TalkTalk Data Breach Prompts Renewed Calls for Cyber-Crime Reform by Sarah Cotterill
Last week’s news of a cyber-attack on UK telco TalkTalk is a timely reminder that cyber-crime has become the biggest threat to business, government and personal data. Company data breaches are becoming increasingly prevalent, with hacking tools now available to even the most basic cyber-criminal. Indeed, the Department of Business, Innovation & Skills’ 2015 Information Security Breaches Survey, published last June, reports that in 2014, 90% of large and 74% of small organisations suffered a data breach.
Easily one of the most alarming aspects of cyber-crime is that organisations remain largely in the dark when it comes to preventing the crime from occurring. The UK Data Protection Act 1998 requires that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”; however, the Act fails to define any mandatory security requirements for organisations, such as encryption. From a practical perspective, it is expensive and time-consuming for every company to stay abreast of emerging hacking technology and to encrypt all of the data it holds. Information on TalkTalk’s Help webpage maintains that the telco has not breached the Data Protection Act as “this is a criminal attack” and confirms that “not all of the data was encrypted.”
With the Metropolitan Police Cyber Crime Unit, the National Crime Agency and the Information Commissioner’s Office (ICO) all currently investigating TalkTalk’s data breach, there are renewed public calls for various changes to how the UK tackles cyber-crime, including requests for the government to centralise responsibility for cyber security under one cabinet minister. Additionally, an increase to the maximum penalty of £500,000 that the ICO can currently impose on companies that allow data protection breaches has been suggested, as has a general review by the Financial Conduct Authority to determine what can be done to prevent security breaches in the future.
Obviously, the key to preventing a cyber-attack is up-to-date security measures and data encryption by the organisation, backed up by effective government regulation and police enforcement. Following news of the data breach last week, Oliver Parry, a senior corporate governance adviser at the Institute of Directors, said “The truth is we don’t really know how to deal with these as we haven’t had a cyber breach on this scale in the United Kingdom…” and urged “the government and companies to work together to make us the world leader in countering the scourge of cyber crime.” Similarly, the former Home Office Minister Hazel Blears has said this event should prompt a debate about our expectations of “companies who are holding massive amounts of public data to be able to show that they are putting in place the necessary security precautions…[and] whether there needs to be a better regulatory framework.” Legislative guidance and minimum mandatory security requirements appear essential to protect the data that organisations hold about their individual consumers.
Unfortunately, as the situation currently stands, individual consumers are at the mercy of any organisation that requests personal data in exchange for the use of its product or service. Following this breach, the responsibility for protecting the personal data of TalkTalk’s 4.2 million customers was placed back onto each individual consumer, with TalkTalk offering the only advice currently available: that customers change their account passwords and beware of potential scam emails or phone calls requesting personal information.