European Data Protection Digest

DPA Warns Retailers

DATA PROTECTION—UK

August 12, 2011

The Information Commissioner's Office (ICO) has announced that cosmetics retailer Lush will not be fined for a breach that compromised the payment data of approximately 5,000 customers over a four-month period. According to an ICO news release, the company is instead required to "sign an undertaking" committing it to comply with the Payment Card Industry Data Security Standard (PCI DSS). Some are criticising the ICO for not fining the company, but the ICO's Sally-Anne Poole said, "This breach should serve as a warning to all retailers that online security must be taken seriously and that the PCI DSS or an equivalent must be followed at all times." According to an OUT-LAW.COM report, the ICO has warned that companies that fail to adhere to the PCI DSS "or provide equivalent protection" risk enforcement action.