The Culture, Media and Sport Committee have launched an inquiry in the wake of the recent cyber-attack on the TalkTalk website on 21 October, which affected nearly 157,000 customers and 1,200,000 email addresses, names and phone numbers as well as details relating to thousands of bank accounts, credit and debit cards. The attack has led to the arrest of 4 individuals on suspicion of offences under the Computer Misuse Act 1990 ("CMA 1990"). It recently emerged that one of those arrested, a 15 year old boy in Northern Ireland, is suing three national newspapers for an alleged breach of privacy.
Under the Data Protection Act 1998 ("DPA 1998") 'personal data' is defined as that which relates to a living individual who can be identified either 1) from the data or 2) from the data and other information in the possession of, or likely to come into the possession of, the data controller. This broad definition potentially means that a large amount of the data held by companies will be the personal data of customers. Such personal data must be processed in accordance with the Data Protection Principles set out in the Act, which include, in the specific context of cyber-attacks, requirements that processing be fair and lawful and in accordance with the rights of data subjects, and that appropriate technical and organisational measures be taken against unauthorised or unlawful processing. It is clear that cyber-attacks could potentially give rise to legal implications under the Act for perpetrators, companies and individuals.
The Committee's inquiry is intended to explore the circumstances surrounding the cyber-attack and the wider implications for telecoms and internet service providers. They are seeking written submissions by 23 November on several matters, including:
- The robustness of measures that telecoms and internet service providers employ to protect their customers' personal data and the level of investment being made to ensure that their systems remain secure and anticipate future threats;
- The nature, role and importance of encryption in protecting personal data;
- The adequacy of the supervisory, regulatory and enforcement regimes currently in place;
- The adequacy of the redress mechanisms and compensatory measures for consumers; and
- Likely future trends in hacking, technology and security.
The launch of the inquiry is timely as recent months have seen an increasing number of corporate data protection incidents, with other household names such as Morrisons and British Gas among those affected.
The Morrisons data breach illustrates that companies must guard against both external and internal threats, as the perpetrator was an employee. On 17 July Andrew Skelton, 43, was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data. He had previously been a senior internal auditor at the company and was sentenced to 8 years imprisonment for the offences, which involved details of nearly 100,000 of the supermarket giant's staff being leaked onto various websites. The data included names, addresses and bank account details. While firms cannot always prevent data breaches by employees, a proactive and sensible approach to data protection is essential.
However, it would be wrong to think that that cyber-attacks are only directed at companies. An incident on 28 October led to the email addresses and account passwords of 2,200 British Gas customers being posted online. They were removed on the same day after the company discovered the leak in the course of routine checks. British Gas insisted that its secure data storage systems had not been affected and that payment data such as bank account or credit card details was encrypted. One theory is that the leak was the result of a 'phishing' attack. If this is the case it would mean that the data had been obtained by individuals concealing their identities, perhaps by masquerading as British Gas, in order to procure the details from customers themselves by deceiving them into a false position of trust. If this is the case then it demonstrates that the responsibility for protecting personal details cannot be confined to firms. Although they are obvious targets in light of the large volumes of data that they process, individuals must also take care not to inadvertently disclose their personal data to criminals.
The complex legal position in relation to data protection is made more difficult by the fact that the law is perpetually playing catch-up in the face of technological developments. Legislation in the data protection field is dated, with the DPA 1998 and CMA 1990 presenting obvious examples of statues drafted in the early days of mass computer ownership and before the onset of the internet age. The civil law position is likely to be modified in 2016 by the General Data Protection Regulation, which is still being formulated and will replace the 1995 Data Protection Directive upon which the DPA 1998 is based. Consumers are understandably concerned about their data in light of these incidents and it is to be hoped that the inquiry thoroughly reviews the current position. Cyber-attacks are likely to increase in frequency and become more technologically sophisticated, so it is essential that individuals, companies and other organisations are as well prepared as possible to face what is clearly a substantial threat.