1. We await the outcome of the ICO investigation into the TalkTalk cyber-attack and data breach, and note the comment from the ICO that the time taken for the investigation is partly due to the international dimension to the investigation. We accept this, but regret that, some eight months after the breach, customers are no closer to a clear understanding of what happened. Although the Information Commissioner did not complain about lack of capacity, it seems evident that 30 enforcement staff are not enough to handle 1,000 cases and almost 200,000 public concerns a year, even if the vast majority of cases are found not to warrant detailed investigation. We suggest that the new Information Commissioner make an assessment of resources and priorities as soon as possible. (Paragraph 11)
2. However, it is important that TalkTalk publish as much of the PWC investigation as commercially possible without delay, and set out how they will implement any necessary changes. (Paragraph 12)
3. There needs to be a step change in consumer awareness of on-line and telephone scams. The Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing. All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms. (Paragraph 14)
4. It is appropriate for the CEO to lead a crisis response, should a major attack arise. But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack. To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board. (Paragraph 16)
5. The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine. We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and app development and a mandatory part of developer training, with existing development staff retrained as necessary. (Paragraph 18)
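To make concrete what a ‘plain vanilla’ SQL attack is, and how little security by design it takes to rule one out, the following is an added illustration in Python; it is not code from the Committee’s report or from any company named in it. It runs a customer lookup written by string concatenation beside the parameterised form, against a constructed in-memory SQLite table with made-up customer rows. The table name, column names and sample data are assumptions for the demonstration.

```python
"""
Added example: a textbook SQL injection beside its security-by-design fix.
Not code from the report; the customers table and its rows are constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [
            ("alice@example.com", "0123 456 789"),   # constructed
            ("bob@example.com", "0987 654 321"),     # constructed
            ("carol@example.com", "0555 000 111"),   # constructed
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the SQL by concatenation: whatever the user types becomes part
    of the statement, so a quote in the input changes the query's structure."""
    query = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the statement text is fixed and the value travels
    separately, so the input is only ever compared as data, never parsed as SQL."""
    query = "SELECT email, phone FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
# In the vulnerable function the resulting SQL is
#   SELECT email, phone FROM customers WHERE email = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"


def demo() -> tuple:
    """Return (rows leaked by the vulnerable lookup, rows returned by the fixed one)."""
    conn = build_db()
    # Ordinary use: both functions give the same answer for a real address.
    assert lookup_vulnerable(conn, "bob@example.com") == lookup_hardened(conn, "bob@example.com")
    dumped = lookup_vulnerable(conn, PAYLOAD)   # the WHERE clause is always true: every row leaks
    blocked = lookup_hardened(conn, PAYLOAD)    # no customer has that literal string as an address
    return len(dumped), len(blocked)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The fix costs one line and no extra infrastructure, which is the point the paragraph makes: a breach through this kind of flaw reflects a missing development practice rather than a sophisticated adversary. The same discipline (bound parameters, never string-built SQL) applies to every driver and ORM, and is the sort of item that belongs in the mandatory developer training the Committee recommends.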
6. In major organisations, where the risks of attack are significant, the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach. (Paragraph 20)
7. Telecoms companies should clarify this point in simple language for consumers, so that they can make an informed choice when choosing a service or product. (Paragraph 23)
8. We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process. (Paragraph 25)
9. All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers. (Paragraph 26)
10. Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber-ransom demands. (Paragraph 30)
11. The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs. (Paragraph 33)
12. The ICO should introduce an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach. At present the ICO can only issue a fixed fine of £1,000 for failure to report a data breach. There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications. (Paragraph 34)
13. We concur with the ICO, that whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences. We therefore support the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data. (Paragraph 37)
14. Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
(i) Staff cyber-awareness training;
(ii) When their security processes were last audited, by whom and to what standard(s);
(iii) Whether they have an incident management plan in place and when it was last tested;
(iv) What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
(v) The number of enquiries they process from customers to verify authenticity of communications;
(vi) The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place. (Paragraph 38)
15. There is an urgent need for a mechanism that is easily understood by consumers in order to maintain consumer confidence and inform consumer choices. We therefore support the ICO’s plan to create a privacy seal, to be launched later this year, which would be awarded to entities which demonstrate good privacy practice and high data protection compliance standards. It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress, and which have yet to take the issue seriously. (Paragraph 39)
16. Nevertheless, the ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors. (Paragraph 40)
17. The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. (Paragraph 41)
© Parliamentary copyright 2015
17 June 2016