I don’t wanna TalkTalk about it?
January 2017 | EXPERT BRIEFING | RISK MANAGEMENT
In October 2016, telecoms provider TalkTalk was hit with a record £400,000 fine (and a smaller £1000 fine for another, earlier data breach) by the Information Commissioner’s Office (ICO) for security failings that resulted in its failure to prevent the cyber attack in which customer data was accessed ‘with ease’.
Then in November, a 17-year-old youth responsible for the hacking pleaded guilty to the attack. At the time of writing he has yet to be sentenced. Investigation has revealed that basic security steps had not been taken to protect customer data, and this was not helped by the CEO’s public statements, some made on television, which claimed that they had encrypted everything they were legally required to.
The information commissioner, Elizabeth Denham, however, felt differently. “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action”.
That statement should cast a shadow across every boardroom table, as business as usual is going to evolve when it comes to security. Obligations and accountability are concepts boardrooms will need to get comfortable with quickly.
In the realm of security and data breaches, change has been happening all over the world. Lawmakers, business and security professionals are all trying to get ahead of the threat evolution and look at ways of legislating better security for the greater protection of everyone. In Australia, the move toward mandatory breach notification has been going through its parliamentary system for some time and, when completed, will require any business or organisation to inform data subjects if their personal data has been compromised.
Up to now, reporting of a breach to the privacy commissioner has been on a voluntary basis. In the US, legislation is being introduced that requires businesses to reveal if they have a cyber security expert serving on their board. This has sparked speculation that it may become a requirement, as class action suits coming from serious data breaches escalate in number and frequency, and consumers and the public at large demand greater accountability and transparency from business leaders.
In the UK, the General Data Protection Regulation (GDPR) will be adopted in 2018, and organisations and businesses found guilty of a serious breach face fines of up to 4 percent of global turnover. Not only that, Elizabeth Denham recommended, to a Parliamentary meeting called to discuss the Digital Economy Bill, imposing personal liability and accountability for company directors of businesses breaching data protection laws. This is a significant and important recommendation. Indeed, it is a stark warning for all businesses, particularly ones that think they have taken all steps ‘legally required of them’ to secure personal information, without actually knowing what this really means.
Research shows that boardrooms are aware that cyber security needs to be a priority. However, IT security professionals and directors alike acknowledge that the reports and conversations they are currently having are failing to reduce risk in any significant numbers. Security teams also do not feel their boards understand what they are being given.
This needs to be addressed as a matter of urgency if we are to avoid further large-scale, damaging breaches such as the TalkTalk one. If we look to the US and see what has happened there after large breaches, some CEOs have stepped down and class action suits have been filed against companies for many millions of dollars. While it is true that the UK has a less litigious culture, it may not stay that way. Even so, the warning from the ICO is clear enough; heads will roll if you do not take cyber attacks seriously and take some ownership.
Given the very firm stance of the new information commissioner and the coming legislative changes, there are many things that need to be considered and a change of approach may be required. If we are indeed to see personal accountability for directors, how well prepared are they?
Given the responses the CEO of TalkTalk, Dido Harding, gave to the press interest in how the major breach unfolded (as we have said, there was more than one), we would have to conclude that preparedness for accountability is in its infancy. If we look at the public sector, which in terms of data protection legislation adherence is actually ahead of the private sector, we can see that police forces have an individual accountable for data protection: the senior information risk owner, frequently referred to as the SIRO.
Local authorities and councils also use this model of information risk accountability and data protection. It is possible that this, combined with the US style of revealing who your cyber security expert board member is, may make for a much more robust attitude toward cyber security in general and data protection specifically, going forward.
Whether directors and businesses are ready remains to be seen. We can only hope that, given the interconnected and convoluted nature of business these days, not only our own directors but also those of our supply chain partners take this new paradigm on board quickly.
Mike Gillespie is the managing director of Advent IM Ltd. He can be contacted on +44 (0)121 559 6699 or by email: firstname.lastname@example.org.
© Financier Worldwide