The Department of Culture, Media and Sport Committee at the House of Commons has published its First Report of Session for 2016-17 (the “Report”). The Committee was adjourned until 28 June, so the Second Report of Session should be published shortly after it has reconvened.
For those not familiar with the Committee and its enquiry, the current work was triggered by the TalkTalk attack in October 2015. Investigating that attack and its aftermath falls within the remit of the Committee, but it is also undertaking a wider review of cyber-crime and the approach taken by the Government, the Information Commissioner’s Office and industry and business to information security. The Report contains a number of proposals and suggestions, some of which are not new or surprising, but others are more controversial and would potentially be difficult to implement. This article highlights a few of the more significant proposals.
As a preliminary point to note, the outcome of the EU referendum means that there is necessarily some crystal-ball gazing to be done as to where UK data protection law will go now that, assuming the Article 50 Notice is served as expected, the GDPR will not be implemented in the UK. For a more detailed consideration of this, please see the article by Vin Bange, our UK head of data protection.
The first point to note is that the Report recommends the implementation of sections 77 and 78 of the Criminal Justice and Immigration Act 2008. This would allow a custodial sentence of up to 2 years for those convicted of unlawfully obtaining and selling personal data. The ICO has been lobbying the government for custodial sentences in relation to data offences for some time, and this is a welcome development. However, given the current political uncertainty, it remains to be seen when, or if, this recommendation will be brought before Parliament.
The Report also makes interesting comments about who within businesses should be responsible for cyber security and who should deal with a major attack. The Committee notes that it is appropriate for the CEO to lead a crisis response should a major attack arise. However, overall responsibility for cyber security should sit with someone able to take full day-to-day responsibility, with board oversight, “who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber attack.” At the same time, the Report recommends that a portion of the CEO’s compensation should be linked to effective cyber security.
It is not clear what “fully sanctioned” is intended to mean. The Report is, however, clear that appropriate levers should be in place to ensure that both the CEO and whoever is tasked with day-to-day responsibility for cyber security can be held responsible if the company has not taken sufficient steps to protect itself. The immediate difficulty with this proposal is defining what “sufficient steps” are: both the threats to companies and the information and cyber security industry change at a significant pace, and there is often conflicting guidance as to what steps should be taken to secure information. If the proposals in the Report are taken forward, companies will need to review carefully how information about information and cyber security flows up to the board, and (already very busy) CEOs will need training so that they understand what questions to ask of the business, and how to interpret the answers they get. While the Report’s aim is that CEOs should ultimately be accountable for successful cyber attacks against their companies, it isn’t clear to us that the approach proposed in the Report is the right one.
The Report also proposes that the ICO should impose a sliding scale of fines based on the lack of attention to threats and vulnerabilities which have led to previous breaches. One can see the scope for argument about whether a vulnerability is well known, and what precisely led to a breach. As a principle to encourage improvements to security, this is to be welcomed, although it seems largely to make explicit what the ICO has already been doing to some extent in any event.
Finally, the Report expresses clear support for breach response planning, stating that “the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected…” As with any crisis management situation, planning is critical. In our experience, organisations that have effective breach response plans and test them regularly are in a much better position to deal cost-effectively with a breach than those who don’t. In the current world, every company will have a breach (and probably many more than one) at some point during its life; what will differentiate companies is how they deal with them.