Data Protection: Information Security and the Construction Industry
Earlier this month, the construction company known as Construction Materials Online Limited (CMO) was fined £55,000 by the Information Commissioner’s Office (ICO) for breaching the laws on data protection and information security.
So what happened?
CMO operated a website which enabled customers to buy building materials online. CMO’s website was created by a third party website developer, and unknown to CMO, the website’s log-in pages contained a coding error.
This coding error created a vulnerability which allowed a hacker to modify the payment pages and access the personal banking details of over 600 customers, including their names, addresses, bank account numbers and sort codes.
What did the ICO say?
The ICO (the data protection regulator in the UK) found that CMO, as the data controller, failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, as is required by principle 7 of the Data Protection Act 1998 (DPA).
In particular, the ICO found that CMO failed to:
- carry out regular penetration testing of the website which would have detected the coding error; and
- ensure that the passwords on the website were sufficiently complex to resist a brute-force attack on the stored hash values (hashing is a one-way transformation: the password is turned into a fixed-length scrambled value, the hash, from which the password cannot be read back directly; an attacker who obtains the hashes can, however, hash each candidate password in turn and compare the results, so a simple password is quickly recovered).
What is principle 7?
Principle 7 requires organisations to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. According to the ICO’s guidance, in practice, this principle means that organisations must:
- design their security to suit the nature of the personal data held by the organisation;
- designate a person or team with responsibility for ensuring information security;
- make sure the organisation has appropriate physical and technical security, and that the organisation’s policies and procedures are robust and reliable; and
- be ready to respond to any security breach quickly and effectively.
Why should you care?
- The construction industry is increasingly exposed to cyber-crime (and therefore to data security breaches) as it becomes more connected through internet-connected systems such as BIM (Building Information Modelling) and project management software.
- The coding error was made by a third party, and not by CMO, yet the ICO still found CMO to be in breach of the DPA. CMO was found liable for not conducting regular and routine testing of its website. If you have a website, you must ensure it is regularly tested for security vulnerabilities to avoid breaching the DPA.
- The passwords were hashed, which is a form of data security protection. However, the passwords were too simple, so the hacker was able to recover them from the hash values by guessing: hashing common passwords and comparing the results with the stored hashes. It is not enough to hash or salt passwords if the passwords themselves are easy to guess, because the attacker simply tries the common ones first. Make sure the passwords your website accepts are sufficiently complex, e.g. use numbers, capitals and symbols, and reject passwords that appear on lists of commonly used or previously leaked passwords. A website should also store passwords with a slow, salted password hashing function (such as bcrypt, scrypt, Argon2 or PBKDF2) rather than a single fast hash such as MD5 or SHA-1, so that each guess costs the attacker far more time and a guess cannot be checked against every account at once.
- In 12 months' time, on 25 May 2018, the EU's General Data Protection Regulation (GDPR) will come into force and radically change the rules on data protection within the UK. The potential fines under the GDPR for a breach of data security will be much higher than the current fines under the DPA, being the higher of €20m or 4% of an organisation's total worldwide annual turnover.
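The following Python script is an added illustration of the password point above; it is not code from this article, from CMO or from its website developer. It stores a few constructed accounts as unsalted SHA-256 hashes (the kind of fast hash a naive log-in page might use), runs an offline dictionary attack against them, and then shows the two countermeasures: a slow, salted hash (PBKDF2 here, standing in for bcrypt, scrypt or Argon2) and a password policy check that rejects short, simple or well-known passwords. All usernames, passwords and the short wordlist are constructed for the example.

```python
"""Offline guessing against stored password hashes: a fast unsalted digest
versus a slow, salted password hash. Added example; accounts, passwords and
the wordlist below are constructed, not data from the CMO case."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for the top entries of a public leaked-password list.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "builder1", "Summer2017"]


def fast_unsalted_hash(password: str) -> str:
    """One SHA-256 over the password with no salt: what a naive log-in page might store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample of a leaked user table: username -> unsalted SHA-256 hex digest.
SAMPLE_ACCOUNTS = {
    "alice": fast_unsalted_hash("letmein"),
    "bob": fast_unsalted_hash("builder1"),
    "carol": fast_unsalted_hash("Tq7!vR2#mZ9pL4"),  # long and not on any wordlist
}


def dictionary_attack(stored: dict, wordlist: list) -> dict:
    """Hash every candidate once and look it up against all stored digests.

    Because the hashes are unsalted, one guess is compared with every account
    at the same time; the attacker pays one hash per word however many users
    the site has. Returns {username: recovered_password} for the accounts cracked.
    """
    lookup = {fast_unsalted_hash(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}


def slow_salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte salt per user means the same
    password hashes differently for each account, and the iteration count makes
    every guess cost the attacker thousands of SHA-256 computations instead of one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    """Recompute the PBKDF2 digest from the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def check_password_policy(password: str, wordlist: list, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list means acceptable).

    Implements the article's advice (capitals, numbers, symbols) together with a
    minimum length and a check against the common-password list, since a
    password that is on a leaked list is cracked however it is hashed.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in {word.lower() for word in wordlist}:
        problems.append("appears on the common-password list")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three of: capitals, lower case, digits, symbols")
    return problems


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guessing rate for a hash function (timing, so approximate)."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        hash_fn(f"guess{count}")
        count += 1
    return count / seconds


if __name__ == "__main__":
    print("cracked from unsalted SHA-256:", dictionary_attack(SAMPLE_ACCOUNTS, COMMON_PASSWORDS))
    record = slow_salted_hash("letmein")
    print("PBKDF2 verify correct password:", verify_password("letmein", record))
    print("PBKDF2 verify wrong password:  ", verify_password("letmeout", record))
    for pw in ("letmein", "Tq7!vR2#mZ9pL4"):
        print(f"policy check {pw!r}:", check_password_policy(pw, COMMON_PASSWORDS) or "ok")
    fast = guesses_per_second(fast_unsalted_hash)
    slow = guesses_per_second(lambda p: slow_salted_hash(p, salt=b"\x00" * 16, iterations=20_000))
    print(f"approx. guesses/second: SHA-256 {fast:,.0f} vs PBKDF2(20k) {slow:,.0f}")
```

Run as a script it prints the two cracked accounts (alice and bob; carol's long password is not on the wordlist), the PBKDF2 verification results, the policy verdicts, and a rough guessing-rate comparison. The rate numbers depend on the machine, but the ratio is the point: the slow salted hash turns millions of guesses per second into a few hundred, and the per-user salt means the attacker has to repeat that work for every account rather than once for the whole table.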
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses across all sectors wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.