Following the cyber-attack that affected the UK Internet service provider (ISP) TalkTalk in October 2015, the UK Information Commissioner's Office (ICO) issued a fine of £400,000 ($491,398) to the company in October 2016. The fine could have been considerably higher if the new EU rules on data protection, the General Data Protection Regulation (GDPR), had already been in force.
There is no doubt that ISPs will be learning lessons from this incident and improving their security systems to minimize the risk of such attacks. However, TalkTalk's case also shows that customers can decide to stick with their provider and get a better deal, rather than making privacy a matter of principle.
Operators will face far higher fines under the GDPR, but can find ways to minimize customer loss
The ICO's decision to fine TalkTalk £400,000 on October 5, 2016 hardly came as a surprise. The data breach, which occurred almost a year earlier, in October 2015, made international media headlines for some time and put the privacy and data security of ISPs' customers under the spotlight in an almost unprecedented way. As the investigation found that TalkTalk had failed to put appropriate safeguards in place to secure its websites, such a fine is something the company should have seen coming. It is the largest fine ever imposed by the ICO, which under its current powers could have imposed a penalty of up to £500,000 ($614,597).
The fine could have been even bigger if the EU's GDPR had already been in force. The new rules, which will become valid in December 2017, will allow a data protection authority to issue penalties of up to the equivalent of €10m (£9.01m, $10.98m), or 2% of a company's global annual turnover (whichever is higher), for misconduct such as that for which TalkTalk has been found responsible.
Although TalkTalk should have taken more proactive steps to improve the security of its systems, cyber-attacks can still hit organizations that give top priority to the security of their systems. In fact, customers appear to behave as if such incidents are inevitable from time to time. When TalkTalk came under fire in the wake of the data breach, it offered its customers a free upgrade on the package they were subscribed to. Most customers opted for the free upgrade (about 489,000 customers), and churn after the attack was at its lowest ever for the ISP (1.3% of the ISP's customer base). While the effort TalkTalk made to rebuild its relationship with customers played a role, these figures also indicate that users are often more focused on getting a better deal than on privacy issues.
TalkTalk's case shows that it is possible to recover from a data breach, but this will of course come at a cost. However, the upcoming GDPR will make such a recovery much more difficult, especially if regulators use their power to impose heavy fines. If they want to avoid the risk of being hit by significant penalties, the security of networks and systems has to become a priority for ISPs and for any other organization handling large volumes of personal data.
The EU's General Data Protection Regulation, TE0007-001037 (August 2016)
Luca Schiavoni, Senior Analyst, Regulation