It’s almost unthinkable that these days, in an era of backups and cloud and data security and all the weird and wonderful mechanisms, systems, cyber-speak etc. that we have all come to take for granted as part of normal business operations, it might still be possible to accidentally delete a commercial website or, indeed, a number of them belonging to different businesses… Yet courtesy of an incredibly simple command inadvertently sent to a couple of servers hosting a substantial number of corporate websites, that is exactly what happened last week.
The attached article tells the astonishing and quite troubling tale of what happened to the web-hosting business 123-reg when an error made during server maintenance activity resulted in the digital erasure of a currently unspecified number of commercial websites that it was responsible for hosting. There was also no automatic backup in place unless 123-reg’s customers had themselves made separate arrangements, or paid 123-reg an extra fee for a backup service – although customers were reportedly warned of the absence of this protection when they signed up with the hosting business. Those affected businesses have been left without a website to trade from.
What can be learned from this? Well, it now sounds rather self-evident to point out that businesses should regularly back up the data that they hold. This is not just to insure against the online trading-paralysis experience that a number of 123-reg’s customers suffered. It’s also so that you can ensure you meet your legal obligations to your customers in the event of a data loss, especially where that data is their data.
Under the UK data protection laws, the amount of personal data that businesses must legally process and store in a safe and secure environment is now very substantial. So it’s vital to ensure that you have a safety net in case your normal method of recording and storing that data fails.
Where a data loss occurs, you need to move quickly to assess what action should be taken to remedy the breach, and whether it’s the type of breach that should be reported to the Information Commissioner’s Office (ICO). There’s no legal requirement to report a data loss to the ICO, but the ICO recommends that it is notified of all serious breaches. What’s a serious breach? There’s no hard and fast rule, largely in recognition that data takes many forms these days and there are lots of different ways to store and protect it. So whilst it’s not ideal, you’ll have to assess any loss according to the particular circumstances that have arisen. The ICO has published some guidance to help you, and if you conclude that you’re looking at something quite serious, it would be wise to take advice from a legal expert. Here’s the ICO’s guidance: https://ico.org.uk/media/for-organisations/documents/1536/breach_reporting.pdf
Better still, it’s worth taking a look at that guidance now, so you can ensure you’re getting it right today.
Why does it matter to get this right? The ICO can issue a fine of up to £500,000 for a serious breach of the Data Protection Act. Following the ICO’s guidance can help you to avoid this.
It’s not yet clear whether 123-reg will face a penalty for the accidental deletion of these websites. But it’s unsurprising that whatever action the ICO might take, there’s already a queue of angry business customers losing sales daily, who are lining up at 123-reg’s door.
Web hosting firm 123-reg has accidentally deleted an unspecified number of its customers' websites. The company, which hosts 1.7m sites in the UK, said an error made during maintenance "effectively deleted" what was on some of its servers.