On 20 June 2016 the House of Commons Culture, Media and Sport Committee ("Committee") released its report on Cyber Security: Protection of Personal Data Online (the "Report"). The Report is based on the House of Commons inquiry into the cyber-security breach at telecommunications and internet service provider TalkTalk in October 2015, but is firmly aimed at a broader audience. The Report provides an array of lessons which organisations can heed and gives the Information Commissioner's Office (the "ICO"), the UK data protection regulator, some specific directions.
The Report makes a number of statements and recommendations around cyber-security and incident response readiness that those familiar with cyber-security would expect to see in a report of this type. For example, the Report provides statistics that demonstrate the seriousness of the cyber-threat, and repeats familiar truths such as that no organisation is immune to the cyber-threat and no security standard is 100% impenetrable. It also re-states known issues with the ICO's current enforcement powers and redress for affected individuals, including that:
- the ICO is understaffed to deal with the "wave" of breach notifications and complaints it currently receives (ICO's enforcement section of 30 staff are dealing with approximately 1,000 cases at any given time). This is a well-known fact, but what's interesting about it is that the current "wave" will turn into a "tsunami" once mandatory breach notification is introduced across the economy by 25 May 2018, when the provisions of the EU General Data Protection Regulation ("GDPR") will apply in the UK (in some shape or form, whether Brexit happens or not);
- the ICO's general fining powers (of up to £500,000) for breaches of the Data Protection Act ("DPA") and the Privacy and Electronic Communications Regulations ("PECR") are at present too low. Again, the GDPR will change that, with fines of up to 4% of annual worldwide turnover or €20,000,000 (whichever is higher);
- the fining regime for failures to comply with the breach notification requirements for telcos and ISPs under the PECR is inadequate. Indeed, at £1,000 per failure to notify, it is like a parking ticket. The current ongoing review of the Directive on Privacy and Electronic Communications is likely to change this;
- the ICO needs broader powers to conduct mandatory data protection and security audits, something it has been campaigning for over a number of years. Again, the GDPR will change this;
- custodial sentences should be introduced for those convicted of unlawfully obtaining and selling personal data (i.e., the "blagging" offence under section 55 of the DPA). Again, the ICO has been campaigning for such custodial sentences for years; and
- it is at present too difficult for consumers to claim compensation if they suffer loss or harm as a result of a cyber-attack. This may change when the UK Supreme Court hands down its judgment in Google v Vidal-Hall, and in any event will change on 25 May 2018 as a result of the rules on judicial remedy, representation of data subjects, compensation and liability under the GDPR.
So no surprises up to this point. Nevertheless, the re-statement of these well-known facts in the Report reinforces the point that the trajectory of privacy, data protection and cyber-security law is inexorably towards not only more significant fines for compliance failures, but also towards more complaints, disputes and litigation.
The Report goes on to make certain recommendations that have the potential to drive change through the legal regime for cyber-security. For instance, the Report recommends that telecoms companies should make clear to their customers (including in the relevant contract terms) that financial loss suffered by a customer as a result of a data breach constitutes a ground for early termination of the contract by the customer. Crucially, the Report makes certain recommendations that have the potential to significantly change expectations around cyber-security, incident response and breach action in the months and years to come:
- Linking CEO compensation to effective cyber-security: controllers should ensure that responsibility and accountability for cyber-security sits with someone who is able to take full day-to-day responsibility, i.e., someone who is senior enough (such as a CISO or CIO), but not too senior (such as the CEO). However, to ensure that cyber-security receives sufficient attention before serious incidents occur, "a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board". It remains to be seen how business and their stakeholders will react to this recommendation;
- Annual reporting to the ICO (and the world): the Report suggests that any organisation that holds large amounts of personal data should report annually to the ICO on staff cyber-awareness; the last security audit; whether there is a tested incident management plan in place; the approach to enabling customers to check the authenticity of communications from the organisation and the number of enquiries from customers about this (see point 6 below); and the number of cyber-attacks the organisation is aware of and whether these resulted in actual breaches. Companies should also be encouraged to include this information in their own annual accounts "to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place". Put simply, given the importance of online and digital services to the UK economy, as well as the public interest in cyber-security, controllers need to (i) continually invest in cyber-defences to stay ahead of the game; (ii) demonstrate not only how much they are investing in cyber-security, but also that the funds are being invested effectively; and (iii) keep the regulator and their stakeholders apprised of their efforts;
- Publishing investigation reports: the Report calls for TalkTalk to publish "as much" of their investigation report as "commercially possible without delay, and set out how they will implement the necessary changes". In other words, the Committee believes that, over and above legal requirements and regulatory expectations concerning breach notification, and given the intense public interest in cyber-security breaches, there should be greater pressure on companies that suffer serious cyber/data security breaches to publish the conclusions of their investigation into the breach, subject to commercial confidence (and, we assume, legal privilege) considerations;
- Breach notification vs. protecting police investigations: the Report recognises that, despite existing and forthcoming (under the GDPR, as well as the Network and Information Security ("NIS") Directive) legal requirements and regulatory expectations concerning breach notification, it is important for controllers responding to a breach to strike a balance between breach notification and protecting information that is sensitive to police investigations. The ICO should provide further guidance, including best-practice examples, on this point;
- Security by design is a core principle: it is no longer a defence to say that a controller was not aware of the risks posed by SQL injection or other well-known forms of cyber-attack. The ICO should impose escalating fines based on the lack of attention to threats and vulnerabilities which have led to previous breaches, and security should be a major consideration in the design of new technology systems and apps. The Report therefore echoes the principles of Privacy by Design and Privacy by Default in the GDPR and recommends that "security by design should be a core principle of new system and apps development and a mandatory part of development training, with existing development staff trained as necessary"; and
- Raising consumer awareness: the Report states that "All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine". Furthermore, the ICO "should check that data controllers have put easy-to-use verification guidance and measures in place", and "there should also be scope to levy higher fines if the organization has not already provided guidance to all customers on how to verify communications". In other words, although the government has a role to play in raising awareness around scam calls and phishing emails, the onus also falls on data controllers, who should (i) put in place a mechanism to enable customers to verify that communications from the controller are genuine, and (ii) provide well-publicised guidance to existing and new customers on how the controller will contact them and how they can verify that communications are genuine.
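The "security by design" recommendation above singles out SQL injection as a risk no controller can now claim to be unaware of. The following is an added illustration, not code from the Report or from TalkTalk, showing the defect in its simplest form: a login lookup that splices user input into a SQL string beside the parameterised version that a development team trained in secure coding would write. It uses Python's standard sqlite3 module and a constructed in-memory user table (the usernames, passwords and e-mail addresses are invented for the demonstration).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users.

    Passwords are stored in plaintext purely to keep the injection example
    short; a real system would store salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct horse", "alice@example.com"),  # constructed
            ("bob", "hunter2", "bob@example.com"),            # constructed
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the query is assembled by string formatting.

    Anything the caller places in `username` becomes part of the SQL text,
    so a quote character followed by `--` (an SQL comment) discards the
    password check entirely.
    """
    query = (
        f"SELECT email FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: a parameterised query.

    The statement text is fixed and the values travel separately to the
    driver, so quotes or comment markers in the input are treated as data,
    never as SQL syntax. The same malicious input simply fails to match.
    """
    row = conn.execute(
        "SELECT email FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    attacker_username = "alice' --"   # closes the quote, comments out the rest
    print("vulnerable:", login_vulnerable(db, attacker_username, "wrong"))
    print("safe:      ", login_safe(db, attacker_username, "wrong"))
```

Run as a script, the vulnerable function returns alice's e-mail address without the correct password, while the parameterised version returns nothing for the same input; the only difference between the two functions is whether the input is concatenated into the statement or bound as a parameter.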
Each of these six recommendations introduces new concepts and elements around cyber-security. So what is the significance of these recommendations, and what is their likely impact on data controllers in practice?
The Report is neither law nor regulatory guidance. However, it is worth noting that the ICO comes under the Department for Culture, Media and Sport, which is the ICO's sponsoring department within Government. It is also telling that the ICO, in its evidence to the Committee in the context of the inquiry, appears to support most of the recommendations. Therefore, it is likely that in practice the ICO will at the very least treat the recommendations of the Report as best practice. This means that, if a controller suffers a cyber-attack, the implementation of these recommendations (coupled with compliance with the fundamental data security requirements of the DPA and PECR or, in the future, the GDPR and the NIS Directive), is likely to be treated by the ICO as a mitigating factor when considering any enforcement action.
What remains to be seen is whether the ICO will go above and beyond this, so as to essentially treat some or all of these recommendations as "technical and organizational measures" that data protection law requires data controllers to implement to ensure the security and confidentiality of personal data. In other words, will the ICO treat the non-implementation of one or more of these recommendations as a breach of data security rules? To establish this, we need to wait for the ICO's next guidance on cyber-security and, of course, any enforcement action issued against TalkTalk or another "hacked" data controller in the future.
In the meantime, controllers should keep calm and carry on with their cyber and data security readiness work. This entails assessing and, if required, improving the policies and processes, the people and the technologies they have in place to defend their systems and data from cyber and other data security threats. Equally, controllers need to assess their response procedures for incidents and breaches. The TalkTalk matter (as well as others before it) shows that a transparent, robust and rehearsed incident response plan, with clear reporting and accountability lines and established positions on breach notification (to help deal with the emerging breach notification nightmare), is the centrepiece of cyber and data security incident response readiness.