When it comes to retail cyber attacks, the legal viewpoint is a simple one: as with any other organisation, retailers must protect their customers’ information.
Yet, in recent times, we’ve witnessed a lot of retail cyber attacks that were entirely preventable, and retailers are an obvious target for cyber-criminals.
Retail cyber security can be a complex matter. With numerous breach points across varying suppliers and potentially hundreds of thousands of outlets, it’s not the easiest of issues to address, but the legal viewpoint remains that customers’ data must be protected, or retail cyber attacks will lead to legal action and compensation for victims.
Retail cyber attacks being hard to stop does not absolve legal responsibility
Retail cyber attacks can be hard to stop, but the duty remains to ensure that customer data is protected at all times. Retailers need to know their access points and vulnerabilities, and they need to ensure they have proper control of their cybersecurity. Failing to do so gives customers the right to bring legal actions against the retailers for the failure to protect their information.
Although virtually nothing is completely “unhackable”, so to speak, it’s not an absolute defence for organisations who fall foul of retail cyber attacks to shift the blame directly to the hackers and claim no responsibility for being the victim of a hack themselves.
Those who don’t know history are doomed to repeat it
To avoid retail cyber attacks, organisations only need to look at recent examples to learn how to protect themselves and therefore protect their customers.
WannaCry: ransomware that simply exploited older and more vulnerable systems. Retailers who fail to keep systems up-to-date and protected may face justified legal claims from customers.
Equifax: we’re representing a number of victims of the Equifax data breach. This stemmed from Equifax failing to patch a known vulnerability, and on top of that their own systems failed to identify the ongoing vulnerability. In our view, they’re liable to compensate victims.
Ticketmaster: another one we’re involved in. We’re fighting for the rights of victims of the recent Ticketmaster breach which was caused by Ticketmaster – a retailer themselves – using vulnerable third-party code for the payment process without even telling the authors of the code (who have since confirmed they would have warned against its use due to it not being secure for a payment process).
These examples show that retail cyber attacks can be caused by simple and fixable vulnerabilities. Retailers can gain a competitive advantage from being cybersecurity savvy, so not only are these issues preventable, but they could also be profitable.
Customers who are the victims of retail cyber attacks may be able to claim for data breach compensation, and this in itself should serve as another deterrent for failing to act on cybersecurity.