Many organisations struggle to allocate responsibility for cyber security within the business. Some choose to place the issue within the ambit of IT. Others place responsibility with the legal or compliance departments. Difficulties arise because cyber security risks are critical for multiple departments within an organisation – legal, compliance, IT, HR, communications and marketing must all be involved, and prepared for the worst to happen.
In June this year, the government's Culture, Media and Sport Committee issued a report (the "Report") recommending that chief executives should assume "ultimate responsibility for cybersecurity within a company" but that day-to-day responsibility should be allocated to another person in the business, such as the chief information officer or head of security.
Given the importance of cyber risk to an organisation's profits, brand and reputation, the government recommends that those tasked with cybersecurity responsibilities on a day-to-day level should be subject to oversight by the Board, and potential sanctions when things go wrong. The Report goes on to suggest that a portion of CEO compensation should be linked to effective cyber security. The Information Commissioner, Elizabeth Denham, has also recently supported the view that cyber security is a board-level issue in her first appearance before a Parliamentary Committee, calling for directors to be held accountable by being personally liable to pay fines. Her comments were made in relation to the Digital Economy Bill, which deals with nuisance marketing calls. However, it is not too difficult to envisage a situation where this could be extended to directors being held liable for other data protection fines, where the board failed to properly deal with cyber security issues. The ICO also sought to reinforce this message in its communications regarding the record £400,000 fine imposed on TalkTalk, saying: "Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers."
In October, the government issued a response to the Report, saying that it is "currently exploring whether we have the regulatory framework and incentives needed to drive effective cyber risk management across the UK economy". We are all aware that the regulatory framework is changing with the implementation of the GDPR in May 2018, bringing with it the prospect of much greater fines for non-compliance. However, it will be interesting to see what the government proposes as an 'incentive' to motivate good cyber practice in the UK.
The Report also referred to the government's 'Ten Steps to Cyber Security' guidance and emphasised the need for companies to establish effective incident management policies and processes, as well as recommending that organisations participate in the joint government and industry "Cyber Security Information Sharing Partnership", which will enable them to share real-time threat information and get information on best practice, including incident management. The National Cyber Security Centre, which was launched this month, will also provide additional information and support in relation to the management of cyber security incidents.
Organisations should continue to monitor their approach to cyber risk and ensure appropriate oversight is in place.
September saw the announcement of another massive, headline-grabbing data breach by Yahoo. Cyber criminals had allegedly stolen the details of 500 million Yahoo users in what appears to be the biggest hack in history. Yahoo initially accused 'state sponsored actors' of carrying out the attack, although it released no information as to how it had reached that conclusion, and various tech commentators cast doubt on that theory.
The most disturbing aspect of the revelation is that the hack is not new – it took place in 2014. Questions were asked as to why it had taken so long for Yahoo to discover the hack, its extent, and why it took so long to notify its users of the breach. Given that agreement had been reached, back in July, to sell Yahoo to Verizon and that Verizon had stated that they were only informed of the breach two days before the public announcement, it is certain that serious questions will also be raised as to Yahoo's knowledge of the breach at the time of agreeing the sale.
Yahoo users will be understandably concerned that their credentials may have been circulating for months, if not years, on the dark web. According to Yahoo, the breach involved names, email addresses, phone numbers, birthdays, encrypted passwords and answers to security questions. The latter information may be the most valuable to criminals, as it is relatively easy to change your password but your mother's maiden name will always remain the same. Within days of the announcement of the breach, at least two separate lawsuits (filed on 22 September 2016 and 23 September 2016) had been filed in California, purportedly on behalf of all compromised users, accusing the company of gross negligence and arguing that it showed "reckless disregard for the security of its users' personal information".
Interestingly, in support of the argument that Yahoo has been negligent in failing to discover and respond to the breach in a timely fashion, the lawsuit referred to research by the Ponemon Institute stating that the average time to identify an attack was 191 days, and the average time to contain a breach was 58 days after discovery. Some people may be surprised that the average time is so long – over 8 months from breach to resolution. However, Yahoo took significantly longer – two years from breach to discovery, and it remains unclear whether the breach has been contained.
The plaintiffs are using the Ponemon Institute's figures as a benchmark, alleging that Yahoo's discovery took "an unusually long period of time." Of course, without concrete evidence of how long a 'usual' period of time is, it seems that this proposition will be difficult to establish, and will come down to the specific circumstances of the case.
The Yahoo plaintiffs allege that they have suffered injuries as a result of the breach and seek damages plus the costs associated with the need for three years' credit monitoring to protect against ID theft.
Given the scale of the breach, even if each user were to be awarded nominal damages plus the cost of credit monitoring, the numbers would be staggering and could be enough to cripple Yahoo. It will be interesting to see how this lawsuit is received by the US Courts – watch this space for updates.
Back home, it is also worth mentioning that the First-tier Information Rights Tribunal has dismissed TalkTalk's appeal against a fixed monetary penalty notice of £1,000 for failing to notify the ICO of its data breach within 24 hours of detection, as required by the Privacy and Electronic Communications Regulations 2003 ("PECR") and the Notification Regulation. TalkTalk argued that the point of detection was not the time of receipt of a customer letter complaining that their information had been disclosed, but that the 24-hour period only began to run from the point at which it had carried out preliminary investigations to establish whether or not the breach had, in fact, occurred. The Tribunal found that TalkTalk had sufficient information from receipt of the customer letter, which, in these particular circumstances, provided so much detail that a personal data breach was the only explanation. This should be contrasted with the situation where a company receives a generalised complaint or suspicion, in which case a period of investigation may be required to 'detect' the personal data breach.
The decision serves as a reminder to telecommunications and internet service providers of the strict rules surrounding personal data breach notification and the need to have incident response plans and procedures in place to ensure swift detection, analysis and communication. It should also be considered a warning to all companies that hold personal data.
When the GDPR comes into effect in May 2018, all such organisations will be subject to a requirement to notify the ICO of personal data breaches within 72 hours. However, under the GDPR, the penalty for failure to report will be significantly worse – fines of up to €10m or 2% of global annual turnover, whichever is the higher. On the basis that it is now generally accepted that most organisations will suffer a breach at some point, organisations would be well advised to get breach response plans in place now, establish relationships with trusted advisors, and practise the response process sooner rather than later.
Organisations should continue to apply robust cyber security practices across the business.
Test breach response plans, establish relationships with trusted advisors, and practise the response process sooner rather than later.