EBay has been the victim of what has been described as the 'biggest cyber-attack in history', with 233 million customers worldwide potentially affected. Although customers' passwords remain encrypted, personal information including names, addresses and dates of birth was compromised.
In the wake of this news, it has been confirmed that the Information Commissioner is working with European data authorities to take action against EBay, alongside the various investigations already underway in the US.
To help unpick the implications of all this, we put some questions to legal expert Emily Carter, a partner at law firm Kingsley Napley LLP.
Tech Radar Pro: What is the Information Commissioner's Office's remit?
Emily Carter: The Information Commissioner's Office is the UK's independent authority tasked with upholding information rights in the public interest. It provides guidance on the application of the law relating to data protection and freedom of information, and conducts voluntary audits of information handling by organisations.
Where the requirements of those laws are breached, it will handle complaints and take any necessary enforcement action.
TRP: In what circumstances can the Information Commissioner's Office take action against a global internet business such as EBay?
EC: Christopher Graham, the Information Commissioner, confirmed on Friday that it must co-ordinate with other jurisdictions when considering a global internet company like EBay. The US Federal Trade Commission will launch an investigation because EBay is an American company.
Within Europe, the Luxembourg data protection authority will take the lead as EBay's European headquarters are in Luxembourg. However, given there are reportedly up to 14 million active UK customers affected, the Information Commissioner's Office could still take action here.
TRP: What does data protection law require companies such as EBay to do in order to protect against hacking?
EC: The seventh data protection principle requires companies to have in place "appropriate technical and organisational measures" to guard against hacking and other unauthorised or unlawful processing of personal data. Whether security is appropriate will depend on the nature of the information in question and the harm that might result from its improper use.
Given the size and resources of a company like EBay, and considering the vast amounts of personal data within its possession, I would expect that the Information Commissioner may very quickly conclude that the only "appropriate" approach to security would be to maintain the very best and most up-to-date data security systems available.
TRP: What sanctions are available to the Information Commissioner if EBay has breached data protection law?
EC: The Information Commissioner is able to issue fines of up to £500,000. In a similar case last year, Sony was fined £250,000 by the Information Commissioner for not maintaining up-to-date security software, leading to the hacking of personal data of millions of customers, which in this case included passwords and card details.
TRP: What duty does EBay have to inform customers of a problem in a timely fashion?
EC: There is currently no statutory duty upon those holding and processing personal data to inform either the Information Commissioner or the individuals affected if a security breach takes place. However, guidance issued by the Information Commissioner's Office states that in cases of serious data breach, the organisation should contact his office.
A breach will be considered serious where there is potential detriment to individuals. In this case, it appears that neither the Information Commissioner nor customers were informed for up to two weeks after the security breach was identified.
TRP: What is the potential impact of EBay's reported delay in alerting the data authorities and customers of a security breach?
EC: This is an issue which the Information Commissioner's Office can take into account when determining the appropriate level of financial penalty for the company.