Ovum view

Summary

Following the cyber-attack that affected the UK Internet service provider (ISP) TalkTalk in October 2015, the UK Information Commissioner's Office (ICO) imposed a fine of £400,000 ($491,398) on the company in October 2016. The fine could have been considerably higher if the new EU rules on data protection, the General Data Protection Regulation (GDPR), had already been in force.

There is no doubt that ISPs will be learning lessons from this incident and improving their security systems to minimize the risk of such attacks. However, TalkTalk's case also shows that customers can decide to stick with their provider and get a better deal, rather than making privacy a matter of principle.

Operators will face far higher fines under the GDPR, but can find ways to minimize customer loss

The ICO's decision to fine TalkTalk £400,000 on October 5, 2016 hardly came as a surprise. The data breach, which occurred almost a year earlier in October 2015, made international media headlines for some time and put the privacy and data security of ISPs' customers under the spotlight in an almost unprecedented way. As the investigation found that TalkTalk had failed to put appropriate safeguards in place to secure its websites, such a fine is something the company should have seen coming. It is the largest fine ever imposed by the ICO, which could have imposed a fine of up to £500,000 ($614,597) under its current powers.

The fine could have been even bigger if the EU's GDPR had already been in force. The new rules, which will take effect in December 2017, will allow a data protection authority to issue penalties of up to the equivalent of €10m (£9.01m, $10.98m), or 2% of a company's global annual turnover (whichever is higher), for misconduct such as that for which TalkTalk has been found responsible.

Although TalkTalk should have taken more proactive steps to improve the security of its systems, cyber-attacks can still hit organizations that give top priority to the security of their systems. In fact, customers appear to behave as if such incidents are inevitable from time to time. When TalkTalk came under fire in the wake of the data breach, it offered its customers a free upgrade on the package they were subscribed to. Most customers opted for the free upgrade (about 489,000 customers), and churn after the attack was at its lowest ever for the ISP (1.3% of the ISP's customer base). While the effort made by TalkTalk to rebuild its relationship with customers has played a role, these figures also indicate that users are often more focused on getting a better deal than on privacy issues.

TalkTalk's case shows that it is possible to recover from a data breach, but this will of course come at a cost. However, the upcoming GDPR will make such a recovery much more difficult, especially if regulators use their power to impose heavy fines. To avoid the risk of being hit by significant penalties, ISPs and any other organization handling large volumes of personal data must make the security of their networks and systems a priority.

Appendix

Further reading

The EU's General Data Protection Regulation, TE0007-001037 (August 2016)

Author

Luca Schiavoni, Senior Analyst, Regulation

luca.schiavoni@ovum.com
