How to prevent a customer data breach

It’s not a question of if your customer data will be hacked, it’s a question of when, so it pays to prepare for that now, says Carl Selby

As hospitality businesses continue to implement new and innovative ways to engage with customers, using the rich personal data they hold to improve the customer experience, the threat of data breaches increases. As the saying goes: with great power comes great responsibility.

Personal data breaches are now headline news, especially in the hospitality sector. In 2020, Marriott was fined £18.4m for a data breach where threat actors had access to 339 million customer records over an extended period. Last year, cyber criminals sent emails purporting to come from Booking.com demanding fraudulent payments, and a ransomware attack at MGM Resorts will cost the business an estimated $100m (£78m).

The volume of customers, the nature of the information held on digital systems (in particular payment information), large workforces, businesses that operate with relatively open physical environments and a reputation for lax security combine to make the hospitality sector a prime target.

Data breaches are inevitable; it is very much a case of when, not if, they will occur. However good your systems and processes, human error and criminals who are one step ahead of security providers mean there will always be risk of a breach. There is no way to prevent all breaches, only steps businesses can take to reduce the risk of a significant data breach and mitigate its impact when it happens.

What is a data breach?

A data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The definition is wide. To give a few examples, all of the following are data breaches:

• customer records being accessed by a hacker;
• ransomware infecting your systems, which prevents access to customer records; and
• sending an email or post containing personal data to the wrong recipient/address.

Minimising the risk

If you have to report a breach (or someone complains) the Information Commissioner’s Office (ICO) will assess your data protection processes. The ICO appreciates that data breaches will happen, but they do expect businesses to demonstrate that they have taken adequate steps to comply with their data protection obligations, such as:

• Keep a record of the processing activities you carry out (often called a data map), recording the personal data you collect, how it is processed and the lawful basis on which you process it.
• Tell customers and staff how you process their personal data and keep the information you give them up to date. Usually this is done in a privacy notice.
• Implement, follow and regularly update your policies.
• Train your staff regularly on their data protection obligations and what to do if a breach (however minor) happens.
• Consider getting cyber insurance that covers the cost of responding to a breach as well as the potential fines and other losses.
• Implement appropriate technical and organisational measures to safeguard personal data. Simple steps, such as using strong passwords and multi-factor authentication; having appropriate and properly configured firewalls and cybersecurity software; keeping (and testing) back-ups; encrypting data at rest and in transit; access controls to limit who can access personal data; and patching systems with the latest security updates promptly, can go a long way.
• Complete due diligence on third parties who process personal data for you and make sure your contract with them has appropriate data processing clauses.
• If personal data is being exported to another country, put in place appropriate safeguards.
• Keep a log of all data breaches, however minor, and the steps you have taken in relation to each breach.
• Have a plan to respond to a data breach from both a legal and public relations point of view. If a breach is notifiable, you have 72 hours to report it to the ICO; working out what to do will waste valuable time. Test the plan by simulating a breach to identify areas that can be improved.

Why is this so important?

• A data breach could mean you are unable to run your business until the issues are resolved, potentially giving rise to losses and cash flow issues.
• Will customers trust you with their personal data if you have a poor record on data security?
• Data subjects can bring direct claims for data breaches. There are now claims management companies seeking compensation for breaches.
• The ICO can impose fines of up to £17.5m or 4% of worldwide turnover, whichever is higher, if a data controller is in default of its data protection obligations. Given the risks, taking specialist advice to prepare for a data breach will help significantly reduce the consequences of a breach when it happens. Proper preparation really does prevent poor performance (and penalties).

Carl Selby is a partner and head of the tech group at law firm RWK Goodman

Photo: Christina @ wocintechchat.com/unsplash