In practical terms for customers, although it is possible for EBay customers to now change their passwords, this may do little to prevent identity theft given it is understood that customers' names, addresses and dates of birth are already in the hands of the hackers responsible.
TRP: What recourse do EBay customers have for individual compensation?
EC: Individuals whose personal data has been stolen can make a claim under section 13 of the Data Protection Act 1998 for financial compensation from EBay where they have suffered damage or distress due to a breach of data protection requirements.
Although it is a defence for EBay to demonstrate that it "had taken such care as in all the circumstances was reasonably required" to keep the personal data of individuals safe, if the Information Commissioner makes a finding that EBay has breached the seventh data protection principle, it will be difficult for it to rely on this defence in responding to individual claims for compensation.
TRP: What lessons should other businesses learn from EBay's predicament?
EC: Any organisation which holds personal data needs to ensure that the security measures in place to protect this data are "appropriate." Given that hackers keep pace, and sometimes outpace, the development of latest security measures, software security needs to be reviewed and updated regularly.
Alongside technological solutions, every organisation should ensure they have policies in place, train their staff and secure physical access to information systems, including encrypting all portable devices. The consequences of failing to take appropriate security measures are serious. If the threat of a maximum £500,000 fine is not incentive enough, there is the added cost of compensation claims.
Most importantly, for any retail business reliant upon its customers providing personal data to operate, the public's loss of confidence in a company's security may cause unquantifiable loss in terms of business revenue.
