to reduce the risk of internal data leakage is to limit the number of employees who have access to such data in the first place, granting access only to those whose role requires it. This has the added effect of making any data leak more easily traceable, since the pool of people who could have taken the data is smaller, and it ensures that those who do have access are aware of the responsibility that comes with it. A company can also ensure that any other business handling its customers' data is made aware of the importance of that data by requiring a non-disclosure agreement to be signed before the data is disclosed.
The first step for any business is to seek advice from lawyers with expertise in IT security, to ensure that all areas of compliance are met by appropriate security solutions and policies. It is also recommended that all staff are trained annually on security procedures and policies, so that issues such as downloading information onto portable storage devices, and how to keep that data secure, are treated as matters of great importance. Even if a data breach does occur, the business will then be better protected against the severity of the breach and any potential backlash, and better prepared to respond in an informed way to any negative publicity or disinformation which may arise.
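The traceability argument in the paragraph above can be made concrete. The following is an added example written for this article, not code from the author or from any real system: a small customer store that only serves records to users holding an explicit grant, logs every read attempt (allowed or denied), and, given the identifiers of records that later turn up on a USB stick, computes which users had actually read all of them. The class and function names, the staff names and the access sequence in `demo()` are all constructed for illustration.

```python
"""Least-privilege access to customer records with an audit trail.

Added example, not code from the original article. CustomerStore,
suspects_for_leak, the user names and the access sequence in demo()
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEvent:
    user: str
    record_id: str
    allowed: bool


class CustomerStore:
    """Customer records readable only by users holding an explicit grant.

    Every read attempt, allowed or denied, is appended to the audit log.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._grants: Dict[str, Set[str]] = {}   # user -> record ids
        self.audit: List[AccessEvent] = []

    def add_record(self, record_id: str, data: dict) -> None:
        self._records[record_id] = data

    def grant(self, user: str, record_id: str) -> None:
        """Grant one user access to one record (least privilege)."""
        self._grants.setdefault(user, set()).add(record_id)

    def grant_everything(self, user: str) -> None:
        """The over-broad alternative: access to every record in the store."""
        self._grants.setdefault(user, set()).update(self._records)

    def read(self, user: str, record_id: str) -> dict:
        """Return a record if the user holds a grant for it; log either way."""
        allowed = record_id in self._grants.get(user, set())
        self.audit.append(AccessEvent(user, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} may not read {record_id}")
        return self._records[record_id]


def suspects_for_leak(store: CustomerStore, leaked_ids: Set[str]) -> Set[str]:
    """Users who successfully read every one of the leaked records.

    The fewer people granted access, the smaller this candidate set:
    that is the traceability benefit of limiting access in the first place.
    """
    readers: Dict[str, Set[str]] = {rid: set() for rid in leaked_ids}
    for ev in store.audit:
        if ev.allowed and ev.record_id in readers:
            readers[ev.record_id].add(ev.user)
    if not readers:
        return set()
    return set.intersection(*readers.values())


def demo() -> dict:
    """Constructed scenario: four records, three staff, one leak."""
    store = CustomerStore()
    for rid in ("c1", "c2", "c3", "c4"):
        store.add_record(rid, {"id": rid, "card": "****"})

    # alice handles c1 and c2 only; bob handles c3 and c4 only.
    store.grant("alice", "c1")
    store.grant("alice", "c2")
    store.grant("bob", "c3")
    store.grant("bob", "c4")
    # carol was given blanket access "to be safe".
    store.grant_everything("carol")

    for user, rid in [("alice", "c1"), ("alice", "c2"), ("bob", "c3"),
                      ("carol", "c1"), ("carol", "c2"), ("carol", "c3")]:
        store.read(user, rid)

    try:
        store.read("bob", "c1")   # outside bob's grant: denied, but logged
    except PermissionError:
        pass

    # Records c1 and c2 later turn up on a USB stick.
    return {
        "suspects": suspects_for_leak(store, {"c1", "c2"}),
        "denied_attempts": sum(1 for e in store.audit if not e.allowed),
        "audit_entries": len(store.audit),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the leak of c1 and c2 narrows to two people, alice and carol, and carol is only on the list because she was given access to everything; with the blanket grant removed, the candidate set collapses to one. Denied attempts are logged as well, since a departing employee probing records outside their role is itself worth noticing.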
By Phil Thompson, partner at technology and corporate law firm, White & Black Legal.
With over five years' experience advising clients with technology-based businesses in both corporate and commercial matters, Thompson has developed considerable expertise in assisting clients to regulate their business affairs effectively. He specialises in venture capital funding, brand protection and complex commercial contracts.