The ICO recently issued its largest ever fine to TalkTalk for failing to protect customer data from a cyber-attack. Alastair Barter, senior policy officer (business and industry) at the ICO, explains why.
The £400,000 fine was issued because TalkTalk failed to take basic steps necessary to keep customer data safe.
The fine was significant and reflected the severity of the breach, but we’ll have greater fining powers from 2018 when new data protection rules come into force as part of GDPR.
TalkTalk’s fine and the impending new rules should make organisations sit up, take note and take action.
Cyber security is not an IT issue. It is a boardroom issue. And its place at the heart of an organisation is being recognised.
The government has stressed the importance of cyber security in a thriving digital economy by announcing a £1.9bn investment in the National Cyber Security Strategy over the next five years.
A new National Cyber Security Centre has also been opened to keep the UK’s cyberspace safe.
Not only will better cyber security protect the wider economic interest, it will also help to protect the privacy rights of individuals who should be able to trust organisations with their data.
In the digital economy, organisations that build a trustworthy reputation through good data handling can gain an advantage.
The information commissioner, Elizabeth Denham, recently announced her aim to build a culture of data confidence in the UK.
An ICO survey found that 75 percent of individuals do not trust organisations with their personal data. Being one of the organisations that consumers do trust has obvious benefits.
Privacy and innovation
An organisation’s ability to keep data secure is a key area of consumer concern. With data becoming an ever more valuable asset, it pays to protect it appropriately.
But increasing privacy measures and information security does not have to lock down data and stifle innovation.
By taking a privacy by design approach and building in appropriate measures from the outset, privacy and innovation can work in tandem, giving consumers the products and services they want as well as confidence in the brands that provide them. It’s not privacy or innovation, it’s privacy and innovation.
As the TalkTalk case shows, cyber attacks tend to make the headlines and that means bad publicity for the affected organisation.
Naturally, some sophisticated attacks by determined hackers are increasingly difficult to defend against, and they leave organisations as victims alongside the individuals whose personal data may have been compromised.
The ICO recognises this, but many of our investigations into data breaches – including TalkTalk – show that often it’s an absence of simple measures that leads to breaches.
To be compliant with the DPA, organisations must ensure that appropriate measures are in place to protect the data they hold. Basic failings, such as inadequate penetration testing, poor password controls and inadequate encryption, are commonplace and have resulted in regulatory action.
Our role is to ensure organisations protect personal data. We have the option of enforcement, but our aim is to help organisations comply and we do that through education and advice.
Lots of guidance is available on the ICO website, ico.org.uk. For the fundamentals see our Practical Guide to IT Security which is ideal for small businesses. We’ve also got guides about technical solutions and information gleaned from others’ failings: Protecting personal data in online services: learning from the mistakes of others.
There is also a range of government guidance available and schemes such as Cyber Essentials can set organisations on the right path to achieving levels of information security that suit their requirements.
Information security has always been an important area of compliance, but GDPR will raise the stakes.
Organisations should be reassessing their information security measures now.
Not only will this help to prepare for GDPR but it will help organisations comply with current requirements.
Importantly, it will also help to build a culture of confidence - that’s always good for business.