Talk Talk handles data for its huge customer base on a daily basis. Like all businesses, they have a legal responsibility to ensure that this data is kept secure and up to date. However, the telecommunications company were recently dealt the biggest fine in the history of the Information Commissioner's Office when they were ordered to pay a £400,000 fine for losing customer data.
Last October, a breach of Talk Talk’s website resulted in the theft of data from 157,000 customers and in some cases, this included credit card numbers and sort codes.
But Talk Talk aren’t alone in these data breaches, and undoubtedly, there are lessons that businesses should be learning from breaches by any organisation. We have a responsibility to protect sensitive information and rely on trust to build strong customer relationships. So here are 5 data protection lessons to learn from these breaches:
Scrutinize Your Policies & Procedures
If large companies identified the weaknesses in their systems beforehand, many of these data breaches might never happen. Businesses should take note of this and implement regular checks and evaluations of their data protection procedures. Technology evolves quickly, so your organisation needs to regularly review how you handle data, what data you hold and who is responsible for it, amongst other things.
Large organisations often fail to properly scan their systems for threats, and so don’t even know that the vulnerable web pages targeted in an attack exist. Had they evaluated their data protection procedures, they may have identified that their vulnerability scanning was inadequate.
Regular reviews like this could help reduce the risk of a data breach and also help to show your customers that you are handling their data responsibly. Not auditing your policies on a regular basis could allow weaknesses to develop without you noticing, so make sure that all policies and procedures for data protection are always relevant and up to date.
Particularly in a small business, you’ll need to place some element of trust in employees to spot and flag up potential weaknesses. Because of this, training your employees to handle and process data responsibly is essential. If your employees are aware of best practices for handling and processing data, they are more likely to spot potential issues with your procedures.
Having well-trained employees won’t stop attempts at malicious attacks, but if your staff are following procedures well, actually stealing data should be a lot more difficult. If you’re looking to train employees in data protection but don’t know where to start, we’ve produced an office manager’s data protection checklist that should point you in the right direction.
Coordinate with Third Parties
In the case of the Talk Talk breach, the stolen data was part of a legacy system inherited from Tiscali. This illustrates how important it is to not only evaluate your own systems, but to be sure of any data kept by third parties. Companies should identify and eliminate the weaknesses they inherit from legacy systems, but most do not. Instead, many leave the vulnerabilities in place until the inevitable happens.
When coordinating with other organisations and sharing data, you should be evaluating the strength and reliability of these other parties. You are still responsible for your customer data whether it’s transferred to you from another organisation, or you’re sharing data with another company.
The data protection procedures of other companies are not totally within your control, so assess whether this could be a risk before sharing data. If your customer data is lost from a third-party system, it still reflects badly on your business and could damage customer trust.
Implement a Breach Plan
If the worst does happen, and customer data is lost, you need a strong plan in place and ready to go. Immediately after a data breach, your reaction could be the difference between keeping and losing customers.
But many large companies’ initial reactions to breaches are not decisive.
Think about your customers’ worries and anxieties after a data breach. Your response needs to be quick, decisive and reassuring. Particularly for a small business, something like a data breach could be incredibly damaging to customer confidence. If you’ve done everything possible to demonstrate best practice up to this point, reassure your customers that you are acting rapidly and keep them informed at every stage.
Learn from Experience
Perhaps the most telling and shocking fact about many large companies’ data breaches is that they suffer breaches over and over again, without learning from their experiences. If companies act appropriately after the first breach and carry out a full data protection and security audit, second, and particularly devastating third, breaches may not happen.
Even if customer trust survives the first data breach, allowing another breach demonstrates that you have not learned from your mistakes, and that certainly will damage trust.
Your business has both legal and moral responsibilities to keep customer data secure. When it comes to your small business, demonstrate that you have learned from any data breaches or losses of data. Small businesses are built on the trust of their customers and on building strong relationships. Don’t let all of your hard work go to waste by handling data poorly.
The severity of the mistakes made by large companies is reflected in the record fines handed out by the ICO. Not only that, but the loss of so many customers demonstrates the impact that a data breach can have on an organisation. Having strong data protection procedures, training and planning in place should ensure that your business is able to handle data responsibly and maintain the trust of your customers.