Comment: Guidance on using encryption in cyber security plans

The last few years have seen an endless catalogue of high profile information security disasters, and all indications from those monitoring the level of attacks on critical IT systems are that this will only increase. Retailers have suffered their share of these, and their online defences have been the subject of media scrutiny.

Encryption is an area retailers need to review. Retailers in the UK have been guided principally by the data security standards set by the Payment Card Industry Trade Association when deciding how and when to use encryption on their websites and back office systems. The PCI Data Security Standard (‘DSS’) is stringent, and any retailer which offers online shopping will need to comply with it to satisfy the terms on which payment service providers make their facilities available. Encryption is a specific requirement under the PCI DSS: retailers must protect stored data (using encryption) and must encrypt the transmission of cardholder data and sensitive information across public networks. So, whilst in practice a retailer could not trade online taking card payments without following the PCI data security standards, what are the legal requirements to use encryption?

The Data Protection Act (‘DPA’) does not specify the use of encryption, but Principle seven of the DPA requires data controllers to take appropriate measures to keep the personal data they hold secure. It states:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

It is obvious that where data is not appropriately secured, loss or unauthorised access is much more likely to occur and according to the Information Commissioner’s Office (‘ICO’), a significant number of the monetary penalties issued in the past five years relate to the failure to use encryption correctly as a technical security measure. This can mean fines of up to £500,000 which will rise to €20 million or even higher – being a percentage of worldwide turnover – from 2018 under the European General Data Protection Regulation.

The ICO released new encryption guidance in March 2016. The guidance is not restricted to the online environment; it recommends that businesses consider encryption as a security measure alongside a range of other technical and organisational efforts.

When data is in transit during online activities, encryption protects payments for the reasons looked at above. SSL or TLS ensures the customer is on an https:// page when logging into an account or placing an order. However, other online touch points with a customer occur on unencrypted http:// pages. For example, booking an in-store appointment may require submission of a name, email address and mobile number as a minimum; if the same data is collected over a non-encrypted page as forms part of an order placed via an SSL-enabled page, this opens a door to an attack. Retailers also create risk by allowing users to remain logged in when they navigate from an https:// page to an http:// page, which can give an attacker access to the user’s session cookie. To reduce complexity and minimise the risks of moving between the two environments, the ICO suggests that a business should consider using SSL throughout its entire domain.
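The session-cookie risk described above has two concrete technical controls: marking the cookie `Secure` so the browser never sends it on an http:// page, and sending a `Strict-Transport-Security` (HSTS) header so the browser upgrades every request for the domain to https://, which is the practical form of "SSL throughout the entire domain". The following Python is an added example, not code from the article or the ICO guidance; it audits a constructed set of response headers for those two gaps and shows the hardened form. The header names, cookie names and values are constructed for illustration, and the function names are the example's own.

```python
# Added example (not part of the original article): audit HTTP response
# headers for the mixed http/https session-cookie risk and emit a hardened
# form. Sample headers and cookie values are constructed for illustration.

HSTS = "strict-transport-security"

# Canonical casing for attributes when we re-emit a Set-Cookie header.
CANONICAL_ATTRS = {
    "path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes come back as a dict keyed by lower-cased attribute name;
    flag attributes such as Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_response(headers):
    """Return findings for one response.

    `headers` maps lower-cased header name -> list of values, a shape most
    HTTP client libraries can be coerced into.
    """
    findings = []
    for raw in headers.get("set-cookie", []):
        name, _, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: the browser sends it on http:// pages too")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
        if "samesite" not in attrs:
            findings.append(f"cookie {name!r} lacks SameSite: sent on cross-site requests")
    if HSTS not in headers:
        findings.append("no Strict-Transport-Security header: browsers will still follow http:// links into the domain")
    return findings


def harden_set_cookie(header_value):
    """Re-emit a Set-Cookie header with any missing protective attributes added."""
    name, value, attrs = parse_set_cookie(header_value)
    attrs.setdefault("secure", True)      # never sent over plain http://
    attrs.setdefault("httponly", True)    # not exposed to document.cookie
    attrs.setdefault("samesite", "Lax")   # withheld from cross-site POSTs
    pieces = [f"{name}={value}"]
    for key, val in attrs.items():
        canonical = CANONICAL_ATTRS.get(key, key)
        pieces.append(canonical if val is True else f"{canonical}={val}")
    return "; ".join(pieces)


def hsts_header(max_age=31536000, include_subdomains=True):
    """Build the HSTS header that forces https:// for the whole domain (one year here)."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return "Strict-Transport-Security", value


def harden_response(headers):
    """Return a copy of `headers` with cookies hardened and HSTS added if absent."""
    hardened = {k: list(v) for k, v in headers.items()}
    hardened["set-cookie"] = [harden_set_cookie(c) for c in headers.get("set-cookie", [])]
    name, value = hsts_header()
    hardened.setdefault(name.lower(), [value])
    return hardened


# Constructed response from an appointment-booking page served over http://
# that reuses the session cookie issued by the https:// checkout.
BOOKING_PAGE_RESPONSE = {
    "content-type": ["text/html; charset=utf-8"],
    "set-cookie": ["sessionid=abc123; Path=/", "tracking=xyz; Path=/; Secure"],
}

if __name__ == "__main__":
    for finding in audit_response(BOOKING_PAGE_RESPONSE):
        print("BEFORE:", finding)
    fixed = harden_response(BOOKING_PAGE_RESPONSE)
    print("AFTER set-cookie:", fixed["set-cookie"])
    print("AFTER findings:", audit_response(fixed))
```

Run against real traffic, the audit would take the headers from the response object of whatever HTTP client is in use; the point of the design is that a `Secure` cookie removes the exposure on the http:// booking page even before every page has been moved to https://, while HSTS removes the http:// pages from the browser's path altogether.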

So where else might a retailer be vulnerable and require encryption of data besides its online activity? Encryption extends beyond online trading, and retailers should adopt a cyber security strategy across the whole business. Data storage is another area where encryption provides effective protection against unauthorised access, particularly in a fast-moving consumer goods environment where staff may be working remotely, for example on a laptop, mobile or USB stick. Other practical measures which should be adopted include:

• Making sure the software used is fully up to date, as this protects against attacks on known vulnerabilities.

• Having data use policies which staff understand and follow, covering issues such as the importance of keeping passwords private, using mobile devices in public places and the greater risks of sending information by email.

With the risk of significant damage to reputation if a retailer does not store personal data securely, we anticipate greater use of encryption over the coming years. This should be done as part of an ongoing review of information security requirements, which all businesses should be carrying out in preparation for the forthcoming changes in data protection law under the European General Data Protection Regulation.

Kim Walker is a partner at Thomas Eggar (which recently merged with Irwin Mitchell).
