The risk of a data breach is increasing in the retail industry as retailers accumulate more and more personal information on their customers as part of their ‘Big Data’ initiatives. As such, the number of retail businesses reporting data breaches to the Information Commissioner's Office has doubled in just one year, jumping from 19 in 2015/16 to 38 in 2016/17, says law firm, RPC.
The rise of online shopping, loyalty programmes, digital marketing and offering electronic receipts in store mean that even a small multiple retailer will be gathering exactly the kind of data that hackers will be looking for, and the retail industry is beginning to feel the pressure to invest more heavily in cyber security.
The regulatory burden and financial risks involved in a data breach will increase substantially when the General Data Protection Regulation (GDPR) comes into force in May 2018. These rules will make reporting breaches mandatory. As companies are not currently required to report every attack they suffer, the actual number of data breaches in the retail sector is likely to be even higher.
Jeremy Drew, Partner at RPC, comments: “Retailers are a goldmine of personal data but their high profile nature and sometimes ageing complex systems make them a popular target for hackers. There are so many competing pressures on a retailer’s costs at the moment – a rise in the national minimum wage, rates increases, exchange rate falls, as well as trying to keep ahead of technology improvements – that a proper overhaul of cyber defences can get pushed onto the back burner.”
Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.
Jeremy Drew added: “As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained. No UK retailer wants to be in the position of some public examples who were forced to confirm that it took them nearly a year to close a data security breach.”