News broke last week that the telecoms and internet access provider Talk Talk had suffered a major cyber attack, potentially putting the data of millions of customers at risk.
When an organisation is hacked it puts them in a very difficult position. They need to secure their systems and data and find out the extent of the problem. They also need to preserve what is effectively a crime scene. This is not easy.
At the same time, the organisation is likely to need to let those affected know what has happened so that they can take measures to protect themselves. They also need to inform regulators such as the Information Commissioner. Most organisations are not legally obliged to tell the ICO that a data breach has occurred (providers of public electronic communications services, which includes telecoms companies like Talk Talk, are the main exception: under the Privacy and Electronic Communications Regulations they must notify the ICO of personal data breaches). In practice, however, the ICO is almost certain to find out anyway, and in a breach as serious and public as this one that is a certainty. The ICO can be very helpful in any event and will not interfere in the investigation.
Looking at this from the outside, Talk Talk appears to have approached things in the right way once they discovered the breach. They acted quickly to inform customers even though they did not know the full extent of the problem. They assumed it might be worse than it was, which is often a good approach to adopt in a crisis. They put up senior people to talk about it and explain what happens next.
In other words, they seem to have had a plan about how to deal with this. It is an important lesson to learn. Whatever steps organisations take, they will never be 100% secure from such attacks (and should not claim that they are as this will increase their risk of facing legal action). It is about being prepared to respond as soon as possible if the worst happens.
Now, attention is turning to questions of compensation. Essentially, the legal standard that organisations have to reach is similar to that in negligence: the Data Protection Act requires "appropriate technical and organisational measures" against unauthorised or unlawful processing and against accidental loss of personal data. Have they taken all reasonably necessary steps to prevent an attack and, once an attack has occurred, have they acted reasonably in responding to it? The prospect of claims for compensation has increased recently as a result of a Court of Appeal ruling earlier this year (Vidal-Hall v Google) which makes it much easier to claim damages for distress arising out of breaches of data protection laws, without first having to show financial loss. That case is currently on appeal to the Supreme Court and a ruling is awaited.
However, to claim compensation it is still necessary to show that the organisation failed to take appropriate protective measures on this "negligence" standard. The message is: be prepared. Take all reasonable steps that you can. Do not over-promise on data security, because you will never be 100% secure. Have a plan in place for when things go wrong.