Jail call for data thieves

by Mark Rowe

Those convicted of unlawfully obtaining and selling personal data should be jailed for up to two years, according to the Culture, Media and Sport Committee. The committee of MPs has also said that the data protection watchdog, the Information Commissioner’s Office (ICO), should have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.

The recent cyber-attack on TalkTalk’s website, where it was initially feared that the personal details, including bank details, of over four million customers had been stolen and made public, gave rise to questions and concern over the ways companies store and secure information about their customers. TalkTalk had already been subject to two previous attacks this year.

Hence the MPs held an inquiry into the breach and the wider implications for telecoms and internet service providers. The MPs reported that the problem is significant, growing, and affects all sectors with an online platform or service. According to the report, 90 per cent of large organisations have reportedly experienced a security breach, and 25pc of companies experience a cyber-breach at least once a month.

The public sector fares no better: the latest research from the ICO shows that the health sector has the most data breaches, followed by local government. Furthermore, not all threats to cyber security or data protection are from external actors: over 40pc are caused by employees, contractors and third party suppliers, and half of these are accidental.

There needs to be a step change in consumer awareness of on-line and telephone scams, and the Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing, the committee said. The MPs also recommended that companies make it much easier to verify if communications, whether online or by telephone, are genuine. The ICO’s system of sanctions should include fines for companies that fail to do this. And it should be easier for victims of a data breach to claim compensation, said MPs.

For the 29-page report visit http://www.publications.parliament.uk.

Jesse Norman, Conservative MP for Hereford and chair of the committee, said: “Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent. As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

“They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes. Everyone must take the lessons from the Talk Talk breaches as a wake-up call – both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur.”

Comments

Geoff White, Underwriting Manager at Lloyd’s, commenting before the EU referendum outcome, said: “This MP report on data-breach fines should serve as a warning for those companies that aren’t aware of the EU’s upcoming General Data Protection Regulation (GDPR). Although £20m is a significant sum, 4 per cent of global revenue can be a much larger figure for certain companies and the potential sum of lost revenue and reputational damage can dwarf both of these numbers. Many companies have accepted that cyber-security is a case of putting in place containment and mitigation measures for when, not if, a cyber attack takes place. These solutions should work hand-in-hand with a comprehensive cyber-insurance policy to ensure businesses’ bottom lines are protected. Mandatory regulatory fines are a quick way of propelling this issue into the boardroom and forcing the c-level executives to consider contingency measures for when the worst happens.”

And at the trade body the British Retail Consortium, Hugo Rosemont, the BRC’s Crime and Security Policy Adviser said: “The committee’s report makes many good points which deserve to be taken seriously – both within the retail sector and across the UK economy more broadly. In particular, the report is right to point out the tensions that exist between informing the police about data breaches, and the duty to inform affected individuals. Achieving the correct balance will continue to represent a key issue for the BRC, its members, the ICO and the law enforcement community amongst others as the breach reporting aspects of the planned data protection regulations are transposed into UK law by 2018.”

He also stressed the importance of public-private cooperation in protecting cyber security and personal data online: “The report offers many useful recommendations but, when urging companies to stay ahead of criminals and hackers, is notably quiet in considering how the UK should set about strengthening cooperation between government and the private sector on cyber security issues. It is evident that any strategy to tackle cyber-crime must be nimble and also involve strong cooperation between industry and the authorities – neither government nor industry can achieve this on their own. Whilst the recommendations bearing on industry’s responsibilities advocated by the Committee are a potentially crucial part of the response, they would only ever comprise one part of the solution.”

Darren Anstee, Chief Security Technologist at Arbor Networks, said: “The headline from this report is the call for up to £20m fines for companies if they lose customer personal data; however, this has to be taken in context with the rest of the recommendations. Simply fining people for losing data could be seen as a disincentive to disclose breaches to customers, law enforcement and the ICO. However, the report also has multiple other recommendations around providing organisations with best practice for disclosure, and incentives for them to adopt this best practice. This is important as it will allow organisations to balance their priorities with those of their customers and law enforcement more easily.

“Investment in security solutions continues to grow, and in many cases we are following the traditional paradigm of investing in the latest technology to block the latest crop of threats. This report shines a light on the fact that businesses need to make sure our investments are effective in reducing risk. Increasingly we need to really understand what we need to protect inside our organisations and from whom, and then align our defensive processes accordingly around the risks to those key assets – rather than simply trying to block everything. Businesses need to invest in technologies that support the workflows needed by our operations teams for them to be effective at reducing the risk of an embarrassing and costly breach.”
