On 21 October 2015, TalkTalk was the victim of a cyber-attack. The day after discovery of the attack, TalkTalk went public, notifying customers and the press regarding the breach, instantly becoming headline news. TalkTalk chose to notify the public before obtaining the forensic investigators' findings as to the nature and extent of the compromise, and its inability to specify who or what was affected caused much concern across TalkTalk's entire customer base and the public at large. The ICO launched an investigation into the attack and a parliamentary inquiry was set up on 3 November 2015, hearing oral evidence from TalkTalk's CEO, Dido Harding, and the (then) Information Commissioner, Christopher Graham.
On 17 June 2015, the Culture, Media and Sport Select Committee (the "Committee") issued its findings (the "report") on the incident. Whilst the TalkTalk breach was the trigger for the inquiry, the report recognises that cyber-crime is a significant, complex and growing problem, and that its reach is international and non-sector specific. Interestingly, the report notes that the ICO conducted an audit of TalkTalk in September 2014, which resulted in a number of suggestions being made, but did not give the ICO any reason to put the company on a "watch list" or issue enforcement action against the company. On that basis, it would appear that TalkTalk was not in a particularly bad state prior to the attack – and the lessons it has learned can assist all organisations to prepare for the eventuality of a breach.
The report makes a number of observations and recommendations on cyber security, which are set out below. The ICO has not yet finalised its own investigation into the breach, so watch this space.
As a telecommunications provider, TalkTalk had the obligation to notify the ICO of the breach within 24 hours of becoming aware of the facts, and to notify its customers without delay, if the breach is likely to adversely affect them.
In spite of the short timescales envisaged by the law, the report notes that the Board's decision to go public immediately was "unusual", given that they knew it would take at least several days, or weeks, to work out how many customers were affected. This seems to work on the assumption that a normal response would be to notify customers only once the extent and impact of the breach has been established. However, the report praises TalkTalk's "strong crisis management response", including the decision to appoint PWC to review TalkTalk's systems following the cyber-attack.
It is recognised that there is an inherent tension between the requirement to notify affected individuals of a cyber-attack and the duty to notify the police, who may wish to keep information confidential to allow them to pursue the attackers. The Committee recommend that the ICO and Cyber Essentials publish guidance on best practice for notifying authorities and affected individuals, aiming to strike the best balance between protecting sensitive information for police investigations and the requirement to inform affected individuals of the breach.
The report goes on to note that there is not sufficient incentive for companies to notify the ICO of data breaches. The Committee considers that the ICO's current power to issue a £1,000 fine to telecoms or internet service providers that fail to notify a breach within the required 24 hours is not sufficiently harsh, and recommends that the ICO implements a new incentive structure. Surprisingly, the report fails to note that the existing ICO guidance on monetary penalties provides that failure to voluntarily notify the breach will result in higher penalties (and vice versa, as occurred in the Jala Transport decision).
Board level responsibility
The inquiry also considered how the TalkTalk Board took responsibility for cyber security and data breaches. The Committee agreed with Dido Harding that ultimate responsibility for cyber security lies with the CEO, and that it is appropriate for the CEO to lead a crisis response in the event of a major attack. However, this alone is not enough. Day-to-day responsibility for cyber security within a company should be clearly allocated to a specific person, for example the Chief Information Officer, with Board oversight. The report also recommends that, to ensure the issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security.
Whilst recognising that TalkTalk had run various business continuity exercises, including cyber-breach simulations, the Committee were critical of the fact that TalkTalk had not exercised and planned how to handle a cyber-attack of the scale suffered. The report recommends that the individual responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises.
Increased fines for known vulnerabilities?
Whilst the Committee recognises that it has little concrete information on the technical vulnerabilities that led to the TalkTalk compromise (largely because the ICO has not yet issued its findings), reports have circulated that it was the product of a SQL injection attack. The Committee considered that, given the prevalence of such attacks, it is "no longer a defence, for a company using an e-commerce platform, to say that it was not aware of the risk of SQL injection attacks or similarly established and in some cases routine forms of cyber-penetration".
The Committee recommends that the ICO introduces a series of escalating fines, based on lack of attention to threats and vulnerabilities which have led to previous breaches, meaning that a data breach caused by a "routine" or repeated attack could trigger greater fines than where the attack is novel and unexpected.
Whilst this seems sensible, it is arguable that this already exists on an informal basis, as one of the factors that the ICO considers when imposing a monetary penalty is whether the organisation has done all it could to prevent an incident, and whether the incident is a one-off or part of a series of ongoing breaches. If a company fails to implement basic levels of security in the face of known threats, the ICO is likely to take a harsher stance than with a company that has done all it can to avoid a breach.
Compensation for data breaches
The ICO has made it clear that compensation for individuals is not within its remit. The only remedy is for affected individuals to bring legal proceedings against the company involved. The report notes that although the Committee heard from customers who had suffered scam phone calls as a result of the breach (and previous third party breaches), they did not see any evidence of customers suffering direct financial loss as a result of the 2015 breach.
The issue of whether compensation for distress without evidence of financial loss is available under the Data Protection Act 1998 is currently under consideration by the Supreme Court, in the Google v Vidal Hall case.
The Committee's view is that it should be easier for consumers to claim compensation if they have been the victim of a data breach. It recommends that the Law Society provides guidance to lawyers on assisting individuals to seek compensation, and that the ICO should assess whether adequate redress is being provided by the small claims process. If the process is made easier, and damages are available for pure distress, we may see an increase in the number of small claims made against a company that suffers a data breach.
A further issue that arose from the TalkTalk breach was the lack of clarity regarding the ability of customers to terminate their contracts as a result of the breach. The Committee recommends that companies clarify their consumer contracts to make clear whether financial loss as a result of a data breach is sufficient grounds to terminate a contract early.
Other conclusions and recommendations
The report makes various other conclusions and recommendations, including:
- That TalkTalk publishes "as much of the PWC investigation as commercially possible without delay";
- That the Government starts a public awareness-raising campaign regarding online and telephone scams, and that all relevant companies provide well-publicised guidance to customers on how they can verify that customer communications are genuine;
- That "security by design" is a core principle for new system and apps development and a mandatory part of developer training;
- All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers;
- Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber-ransom demands;
- Support for the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data;
- Creation of a privacy seal by the ICO, which would be awarded to entities which demonstrate good privacy practice and high data protection compliance standards;
- Annual reporting to the ICO by organisations that hold large amounts of personal data on:
  i. Staff cyber-awareness training;
  ii. When their security processes were last audited, by whom and to what standard(s);
  iii. Whether they have an incident management plan in place and when it was last tested;
  iv. What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
  v. The number of enquiries they process from customers to verify the authenticity of communications;
  vi. The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
A copy of the report is available here.