The £400,000 fine issued last week to UK triple-play provider TalkTalk for security failings that led to a large-scale data breach should be seen as a warning to companies about the need to protect personal data. Customer details including names, addresses, dates of birth, phone numbers and email addresses were taken for over 155,000 customers. In over 15,000 cases the attacker also had access to bank account numbers and sort codes.
The fine was issued by the Information Commissioner’s Office (ICO), which upholds information rights in the public interest, for failures of compliance under the Data Protection Act. Elizabeth Denham, Information Commissioner, made it clear that companies must take responsibility for security failings. “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
She added: “The record fine [issued by the ICO] acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Joe Hancock, Cyber Security Lead at the London and New York based law firm Mishcon de Reya, warns that under new European legislation the fine could have been 175 times bigger. “The fine against TalkTalk is the biggest to date as a result of the company not implementing basic levels of protection. It is clear that security has not always been prioritised in the way it is now.
“However £400,000 is still a relatively small fine compared to the potential fines that will be levied under the General Data Protection Regulation (GDPR) [forthcoming European legislation] – the greater of up to 4% of global turnover or EUR 20 million. For TalkTalk this could have been over £70 million.”
Mishcon de Reya expects to see further examples made of companies who fail to take cyber security as seriously as they would other risks. It advises that implementing basic cyber security protections will go a long way to protecting customer data and company reputations.
“The question now remains whether the responsibility for the fine is with TalkTalk itself, or should be shared between their service providers and suppliers. These issues are likely to become more pressing as the size of fines increases under GDPR.”
You can read more about the potential impact of GDPR, including insights from John Enser, a partner in the commercial practice at another international law firm, Olswang, in this Videonet report about video data analytics security.
The ICO outlined the TalkTalk security failings. You can read those in more detail here. In response to the fine, TalkTalk highlighted the industry-wide nature of the hacking problem (and gave a list of other companies fined by the ICO) and lauded its own honesty once the breach became obvious. It added: “There is no evidence to suggest any customers have been impacted financially as a direct result of the attack, but we have launched a nationwide educational campaign, called Beat the Scammers, to help customers (and the wider public) keep themselves safe from fraudsters.”
The company outlines, here, the actions it took once it realised there had been a data breach. In a statement the company says: “TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.”
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”