Sorry Sir, Our Data Breach Response Plan is Out of Stock
By Cameron Abbott, Michelle Aggromito and Max Evans
We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.
Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.
Failing to report breaches become a particular business concern when the EU General Data Protection Regulation (GDPR) is concerned. Under the GDPR, a controller must, without undue delay and where feasible, notify an EU supervisory authority not later than 72 hours after becoming aware of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Failure to do so can render a controller liable for the lower threshold, but still severe, GDPR fine of up to the larger of €10,000,000 or 2% of total worldwide annual turnover. This is not to discount potential fines of up to €20,000,000 or 4% of total worldwide annual turnover for other infringements which may result from breaches.
Although this breach may potentially not trigger notification requirements, conduct such as failing to divulge a data breach to impacted individuals, provide any further details as to the breach and disclosing to the appropriate supervisory authority suggests a lack of sufficient data breach response processes. This is not uncommon as the changing online landscape often creeps up without sufficient thought being turned to instilling appropriate safeguards and processes when dealing with personal information.