
Ovum view

Summary

The UK Parliament has issued a report on cybersecurity and the protection of personal data online, which finds that companies should do more to improve their defenses and to respond to cyber-attacks. Companies should not only expect to invest more, but also to face tougher sanctions, including the risk that some of their employees go to jail if found guilty.

The TalkTalk case suggests that customers currently attach less importance to privacy than expected

The report on cybersecurity issued on June 17, 2016 by the UK Parliament's Culture, Media, and Sport Committee shows how serious policy-makers are getting about data protection. Although this report was triggered by the cyber-attack that affected TalkTalk and its customers in October 2015, the problem is much wider and more common because it relates to almost every online company. As the report finds, 90% of large organizations have reportedly experienced a security breach, and 25% of companies experience a cyber-breach at least once a month.

The report also suggests that fines for data breaches should be much higher than the current levels, and that penalties such as custodial detention for individuals who unlawfully obtain and sell personal data should be imposed. This shows that the General Data Protection Regulation (GDPR) recently approved by the EU Parliament, which will come into force in 2018, goes in the right direction in this respect. The GDPR considerably raises the maximum level of fines that can be imposed, bringing it up to €20m ($22.7m) or 4% of a company's annual worldwide turnover, whichever is higher. As noted in the committee's report, sanctions such as these are much more likely to be a deterrent for large organizations, compared to the current maximum fine of £500,000 ($733,969) that the Information Commissioner's Office (ICO) can impose. Also, given that the GDPR leaves member states with the freedom to introduce additional penalties, policy-makers will have the power to introduce measures such as custodial detention without clashing with EU regulation. Strikingly, the report suggests that companies' CEOs should have part of their executive compensation linked to effective cybersecurity, in a way to be decided by each company's board. It is an aspect on which lawmakers should look to introduce more detailed provisions, because generic suggestions could fail to have a meaningful impact.

Similarly, lawmakers should consider intervening in the legislation that allows customers to choose early termination of a contract if they have incurred financial loss due to a data breach. The report notes that telecoms companies do not make this aspect sufficiently clear; however, TalkTalk did offer its customers the option to terminate the contract at no penalty, or to get a free upgrade. In this regard, it is noteworthy that the vast majority (about 500,000) of the customers affected by the breach opted for the upgrade, whereas only 100,000 customers decided to leave the company. This should lead policy-makers to reflect on how users actually perceive privacy matters. Despite survey responses, which tend to suggest customers attach the utmost importance to data protection, many customers do not consider it a sufficient reason to do without an online service. In turn, this will inform regulators' ability to impose penalties and fines in a proportionate way when they identify data breaches.

The committee also notes how important it will be to allocate more resources to dealing with cyber-attacks and data breaches. On the one hand, it notes the ICO's resources do not appear to be sufficient to deal with these issues at present. On the other hand, it urges companies to train their staff regularly not only to prevent cyber-attacks, but also to respond to them because it is likely that cyber-attacks will happen despite increased investment in cybersecurity. All this, together with the whole set of provisions included in the GDPR, should encourage companies to invest more resources and time in the parts of their business that relate to data security for the years to come.

Appendix

Further reading

Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)

Author

Luca Schiavoni, Senior Analyst, Regulation

luca.schiavoni@ovum.com
