Cyber Security: Protection of Personal Data Online: Information Commissioner’s Response to the Committee’s First Report of Session 2016–17

Fourth Special Report

The Culture, Media and Sport Committee published its First Report of Session 2016–17, on Cyber Security: Protection of Personal Data Online, HC 148 on 20 June 2016. The Information Commissioner’s response was received on 12 October 2016 and is appended to this report.

Appendix: Information Commissioner’s response

1.The Information Commissioner welcomes the Culture, Media and Sport Committee (“the Committee”) report into cyber security and the protection of personal data online. Ensuring organisations have appropriate security in place to protect the personal data they hold from theft, loss or accidental destruction is a key principle of data protection law, serving to ensure the public can transact safely and access public services with confidence.

2.The Committee heard evidence prior to the United Kingdom voting to leave the European Union. The report makes a number of references to the EU General Data Protection Regulation (“the GDPR”) which is due to come into force on 25 May 2018. The Information Commissioner has been clear that is important that the uncertainty about implementation of GDPR is resolved as soon as possible. She is in active discussions with Government, making the case for a progressive data protection regime which protects individuals from harm and supports the growth of a strong digital economy.

3.The Information Commissioner wishes to draw the Committee’s attention to those aspects of the GDPR which will help to protect personal data online, namely mandatory security breach reporting, embedding a risk-based approach within organisations through the use of data protection impact assessments, data protection by design, a focus on industry codes of practice and a stronger enforcement regime. Overall, the GDPR provides an enhanced regime to make organisations accountable for their use of personal data.

4.Recommendation 1

We await the outcome of the ICO investigation into the TalkTalk cyber-attack and data breach, and note the comment from the ICO that the time taken for the investigation is partly due to the international dimension to the investigation. We accept this, but regret that, some eight months after the breach, customers are no closer to a clear understanding of what happened. Although the Information Commissioner did not complain about lack of capacity, it seems evident that 30 enforcement staff are not enough to handle 1,000 cases and almost 200,000 public concerns a year, even if the vast majority of cases are found not to warrant detailed investigation. We suggest that the new Information Commissioner make an assessment of resources and priorities as soon as possible (Paragraph 11).

5.The Information Commissioner understands TalkTalk customers, and the Committee, want a clear understanding of what happened in this particular case. The outcome of the investigation was announced on 5 October—TalkTalk have been issued with a monetary penalty of £400,000 for a serious contravention of the Data Protection Act. The investigation concluded that an attack on the company in October 2015 could have been prevented if TalkTalk had taken basic steps to protect customers’ information. The Information Commissioner’s press release stated:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

She went on to say: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”1

6.As an organisation committed to transparency the ICO publishes a wide range of information about concerns reported to us by the public, self-reported security breaches and the outcome of our enforcement action.

7.In terms of resources, the statement in paragraph 11 of the report to the effect that the ICO has only 30 enforcement staff handling 1,000 cases and 200,000 concerns, does not accurately reflect the resources available to the Commissioner. The ICO has a number of operational teams investigating and addressing a wide range of information rights concerns. As of 31 March 2016 the ICO had 442 permanent staff (409 full-time equivalents), with ~60 of those working within our enforcement department. In order to further bolster the ICO’s capabilities to address cybersecurity incidents a new technical investigations team is currently being recruited.

8.The Information Commissioner has a wide variety of regulatory tools she may draw upon to respond to the threats presented in an effective and proportionate way. These tools range from providing advice, carrying out audits and producing guidance through to issuing enforcement notices, levying fines and prosecuting offences where these are provided for. The new Information Commissioner, Elizabeth Denham, took up her post in July 2016—one of her first tasks has been to make an assessment of resources and priorities at the ICO. The Information Commissioner will make further changes to organisation and resourcing in priority areas if this is required and is confident that further resources can be channelled to support the ICO’s investigations and guidance into cyber security.

9.Recommendation 5

The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine. We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary. (Paragraph 18)

10.We recognise the importance of our fining powers in helping to create a regulatory environment that encourages organisations to adopt good practices whilst deterring poor ones. The Information Commissioner is already obliged under the Regulators’ Code2 and through her data protection regulatory action policy3 to adopt a proportionate, risk-based approach when deciding whether to take enforcement action and on what terms. Further, Section 55C of the Data Protection Act creates a statutory obligation for the Commissioner to prepare and issue guidance on her power to issue a monetary penalty notice, addressing in particular the circumstances in which it will be appropriate to issue a penalty and how the amount of the penalty will be determined.

11.An organisation will generally not be liable for a fine in the event they have taken reasonable steps to prevent the contravention in question. At paragraph 32 of our guidance4 we explain the circumstances in which we are more likely to consider whether reasonable steps have been taken. We emphasise the importance of appropriate polices, practices and procedures; the need for good governance with clear lines of responsibility; the use of risk assessment; and the importance of following guidance and codes of practice. Our guidance also describes the matters the Information Commissioner will take into account when determining the amount of a monetary penalty, and this includes whether the contravention was a “one-off” or part of a series of similar contraventions.

12.Looking ahead to the GDPR, it is a requirement under Article 83 for any fines levied to be “effective, proportionate and dissuasive” taking into account the circumstances of the individual case. The Regulation sets out a number of factors the ICO must have regard to when fining an organisation, namely: the nature, gravity and duration of the infringement; whether the infringement was intentional or negligent; any action taken to mitigate the damage individuals suffer; the degree of responsibility taking into account the measures that have been implemented; whether there have been any previous infringements; the degree of cooperation with the ICO; the categories of data affected; the manner in which the infringement became known (including whether the ICO had been notified); whether corrective measures previously ordered have been complied with; adherence to approved codes of conduct or certification mechanisms; and any other aggravating or mitigating factor, such as financial benefits gained or losses avoided.

13.The ICO has long-advocated that organisations adopt privacy by design principles as a means of identifying and addressing data protection and privacy risks at an early stage. A requirement to consider data protection by design is included in the GDPR. Our code of practice on conducting privacy impact assessments5 provides practical advice and guidance for organisations.

14.We have also published a wide range of advice and guidance covering relevant issues such as a practical guide to IT security for SMEs6, privacy in mobile apps for developers,7 cloud computing,8 IT asset disposal,9 bring your own device (BYOD),10 learning from the security mistakes of others11 and encryption.12

15.The importance of training as a component of good security and data protection governance is recognised—training and awareness are core components of the audits the ICO undertakes. The Information Commissioner is currently running a project to investigate how data protection can be embedded into the higher education curriculum, including IT and computer science courses. The aim of the project will be to produce teaching materials to be used in these courses, with the aim of equipping the future workforce with better knowledge.

16.Recommendation 8

We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process. (Paragraph 25)

17.The Information Commissioner understands that victims of data breaches want, and should be entitled to, appropriate redress in the event that they suffer detriment as a result of a security breach. We recognise that appropriate redress does not necessarily mean financial compensation, but could take other forms such as an ability to withdraw from an ongoing contractual arrangement.

18.Our helpline currently provides advice to the public on their rights under the Data Protection Act, and we publish guidance on claiming compensation.13 We are supportive of other organisations providing the practical advice and support that individuals may need in order to successfully pursue a claim through the civil courts. The Information Commissioner is willing to work with other organisations in developing their guidance.

19.The Committee may wish to note Article 80 of the GDPR will create provision for not-for-profit organisations active in the field of protecting individuals’ data protection rights to lodge complaints or seek judicial remedies on an individual’s behalf. This provision has the potential to help address any asymmetry of power that may exist between an individual and an organisation.

20.The ICO does not have jurisdiction to award compensation under the Data Protection Act, or the GDPR. Individuals can pursue their claim through the Courts. In the Information Commissioner’s view it would not be appropriate for her to conduct a review of the redress provided by the small claims process but she is supportive of such a review taking place and would be willing to provide input into a government review.

21.Recommendation 11

The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisation, not just telecommunications companies and ISPs. (Paragraph 33)

22.We have produced guidance for organisations on notifying security breaches14 and data security breach management.15 Our guidance explains when a breach should be notified, and the process for doing so. Currently we recommend that a breach is made public where it is clearly in the interests of the individuals concerned, or if there is a strong public interest argument to do so. The requirement under Article 34 of GDPR will be for organisations to communicate the breach to the affected individuals without undue delay where that breach is “likely to result in high risk to the rights and freedoms of natural persons”. We are actively updating all of our existing advice and guidance to reflect the requirements of GDPR.

23.We recognise that when a data breach occurs there may be a number of difficult decisions an organisation needs to make in pressured circumstances. It is important that organisations undertake contingency planning in order to think through what their response will be in the event they face having to deal with a breach. We are working closely with government officials and law enforcement to ensure organisations have a range of good quality, practical advice and guidance they can refer to.

24.Recommendation 12

The ICO should introduce an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach. At present the ICO can only issue a fixed fine of £1,000 for failure to report a data breach. There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications. (Paragraph 34)

25.As set out at paragraphs 10–11 above, the Information Commissioner takes into account a wide range of factors when deciding whether to impose a penalty and the amount. At paragraph 56 of our monetary penalties guidance we state that a relevant factor includes “what steps, if any, the person had taken once they became aware of the contravention (for example, concealing it, voluntarily reporting it to the Commissioner, or not taking action once the Commissioner or another body had identified the contravention).”

26.It should be noted that our ability to issue a £1,000 fixed-penalty for failing to report a breach within 24 hours applies only in relation to communication service providers under the statutory regime set out in the Privacy and Electronic Communications Regulations (PECR). This reporting requirement derives from the ePrivacy Directive16 which is currently being reviewed by the European Commission.

27.Under GDPR the manner in which the infringement became known is specifically identified as a factor the ICO should have regard to when issuing a fine. Article 33 will require notification without undue delay and, where feasible, within 72 hours of it being discovered. Organisations will be required to explain the reasons for any delay if they fail to report the breach within 72 hours.

28.Recommendation 13

We concur with the ICO, that whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences. We therefore support the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data. (Paragraph 37)

29.We welcome the Committee’s recommendation that Sections 77 and 78 of the Criminal Justice and Immigration Act be brought into force—we have long called for this stronger deterrent to be in place. Numerous parliamentary committees have also recommended their commencement—based on a pressing need to strengthen the existing enforcement regime. These include the Joint Committee on the Draft Communications Data Bill, both the House of Commons Justice and Home Affairs Committees. Lord Justice Leveson also recommended this in his report on the culture, practices and ethics of the press.

30.The need for the introduction of custodial sentences as a means to reflect the seriousness of the offence is being brought into increasing focus as a result of the recent Advocate General’s opinion in case C-698/15 Secretary of State for Home Department v Tom Watson and Others. In the event that the CJEU follows the opinion of the Advocate General, the Information Commissioner’s ability to access communications data will be compromised by virtue of the fact that the offence of unlawfully obtaining and selling personal data does not currently meet the serious crime threshold. The Information Commissioner has written to the Minister of State for Digital and Culture to make him aware of this fact.

31.Recommendation 14

Organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:

i)staff cyber-awareness training;

ii)when their security processes were last audited, by whom and to what standards;

iii)whether they have an incident management plan in place and when it was last tested;

iv)what guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;

v)the number of attacks of which they are aware and whether any were successful (ie actual breaches).

Such reporting should be designed to help ensure more proactive monitoring of processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.

32.Organisations should be accountable to regulators—and the public—for the steps taken to ensure good cybersecurity and the protection of personal data. The Information Commissioner is supportive of a framework that creates a requirement for organisations to be accountability for their data protection governance however the creation of new reporting requirements would be a matter for government to consider. In the Commissioner’s view there may be greater merit in requiring organisations to keep this documentation, transparently publish some of it themselves and make it available to the regulator when required rather than annual reporting to the ICO.

33.Good corporate governance, with appropriate reporting lines to the Board, is an important factor in ensuring there is appropriate understanding of the risks and investment in cybersecurity. Article 39 of GDPR requires certain organisations to appoint a data protection officer; that individual will need to be sufficiently independent and knowledgeable, and be required to directly report to the highest management level.

34.In terms of the ICO’s commitment to transparency, we publish complaints data on our website by reference to the organisation complained about, and this includes details of cybersecurity concerns and reports. We also publish summaries of the audits undertaken by our Good Practice department.

35.Recommendation 15

There is an urgent need for a mechanism that is easily understood by consumers in order to maintain consumer confidence and inform consumer choices. We therefore support the ICO’s plan to create a privacy seal, to be launched later this year, which would be awarded to entities which demonstrate good privacy practice and high data protection compliance standards. It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress, and which have yet to take the issue seriously. (Paragraph 39)

36.Privacy seals are a means to encourage organisations to achieve a high standard of compliance. By its nature, obtaining a privacy seal would be a voluntary undertaking for the organisation concerned with the incentive to demonstrate, through an external assessment, its own high standards in this area. In our view it would be unrealistic to expect that organisations failing to achieve a ‘green’ rating would choose to voluntarily publicise this fact. A privacy seal should create a market for higher standards in data protection, ultimately allowing consumers to make a choice of service on the basis that an organisation does have a seal.

37.Work to introduce a privacy seal scheme is ongoing. We need to ensure that any scheme adds sufficient value to organisations and the protection of personal data, whilst being a commercially viable proposition for the scheme provider. We are looking at the focus of schemes, and cybersecurity is one area we will be paying particular attention to. A further announcement will be made by the Information Commissioner later in the year.

38.Recommendation 16

Nevertheless, the ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors. (Paragraph 40)

39.We view audit powers as an important part of our regulatory toolkit, and an effective way to encourage organisations to proactively identify and deal with data protection and security risks. We would welcome the introduction of non-consensual audit powers for all organisations, regardless of the sector or industry concerned rather than the current piecemeal approach (the Information Commissioner currently has the power to audit central government and public sector health bodies). If we had this broad power we would still ensure that our resources are directed towards those organisations or sectors that present the greatest risks and where use of audit powers will have the greatest impact in protecting personal data, in line with good regulatory practice.

16 Directive 2002/58/EC (as amended)

20 October 2016