The recent story by the BBC concerning the security measures taken on Tesco’s website, and the subsequent investigation by the UK’s independent authority on data protection, the Information Commissioner’s Office (ICO), illustrates the importance to businesses of data protection and of ensuring that website security measures are current.
For those not familiar with the story, data security specialists were critical of how Tesco stored the passwords of shoppers who used its shopping website. Some specialists argued that individuals’ login credentials should be stored cryptographically (which is basically a form of encryption) and that HTTPS (“Hypertext Transfer Protocol Secure”) should be used across the entire website.
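As an added illustration of the “cryptographic storage of login credentials” the specialists called for, here is example code written for this page, not Tesco’s or the ICO’s; it assumes PBKDF2-HMAC-SHA256 from Python’s standard library as the scheme, since the story itself names none, and shows a salted, slow, versioned record beside the weak unsalted form it replaces.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed policy value); it is stored with
# each record so it can be raised later without breaking existing logins.
ITERATIONS = 600_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or unknown scheme: never accept
    _, iterations, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy,
    so it can be upgraded transparently on the user's next successful login."""
    return int(record.split("$")[1]) < iterations


def weak_hash(password: str) -> str:
    """Shown for contrast only: an unsalted fast hash gives every user with the
    same password an identical value, so a leaked table reveals shared passwords
    and can be matched against precomputed tables."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()
```

Two users choosing the same password receive different records under `hash_password` but the same value under `weak_hash`, which is the property reviewers of stored credentials look for.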
The Data Protection Act provides that organisations must take appropriate measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage to personal data. Further, in relation to the security requirements for websites collecting personal data, the appropriate level of security depends largely on the type of personal data being collected and the potential damage that may result should there be any unauthorised or unlawful processing, or accidental loss, destruction or damage to this personal data.
Clearly these principles are general, and the lack of detail causes problems for organisations when they attempt to identify the security measures they should be taking. This is especially the case in relation to website security, which is a constantly evolving and complex area. This may be part of the problem Tesco faced when developing and maintaining its website security procedures. However, guidance from the ICO has made it clear that, if the personal data in question poses any risk to individuals should it be wrongly disclosed or lost, the initial collection and storage should only occur pursuant to a secure, encryption-based system and be held on a server also secured by encryption.
We must remember that there has been no security breach of Tesco’s systems and that determining the appropriate level of website security is not straightforward. However, this story shows that all organisations collecting personal data online, not just those the size of Tesco, should frequently review their website security measures to ensure the technical measures comply with good industry practice and are commensurate with the personal data being collected.
Matt Johnston is a Senior Associate in the Commercial Department at Harrison Clark, heading up the Cheltenham team. Matt specialises in data protection, technology and e-commerce. Tel: 01242 216177