The Times
3 December 2015
Jingle bells or alarm bells? Digital shopping is dangerous for consumers
but they themselves must take responsibility
The nights are drawing in, Christmas is coming, and retailers are getting fat on the back of
Black Friday and Cyber Monday, which boosted annual high street sales this year to record
levels. Of course, sales initiatives like these also allow retailers to increase their collection of
personal data, offering a window to the lives of their customers and their buying habits. So, is
it jingle bells or rather alarm bells that consumers should have ringing in their ears?
The various touch points for data transfer to retailers are now quite staggering — from store
loyalty cards to more covert monitoring such as using the GPS signal on our mobile phones
to monitor which aisles we spend most time in at the supermarket. It’s become all too easy
for us to be parted from our personal data, often without realising it. What makes this trend
more worrying is how we often rely on the same information as “keys” to access our bank
accounts and other private aspects of our lives.
So while retailers will undoubtedly want our data for their own legitimate commercial
purposes, cyber criminals are on the lookout for it too. Personal data is big business on
the black market and worth a fortune in the wrong hands — increasing the risks of
conducting business online.
Perhaps most surprising, then, is that the risks we need to be alert to but regularly miss are
not new. Many will be familiar to consumers. It’s the new ways that technology allows them
to manifest that often catch us unawares.
Crime is a good example. There are now frequent, almost daily reports of retailers’ websites
coming under attack from cyber criminals. Such encounters are generally followed by
social-engineering scams, in which fraudsters use stolen data to impersonate retailers, win
customers’ confidence and then trick them into transferring money into fake bank accounts.
Retailers undoubtedly have a part to play to keep us safe when harvesting our personal
information. They are obliged to take all technically appropriate steps to protect us but,
worryingly, the law doesn’t specify what “appropriate” means. The rationale for this is it
allows companies flexibility to decide, but increasingly this approach is being shown to be
flawed. The regularity of data theft tells us so. Inconsistency and uncertainty are the result.
For retailers this has to be a serious concern for the boardroom; get it wrong and significant
reputational damage and liabilities will be lurking around the corner.
The bottom line, though, is that consumers have also got to start taking more responsibility
for the protection of their digital assets. It’s a two-way street. More care about to whom they
give their personal information and the purposes for which they agree it can be used is the
place to start. Ensuring that internet security systems on PCs and smart devices are
up-to-date, while also being more alert to decoy websites set up by fraudsters are important basic
measures. Only through taking such steps routinely themselves do consumers stand a chance
of keeping the criminals in check. The battle cannot be won by retailers on their own.
Ed Lewis is a partner in the insurance and reinsurance team and Kurt Rowe is
an associate in the market affairs group of Weightmans LLP