Multilaw lawyers from Macpherson Kelley, Miller Nash, Penningtons Manches Cooper, and WKB Lawyers discuss digital security and the cost of failure in a data-driven world
There have been several known cybersecurity cases involving luxury brands recently. In 2020, Marriott Hotels were fined £18.4 million by the Information Commissioner’s Office (ICO - the UK’s data protection regulator) for a major data breach, affecting up to 339 million guests. The ICO found that, in breach of the General Data Protection Regulation (GDPR), Marriott Hotels had failed to put in place appropriate safeguards which led to personal information such as names, contact information and passport details being compromised in a cyberattack.
More recently, in 2021 the Italian fashion brand Moncler had files stolen in a ransomware attack in which the details of employees, suppliers, consultants, and customers were leaked. When the company refused to pay the $3 million ransom demand, the attackers published the stolen data on the dark web. Also in 2021, fashion brand French Connection was subject to a ransomware attack in which the attackers gained access to a selection of private internal company data after exploiting a security vulnerability in the company’s back-end systems.
In its Cost of a Data Breach Report 2021, global information technology company IBM stated that system complexity and compliance failures were among the top factors amplifying the costs of data breaches. According to IBM statistics, the average total cost of a data breach varies between industries, for example, $3.03 million in hospitality, $3.27 million in retail, and $3.75 million in transportation. These statistics reflect the information on data breaches in all sectors, both luxury and non-luxury, and demonstrate how costly failures in a data-driven world can be across the board.
Cybercrime is so costly because the data it targets is so valuable; as The Economist put it, “the world’s most valuable resource is no longer oil – it’s data”.
The threat of a cyberattack is very real and growing, driven by the digitisation of brands and the increasing sophistication of cyber criminals and state-sponsored attackers. Like most businesses, luxury brand houses hold a raft of personal data and other information, but what makes them more attractive targets is the nature of the data they hold and the celebrity or wealth of a high proportion of their clientele. Individuals with a high and public profile (whether a celebrity, social influencer, or business leader) attract strong interest in their personal data. The exclusivity and affluence associated with luxury brands is what makes them high-profile and frequent targets: the information they collect is incredibly valuable.
Luxury brands as attractive targets
Not only is understanding the range of personal data and other information held by luxury brands essential to appreciate just why a brand house is a prime target for cyber-attack, but also to devise and implement suitable data policies, procedures, protections, and protocols. There are three key types of personal and business data of particular significance for luxury brand houses:
- Personal data (which may also include sensitive or health information);
- Product data (which may be linked to a particular owner); and
- Intellectual property (IP).
Personal data: The personal data that luxury brands collect from their clientele is usually extensive and is becoming increasingly detailed. Brand houses have the resources to push the technological envelope of retail. Their clientele demand increasingly personalised product and service offerings and sales experiences, and the vast majority (around 85%) of luxury brand sales come from clientele already registered in their databases. The personal data (including sensitive information) collected, held, used, stored, and shared by luxury brands can be broken down into a range of categories, namely:
- Basic retail information including a data subject’s name, address, phone numbers, email addresses, purchase history, memberships etc.;
- Specific transactional and purchasing information such as credit card details, banking details, identity documentation, biometric information, photographs, and video imagery etc.;
- Profiling information like product and sales experience preferences, usage preferences, family information, health details, research/survey answers, social media interactions etc.; and
- Industry-specific data depending on the product or service being offered. For instance, a hotel chain will collect guest dietary, disability, health, and location information; luxury car brands will collect vehicle telemetry etc.
Personal data constitutes a serious competitive advantage, enabling brands to identify and connect with their consumers, open new markets, understand different purchasing behaviours, and build long-term engagement. The South Korean unit of the French luxury brand Chanel has already faced an attack related to its customers’ personal data. According to a statement from Chanel, there was a leak of personal data, including customer names, birth dates, phone numbers, and purchase histories.
Next to the retail sector, another attractive sector for cyber criminals regarding personal data is the hospitality industry. Hospitality businesses are digital treasure troves as they keep a massive amount of personal, sensitive information about millions of guests under their control each and every day. According to forecasts from the World Tourism Organisation – the United Nations’ specialised agency responsible for the promotion of responsible, sustainable, and universally accessible tourism – we can expect a significant increase in international tourist arrivals, up to 1.8 billion by 2030, meaning the ways in which hospitality organisations manage customer data are far more important than ever before.
Further, with technological advancements increasing at a rapid rate, and with almost every step of the advertising, sales and post-sales service being electronic (or personal contacts being tracked or reviewed and then reduced to computerised form) there may be a significant amount of additional data tied to a client profile. For example, heat-mapping of the in-store retail experience to determine where a client spends the most time browsing; client tracking to trace browse times; and camera/video to capture client facial expressions.
Without downplaying the base-level legal necessity to protect personal data in accordance with relevant privacy laws, it is also the case that the clientele of luxury brands value privacy, exclusivity, anonymity, and personal safety. Loss of personal data for this type of clientele can be incredibly damaging – financially, reputationally, professionally and personally.
Product Information: Many luxury brands have a wealth of industry- or product-specific information which – although not necessarily tied back to a client – would still be incredibly damaging to the brand house if lost, taken by a cybercriminal, or otherwise compromised.
For example, anti-counterfeiting data is a key asset: luxury products are often individually verified, tracked, and monitored, and the brand’s databases hold purchasing histories, unique product identifiers, store stockholdings, shipping, and other tracking information. If these databases are compromised or rendered inaccessible, the ability to verify a genuine product is lost and its value or worth may be eroded. Worse, if these databases were sold to counterfeiters and the verification codes are stored in a form that can simply be copied, the unique product codes could be replicated and counterfeits would show up as genuine products when checked.
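The replication risk in the paragraph above depends on what the verification database actually stores. The following is an added example (not the article’s own material, nor any brand’s real system) contrasting a naive scheme, where the stored value is the scannable code itself, with a hardened one that stores only a keyed digest of a high-entropy per-product secret. The serial format, the `SERVER_PEPPER` value and the record layout are assumptions made for the example; the pepper stands in for a key kept outside the database (for instance in an HSM or cloud KMS).

```python
"""Product-authentication records that stay useless to a counterfeiter
after a database leak.

Added example for this article, not any brand's real system. The serial
format, the pepper value and the record layout are all assumptions.
"""
import hashlib
import hmac
import secrets

# Assumed: a server-side key ("pepper") held outside the product database,
# e.g. in an HSM or cloud KMS. Constructed value for the example only.
SERVER_PEPPER = bytes.fromhex("5c9f0e7a1b2d3c4e5f6a7b8c9d0e1f20")


def _split(product_code: str):
    """Scannable codes are 'SERIAL:SECRET'; the serial is printed openly,
    the secret sits under a scratch panel or inside the tag chip."""
    serial, _, secret = product_code.partition(":")
    return serial, secret


# --- Naive scheme: the stored value is the scannable code ----------------

def issue_naive(db: dict, serial: str) -> str:
    """Store the secret in clear. Anyone holding a dump of `db` can print it."""
    secret = secrets.token_hex(16)
    db[serial] = secret
    return f"{serial}:{secret}"


def verify_naive(db: dict, product_code: str) -> bool:
    serial, secret = _split(product_code)
    return hmac.compare_digest(db.get(serial, "").encode(), secret.encode())


# --- Hardened scheme: store only a keyed digest of the secret -------------

def _digest(serial: str, secret: str) -> str:
    # HMAC keyed with the pepper: a leaked table cannot be brute-forced
    # offline without the key, and a 128-bit secret cannot be guessed online.
    msg = f"{serial}:{secret}".encode()
    return hmac.new(SERVER_PEPPER, msg, hashlib.sha256).hexdigest()


def issue_hardened(db: dict, serial: str) -> str:
    secret = secrets.token_hex(16)          # 128 bits of entropy
    db[serial] = {"digest": _digest(serial, secret), "scans": 0}
    return f"{serial}:{secret}"


def verify_hardened(db: dict, product_code: str) -> bool:
    serial, secret = _split(product_code)
    record = db.get(serial)
    if record is None:
        return False
    ok = hmac.compare_digest(record["digest"].encode(),
                             _digest(serial, secret).encode())
    if ok:
        # Counting successful scans per serial lets the brand notice a
        # genuine code being cloned and presented many times.
        record["scans"] += 1
    return ok


# --- What a counterfeiter can do with a stolen table ----------------------

def forge_from_leak(leaked_db: dict, serial: str) -> str:
    """Print a code from whatever the leaked table holds for `serial`."""
    stored = leaked_db[serial]
    value = stored if isinstance(stored, str) else stored["digest"]
    return f"{serial}:{value}"


def demo() -> dict:
    """Issue one genuine code under each scheme, then try to verify a code
    forged purely from a copy of each database."""
    naive_db, hardened_db = {}, {}
    genuine_naive = issue_naive(naive_db, "CH2021000123")
    genuine_hard = issue_hardened(hardened_db, "CH2021000123")
    return {
        "genuine_naive": verify_naive(naive_db, genuine_naive),
        "genuine_hardened": verify_hardened(hardened_db, genuine_hard),
        # The attacker holds a copy of each database and nothing else.
        "forged_naive": verify_naive(
            naive_db, forge_from_leak(naive_db, "CH2021000123")),
        "forged_hardened": verify_hardened(
            hardened_db, forge_from_leak(hardened_db, "CH2021000123")),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:18s} verifies: {passed}")
```

The hardened scheme does not stop a counterfeiter cloning a code read off a genuine product; that is what the per-serial scan counter is for. What it does remove is the scenario in the text: a leaked table no longer contains anything that verifies.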
As technology continues to advance, luxury brand houses may also deal in non-fungible tokens and/or cryptocurrencies. These assets are controlled by private keys: if a key is lost, stolen, or otherwise compromised, the items it controls may be completely irrecoverable, since there is no issuer able to reverse the transaction.
Intellectual Property: The IP held by luxury brands and residing in their products is a large part of their value proposition. This IP may relate to existing and future products. The integrity, exclusivity, and likely profitability of luxury brands would be harmed if their IP was mishandled through unauthorised access or disclosure. Again, the type of IP held by a luxury brand may be industry- or product-specific. Fashion brands (in the broad sense) rely heavily on the innovation of their designs and on being “first to market” with product ranges. The relevant IP for fashion houses relates to upcoming designs, prototypes, next season’s patterns, and so forth. Were this IP taken and disclosed in advance of the launch, it would decimate any exclusivity of the range.
Products that are technically superior or advanced (e.g. timepieces, vehicles, electronics, cosmetics, and health/wellness products) possess valuable IP in relation to production processes, ingredients, mechanical movements, software, and hardware. This IP can be incredibly attractive to more low-cost (and disreputable) competitors. If the IP is not or cannot be protected by copyright, patent, or design rights, then once in the market, anyone can copy and profit from it.
Digital security and reducing data risks
A data breach can seriously damage a luxury brand’s image. Ultimately, prevention and mitigation are the best safeguards when it comes to cybersecurity. Once a luxury brand house understands the full scope and extent of the personal data and other information it holds, it can then take specific, deliberate, and informed steps to reduce its attractiveness as a cyber target.
While specific measures will depend on the nature of an organisation, luxury brands would benefit from enhanced investment in cybersecurity. Below are several examples of practical steps that all businesses can generally take to improve digital security:
- Technical audits: Regular audits should be undertaken to fully understand an organisation’s data, hardware, devices, systems, and personnel. Organisations should always seek to identify their vulnerabilities.
- Supply chain review: Organisations should review their supply chain to consider what measures key suppliers have taken, what contractual obligations the supplier has, and what rights there are against them. Also, do suppliers have access to data beyond what they need?
- Cybersecurity policies and processes: Designated incident management teams and a practical response plan should be established to mitigate damage and minimise business disruption. There should be policies and procedures which cover, among others, data and system security, regulatory and compliance issues, business continuity plans, security monitoring, cyber incident response plans, and incident logs.
- Lastly, organisations can also seek certification against an information security standard such as ISO/IEC 27001. Certification adds credibility by demonstrating that an organisation, or its products or services, meets a prescribed set of information security management requirements.
Despite the temptation to collect all and any available data from and about its clientele, luxury brands should critically analyse “what” type and extent of personal data and other information is actually necessary (or reasonably necessary) for it to achieve its business functions. For instance, personal data should only be collected from the individual directly (where possible); personal data should only be used, accessed, and analysed by employees and/or trading partner affiliates who have a ‘need to know’ (and even then, only to the extent necessary); and data should be periodically, routinely – and securely – archived, purged, de-identified or destroyed in accordance with relevant data retention periods for each jurisdiction in which the business operates.
Not all security incidents are significant, and many can be handled by Information Technology (IT) departments. When a serious event occurs, however, it is important to refer to the response plan and pull together the response team. The most challenging events can take many forms, such as ransomware, data theft, phishing and spoofing scams, social engineering, and wire transfer fraud, and each requires a different response. In all cases, IT teams will need to contain the incident as soon as possible. This step may require taking affected accounts and systems offline, and using alternative methods of communication (in case corporate email is itself compromised) until there is confirmation that the environment is no longer at risk. Gather facts and avoid panic or the urge to make public statements before clearly determining what has happened. Depending on the incident, an organisation may ultimately need to engage a third-party forensic expert to determine what occurred and to confirm that the attackers no longer have access to the company’s systems.
Consequences for non-compliance: A cross-jurisdictional analysis
Luxury leaders can experience severe consequences if they fail to comply with the requisite data standards. For example, in July 2019 the ICO announced its intention to fine British Airways, the UK flag carrier, £183 million (around $230 million) for a 2018 cyber-attack that leaked customer data, including names, billing addresses, email addresses, and payment information (including bank card numbers, expiry dates and, for some customers, CVV codes); the final penalty, issued in October 2020, was reduced to £20 million (around $26 million). Two years later, in July 2021, a €746 million (around $886 million) fine was imposed on Amazon by the Luxembourg data protection authority for alleged breaches of its duties under the GDPR.
Businesses that are covered by the Australian privacy legislation have an obligation to notify both the Office of the Australian Information Commissioner and affected individuals on the occurrence of any ‘eligible data breach’. An ‘eligible data breach’ occurs where:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal data;
- This is likely to result in serious harm to the affected individual/s; and
- The business is unable to prevent the likely risk of serious harm by way of remedial action.
While it is the case that the business has some control over the content and narrative of its communications to affected individuals, the mandated publication of the circumstances of a data breach incident can have serious and sustained implications for brand loyalty, reputation, and trust.
From the legal perspective, reducing the risk of personal data leaks is strongly connected to GDPR compliance. The GDPR applies to organisations established in the EU and, under its extraterritorial scope (Article 3(2)), to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there. For example, if a non-EU luxury leader conducts e-commerce activities targeted at the EU, such as offering its products in Polish and then selling and delivering them to Poland, it would be required to comply with the GDPR.
The GDPR sets out general principles which must be implemented. It requires businesses which collect personal data to do so accurately, to keep the data up to date, and to process it in a lawful manner which is fair and transparent with respect to the data subject. Processing must be limited to specified, legitimate purposes which are explicitly communicated to the data subject, and data may be retained only for as long as is necessary for those purposes. By complying with the GDPR’s requirements, luxury leaders can ensure that they properly implement the principles of security, integrity, and confidentiality. Furthermore, under the GDPR, data subjects who have disclosed their personal data to a company retain a degree of control over it, since the GDPR guarantees them specific rights. All clients, customers, suppliers, or contractors enjoy the following rights: the right to be informed; the right to access their data; the right to rectify their data; the right of erasure; the right to restrict processing; the right to data portability; and the right to object to data processing.
Note that the GDPR can expose brands with weak security systems, since businesses are required to notify the competent supervisory authority of a personal data breach no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected individuals must also be informed without undue delay. The GDPR therefore mandates that businesses act with transparency, urgency, and honesty when dealing with data breaches.
There is no single cybersecurity law in the UK. Rather, it is a patchwork of cybersecurity, privacy, and national security legislation. A large square on the patchwork is the Data Protection Act 2018 (DPA), which sits alongside and supplements the UK GDPR governing the processing of personal data. The UK GDPR shapes how businesses assess, mitigate, and treat cybersecurity risks. It specifically requires organisations to implement “appropriate technical and organisational measures” to secure the personal data they process. Given the global scale of many luxury brands, it is also important to consider the extraterritorial effect of international laws.
The ICO has the power to issue sanctions for breach of the UK GDPR and DPA including warnings, compliance orders, bans on processing data, and fines. The maximum fine is £17.5 million or 4% of annual global turnover, whichever is greater. Significant breaches can therefore cost an organisation millions of pounds. Apart from financial penalties, other direct costs include potential lawsuits, compensation to customers, and the recovery of any lost data. Indirect losses can include reputational damage and loss of consumer and supplier trust.
The US does not have a single primary data protection law for personal information. Instead, numerous federal, state, and local laws contain data privacy and security requirements. At the federal level, there are specific laws protecting personal information related to health, finances, children, education records, consumer credit and other data. All of the 50 US states and the District of Columbia have their own general data breach notification laws with different definitions of what constitutes personal information, what is a breach, how much time you have to report a breach to affected individuals and authorities, and what the breach notification must contain.
The general state laws regarding personal information likely have the most impact on luxury brands, since they typically do not have the sector-specific personal information covered by federal laws. So, when there is a data security incident compromising personal information, luxury brands must go through each of these state laws and determine whether they require notification and the means of delivering it.
Some states may require notification while others do not for the same incident. The definition of personal information is narrower in the US than in the UK and EU and typically involves name plus social security number, passport number, financial account access information and other sensitive information. But there are inconsistencies. For example, name plus date of birth is deemed personal information in some states but not others. Some states have a specific time to report a breach and others do not.
Other inconsistencies include some states that require companies to report how an incident occurred, while Massachusetts, for example, prohibits informing affected individuals about the nature of the incident in the notification letter. Nevertheless, it is possible to put together one or two notification communications to affected parties that check all the boxes even in the event of a nationwide breach. Affected companies should also be aware of obligations imposed by credit card brands to protect credit card information and report breaches.
What can luxury brands do to protect themselves?
Prevention is better than cure when it comes to cybersecurity. Organisations should have policies in place to deal with data breaches. Should a breach occur, a business continuity plan will help to minimise any disruption to the businesses. A cyber incident response plan will also help to mitigate any breach. An incident log and review process will help monitor cyberattacks, identify any vulnerabilities, and be useful for evaluating lessons learned.
From an accountability perspective, a new role of Chief Information Security Officer could be created, tasked with leading the approach to cybersecurity and working closely with the legal and privacy teams. Clear roles and responsibilities are vital to cyber resilience. It is also important to raise awareness of cyber risks. Staff should be trained, continually reminded of the risks, and encouraged to report any suspicious activities. Third-party suppliers should be fully incorporated into both detection and response measures.
Given the crisis scenario of a “live” attack and the potential for widespread damage, many organisations are turning to penetration testing of systems and cyberattack simulations to identify vulnerabilities and test responses in a controlled environment. These are useful exercises provided that any vulnerabilities and issues identified are promptly addressed. Each incident is an opportunity to learn which practices limit harm the next time. Evaluate whether the team responded appropriately and whether additional resources are needed to prevent similar events in the future. Many nuances will affect the right actions in each case. Not every incident is a catastrophe, but any incident is worse if no plan is in place.
The authors are members of the global law firm network Multilaw. They thank Hayley Grammer, business and communications executive at Multilaw, for her editing assistance with this article.
Paul Kirton is legal practice principal and director, commercial, and Kelly Dickson is a managing principal lawyer, commercial, at Australian law firm Macpherson Kelley.
David L. Rice is a partner in Miller Nash’s Seattle office.
Oliver Kidd is a partner and Jenny Wright is a trainee at UK firm Penningtons Manches Cooper.
Aleksandra Bączykowska is an advocate and Klaudia Kacprzyk is a lawyer with Polish law firm WKB Lawyers. Yuliia Petrenko is working at WKB as part of the firm’s Ukrainian secondment program.