UK's Information Commissioner's Office Enters Corrective Action Agreement With Shoe Retailer For Data Breach

King & Spalding

On January 19, 2015, the United Kingdom’s Information Commissioner’s Office (“ICO”) — an independent UK body created to uphold information rights — published a corrective action agreement with shoe retailer Office Holdings Ltd. stemming from a data breach. The agreement requires Office Holdings to take corrective actions to ensure that the company adequately protects its customers’ personal data after a data breach exposed the personal data of more than a million customers. Office Holdings is regulated as a “data controller” under the UK’s Data Protection Act 1998 and is required by that act to comply with various data protection principles.

In May 2014, the data breach was reported to ICO after a hacker accessed customer contact details and website passwords through an unencrypted database that had been scheduled to be decommissioned. The hacker was able to bypass technical measures the company implemented, and the incident went undetected. Office Holdings confirmed, however, that the database did not store customers’ bank information and, therefore, financial information was not compromised. ICO also said that there was no evidence that the accessed information had been further disclosed or used.

Pursuant to the corrective action agreement, ICO requires Office Holdings to implement the following measures:

  • ensure that all of its websites and servers are subject to regular penetration testing;
  • implement its new data protection policy documents to include a retention and disposal policy for customer data, the requirements of which should be monitored on an ongoing basis;
  • provide formal data protection training to all Office Holdings employees and introduce regular refresher training to reinforce this provision; and
  • implement such other security measures as are appropriate to ensure that personal data is protected against unauthorized and unlawful processing, accidental loss, destruction, and/or damage, and to ensure that any such information is only retained for as long as necessary in relation to the purposes of the processing.

The Office Holdings corrective action is available here.

Reporter, Juliet M. McBride, Houston, +1 713 276 7448, jmcbride@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© King & Spalding
