I’m worried that my computer could be hacked with confidential information and the personal details of my customers ending up on the internet. Any thoughts?

The UK is one of the world’s most advanced digital economies and this is both a strength and a weakness, according to a report on BBC News in February. And, earlier this year, The Sunday Times highlighted ‘an alarming reality: the digitalisation of modern life has dramatically outpaced the security required to keep us safe.’

Retailers and suppliers are exchanging information (some of it confidential) and data on a daily basis. But rarely do supply agreements address security and confidentiality issues. Sometimes a retailer will be able to access the supplier’s computer system. In this situation there should be an obligation on the retailer to keep usernames and passwords secret and to keep its own data security up to date.

Unless a retailer maintains up-to-date virus checks on its own computer, it could find itself with a major problem if, for example, they receive an email which carries a virus or has an attachment that does. And, if a bride goes into a shop with a USB stick to show the retailer a picture of a dress, it is not easy to sort out the problems which follow if the stick carries a virus.

The Data Protection Act requires businesses processing personal data to be registered with the Information Commissioner’s Office and keep this data secure. Bridal retailers are not exempt from the Act. Whilst the common law does impose obligations of confidentiality, without specific contractual provisions either retailer or supplier can be left exposed to the misuse of confidential information and data by the other.

From a supplier’s perspective, any agreement made with a stockist should include specific provisions addressing issues concerning the disclosure and use of confidential information. While many suppliers will rely on their own data security, there is good reason to require retailers to do the same and, where appropriate, to take steps to avoid hacking by third parties.

To minimise the damage from a data security breach - should one occur - it is essential that all parties develop and implement an ‘incident response plan’ to highlight each party’s responsibilities.

In the first two months of 2017, Fox Williams advised three clients on four cybersecurity breaches. In two cases, we notified the ICO - although there is no legal obligation to report breaches of security. However, from 25 May 2018, every business will be required by the General Data Protection Regulation to notify the ICO of certain types of data breaches within 72 hours of the business becoming aware of the breach.

It is often when things go wrong at the end of a relationship that issues concerning confidential commercial information and data security arise.
So, if you are reading this online, is anyone else reading it? And can they access your confidential commercial information and personal data?