The UK parliament has issued a report on cybersecurity and the protection of personal data online, which finds that companies should do more to improve their defenses and to respond to these attacks. Companies should not only expect to invest more, but also to face tougher sanctions, including the risk that some of their employees go to jail if found guilty.
The TalkTalk case suggests that customers currently attach less importance to privacy than expected
The report on cybersecurity issued on June 17, 2016 by the UK Parliament's Culture, Media, and Sport Committee shows how serious policy-makers are getting about data protection. Although this report was triggered by the cyber-attack that affected TalkTalk and its customers in October 2015, the problem is much wider and more common because it relates to almost every online company. As the report finds, 90% of large organizations have reportedly experienced a security breach, and 25% of companies experience a cyber-breach at least once a month.
The report also suggests that fines for data breaches should be much higher than the current levels, and that penalties such as custodial detention should be imposed on individuals who unlawfully obtain and sell personal data. This shows that the General Data Protection Regulation (GDPR) recently approved by the EU Parliament, which will come into force in 2018, goes in the right direction in this respect. The GDPR considerably raises the maximum level of fines that can be imposed, bringing it up to €20m ($22.7m) or 4% of a company's annual worldwide turnover, whichever is higher. As noted in the committee's report, sanctions such as these are much more likely to be a deterrent for large organizations, compared to the current maximum fine of £500,000 ($733,969) that the Information Commissioner's Office (ICO) can impose. Also, given that the GDPR leaves member states with the freedom to introduce additional penalties, policy-makers will have the power to introduce measures such as custodial detention without clashing with EU regulation. Strikingly, the report suggests that companies' CEOs should have part of their executive compensation linked to effective cybersecurity, in a way to be decided by each company's board. This is an area where lawmakers should look to introduce more detailed provisions, because generic suggestions could fail to have a meaningful impact.
Similarly, lawmakers should consider intervening in the legislation that allows customers to choose early termination of a contract if they have incurred financial loss due to a data breach. The report notes that telecoms companies do not make this aspect sufficiently clear; however, TalkTalk did offer its customers the option to terminate the contract at no penalty, or to get a free upgrade. In this regard, it is noteworthy that the vast majority (about 500,000) of the customers affected by the breach opted for the upgrade, whereas only 100,000 customers decided to leave the company. This should lead policy-makers to reflect on how users actually perceive privacy matters. Despite the responses provided in surveys, which tend to suggest customers attach the utmost importance to data protection, many customers do not consider it a sufficient reason to do without an online service. In turn, this will inform regulators' ability to impose penalties and fines in a proportionate way when they identify data breaches.
The committee also notes how important it will be to allocate more resources to dealing with cyber-attacks and data breaches. On the one hand, it notes the ICO's resources do not appear to be sufficient to deal with these issues at present. On the other hand, it urges companies to train their staff regularly not only to prevent cyber-attacks, but also to respond to them because it is likely that cyber-attacks will happen despite increased investment in cybersecurity. All this, together with the whole set of provisions included in the GDPR, should encourage companies to invest more resources and time in the parts of their business that relate to data security for the years to come.
Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)
Luca Schiavoni, Senior Analyst, Regulation