Possible Implications of The TalkTalk Breach For Organisations
Parliament has recently published a 29-page report outlining the enquiry by, and the conclusions of, the Culture, Media and Sport Committee relating to cyber security issues in the wake of the TalkTalk cyber-attack in October 2015. Although the ICO has yet to produce a final verdict on the breach, the conclusions in this report make interesting reading.
If many of the suggestions by the committee are put into action, they will have implications for all companies and organisations in the UK. Some of the points of interest include:
- The ICO could introduce a series of escalating fines for companies and organisations, based on the lack of attention to cyber threats and vulnerabilities which have led to previous breaches. There could also be escalating fines for delays in organisations reporting a breach.
- It may be made easier for consumers to claim compensation if they have been the victim of a data breach.
- When selecting third-party suppliers, compliance with data protection rules and Cyber Essentials could become key criteria.
- Companies and other organisations holding large amounts of personal data may need to demonstrate how much they are spending to improve their security and how effectively they are spending that money by sending reports to the ICO, including accounts information.
- The ICO could have additional powers of non-consensual audit, e.g. for health, local government and potentially other sectors.
Other suggestions from the committee’s MPs include:
- Generally increased powers for the ICO where data security breaches are concerned.
- Organisations may have to set up their own ‘kitty’ style fund so that they are able to fund compensation payouts for breaches.
- Agencies such as the Citizens Advice Bureau, ICO and police victim support units could provide advice to consumers who are seeking compensation through the small claims process.
- Company CEOs may be forced to take proactive and preventative cyber security more seriously by having a portion of their compensation (bonuses and salary incentives) held back if they fail to act before a cyber security crisis occurs.
The full report can be found here: http://www.publications.parliament.uk/pa/cm201617/cmselect/cmcumeds/148/148.pdf