On January 19, 2015, the United Kingdom’s Information Commissioner’s Office (“ICO”) — an independent UK body created to uphold information rights — published a corrective action agreement with shoe retailer Office Holdings Ltd. stemming from a data breach. The agreement requires Office Holdings to take corrective actions to ensure that the company adequately protects its customers’ personal data after a data breach exposed the personal data of more than a million customers. Office Holdings is regulated as a “data controller” under the UK’s Data Protection Act 1998 and is required by that act to comply with various data protection principles.
In May 2014, the data breach was reported to ICO after a hacker accessed customer contact details and website passwords through an unencrypted database that had been scheduled to be decommissioned. The hacker was able to bypass technical measures the company implemented, and the incident went undetected. Office Holdings confirmed, however, that the database did not store customers’ bank information and, therefore, financial information was not compromised. ICO also said that there was no evidence that the accessed information had been further disclosed or used.
Pursuant to the corrective action agreement, ICO requires Office Holdings to implement the following measures:
- ensure that all of its websites and servers are subject to regular penetration testing;
- implement its new data protection policy documents to include a retention and disposal policy for customer data, the requirements of which should be monitored on an ongoing basis;
- provide formal data protection training to all Office Holdings employees and introduce regular refresher training to reinforce this provision; and
- implement such other security measures as are appropriate to ensure that personal data is protected against unauthorized and unlawful processing, accidental loss, destruction, and/or damage, and to ensure that any such information is only retained for as long as necessary in relation to the purposes of the processing.
The Office Holdings corrective action is available here.
Reporter, Juliet M. McBride, Houston, +1 713 276 7448, jmcbride@kslaw.com.