While M&S hoped that their controversial strawberry sandwich would be the retail story of the summer, all such light-hearted publicity has been significantly overshadowed by its devastating cyber breach.
The fashion and retail sector is facing an increasingly alarming trend of major cyber incidents and not just in the UK. In the last fortnight LVMH has admitted suffering data breaches in Hong Kong and Portugal involving the financial data of its customers.
These breaches follow those earlier this year suffered by North Face, Victoria’s Secret, Adidas, H&M as well as UK retailers M&S and Harrods. M&S, in particular, is reported to be facing a major class action claim.
Fashion companies are particularly vulnerable due to their extensive customer databases and reliance on the online channel. The storage and processing of large volumes of personal data (including financial information), together with their deep pockets, also make these businesses especially attractive targets for cybercriminals.
The impact of such data breaches can be legally, financially and reputationally damaging. So:
- what is the relevant legal framework,
- what prevention strategies should be followed by brands and retailers, and
- what should they do if a data breach occurs?
What does the law say?
A data breach does not have to be cyber-attack related – data breaches can occur when an employee leaves their laptop on a train, or personal data is accidentally sent to the wrong person. Either of these data breaches could be reportable by the data controller to the Information Commissioner’s Office (ICO).
If a data breach is likely to result in a risk to individuals’ rights and freedoms, you must report it to the ICO without undue delay and within 72 hours of the organisation becoming aware of the breach. If you decide not to report the breach, you should document why that decision was made so that you can justify your position if challenged by the ICO. It is best practice to maintain a data breach register as part of your incident response plan, recording all breaches – reportable or not.
The ICO has a self-assessment tool that can help assess reportability.
When reporting a breach, you must include details of:
- the nature of the breach;
- categories and approximate number of individuals and records affected;
- contact details for further information;
- likely consequences; and
- the measures taken or planned to address it.
If a data breach is likely to result in a high risk to individuals, you must report it to the impacted individuals without undue delay. High-risk factors may include:
- the sensitivity of the personal data (for example, financial data or information that reveals an individual’s religion or sexuality);
- the identity of the recipient (for example, a cyber-hacking group such as Scattered Spider or simply a person’s colleagues); and
- the number of people to whom the data has been disclosed.
Any notification should provide similar details to your report to the ICO and include advice on how individuals can protect themselves or mitigate the impact of the breach further (for example, changing passwords or being wary of phishing emails).
Prevention: Get your docs in a row
If your company handles personal data, it is required by law to implement appropriate technical and organisational measures to protect it. In addition to strong cybersecurity, brands and retailers should adopt these data-specific measures:
- Develop robust policies: A data protection policy should set out how to escalate suspected breaches and clarify what information must be provided to the ICO and affected individuals. It should also advise employees on safeguarding personal data and document breach procedures.
- Data mapping: It is important to know and record where personal data (in particular, sensitive data) is kept, how it comes in, and how it is deleted.
- Risky business: Conduct and maintain a risk assessment to evaluate the likelihood and risks of any data breach.
- Build up your defences: Make sure data security is ingrained in your company culture. For example, ensure that you implement preventative measures such as staff training, supervision, updated procedures, a culture of trust, access controls, system audits, and technical safeguards like disabling autofill. This can be recorded in an appropriate IT security policy.
- Cross-team communication: Work closely with your IT team – they can assist with training other staff (for example, through fake phishing emails and relevant staff training). Make breach prevention and response guidance readily available to all staff via email or your intranet.
- Check your suppliers: IT providers (or any third parties that handle your data) should be vetted prior to engagement. Ensure that your contracts contain appropriate data protection provisions (especially if the service provider is acting as a data processor).
- Insurance: Cyber insurance is increasingly essential. Make sure you review the policy wording to ensure you understand the extent of your coverage.
There has been a breach – now what?
Even with best efforts, no organisation is immune. A fast and structured response can significantly limit damage. Suggested steps include the following:
- Activate incident response plan: Mobilise your response team (legal, IT, comms, and leadership) and follow clearly defined escalation steps.
- Contain the breach: Stop the breach from spreading – isolate affected systems and revoke access but make sure to preserve relevant evidence.
- Gather the facts promptly: Begin investigating and recording critical facts:
  - What happened and when?
  - What individuals are affected and what kind of data is involved?
  - What protective measures (for example, encryption) were in place?
- Report to the ICO: Failure to report a qualifying breach can lead to penalties. Even if not reportable, document your rationale.
- Consider notifying affected individuals: Where there’s high risk to impacted individuals, you should notify them without undue delay. Be clear about what happened and what steps they can take.
- Notify insurers: If you have cyber insurance, you are likely to have an obligation to notify your insurers within a fixed time frame.
- Public communications strategy: Decide whether external messaging is needed. Coordinate timing and content carefully.
- Document everything: Keep detailed records of what occurred, what decisions were made, and what actions were taken. This will help with regulatory scrutiny or claims.
- Move to long-term lessons: After the dust settles, conduct a root cause analysis and revise policies, training or controls to address any gaps. Share lessons learned internally to build resilience.
Key takeaways
During the Covid pandemic PPE was all the rage. Now PPCE is in fashion:
- PREVENT: Build a culture of security with strong policies, training and controls.
- PREPARE: Have a rehearsed, cross-functional incident response plan ready to go.
- COMPLY: Know your legal obligations around breach notification and documentation.
- EVOLVE: Treat every breach (or near miss) as a learning opportunity.