Cyber security firm IT Governance has urged heads of human resources to push for tighter employee data security measures to avoid data breaches that could result in costly law suits.
This follows the 2014 data breach involving the personal details of 99,998 employees of the UK supermarket group Morrisons, which resulted in
6,000 employees taking legal action against the company.
“All major retailers should take the Morrisons data breach as a warning” says Alan Calder, the founder and executive chairman of IT Governance.
Nick McAleenan of JMW Solicitors, representing the Morrisons employees, said: “This case has major implications for every employee and every employer. Whenever employers are given personal details of their staff, they have a duty to look after them.”
Many retailers have famously been targets of cyber attacks: only two years ago, the chief executive of major US retailer Target resigned after hackers stole the personal information of 70 million customers.
The British Retail Consortium recently reported that fraud and cyber crime against major UK retailers rose by 55 per cent in the last year.
Alan Calder continues: “Heads of HR need to be as concerned about data security as heads of IT. The new
EU General Data Protection Regulation (GDPR) – with its mandatory breach reporting requirements and fines of up to 4% of global revenue – will result in significant consequences for data breaches in the future. Boards should be concerned about these risks, and heads of HR need to be pushing for adequate technical, administrative and operational security measures to prevent data breaches and the exposure of employees’ personal details.
“To avoid landing in the same situation as Morrisons, organisations should take measures now in preparation for the new EU GDPR that will come into force in early 2018. By implementing the international information security standard,
ISO 27001, organisations will be well placed to meet the Regulation’s compliance objectives,” said Calder.
ISO 27001 is a global standard that sets out the specification for implementing and maintaining an information security management system (ISMS) in order to achieve an organisation’s data security objectives.
Recognising that technology alone is insufficient to prevent data breaches, ISO 27001 requires companies to implement appropriate processes and measures, including staff awareness training, as part of a holistic approach to information security that encompasses people, processes and technology.
“The overall approach by organisations to information security needs to be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness,” said Alan Calder.
ISO 27001 can provide an effective solution for organisations looking to achieve compliance with the GDPR. IT Governance’s extensive expertise and solid track record of helping companies implement ISO 27001, combined with its specialist data privacy consultancy, can help organisations develop a compliance pathway that meets the objectives of the EU GDPR by 2018.
To find out more about
the implications that the EU GDPR could have for your organisation, or to find out about IT Governance’s
EU GDPR readiness assessments, gap analyses and data protection audits, please contact the consultancy team directly at servicecentre@itgovernance.co.uk or call them on +44 (0)845 070 1750.