A custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data has been recommended in a report by the Government’s Culture, Media and Sport Committee.
The report, triggered by a series of data breaches at TalkTalk, also said the Information Commissioner’s Office (ICO) should have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.
The committee has warned that the problem of data security is significant, growing, and affects all sectors with an online platform or service. It said that 90% of large organisations have reportedly experienced a security breach, and 25% of companies experience a cyber-breach at least once a month.
Public sector woes
The public sector fares no better: the latest research from the ICO shows that the health sector has the most data breaches, followed by local government. Furthermore, not all threats to cyber security or data protection come from external actors: over 40% are caused by employees, contractors and third-party suppliers, and half of these are accidental.
Going forward, the committee is focused on strengthening consumer rights and awareness of scams and has recommended the following:
- Companies must make it much easier to verify if communications, whether online or by telephone, are genuine. The ICO’s system of sanctions should include fines for companies that fail to do this
- It should be easier for victims of a data breach to claim compensation
- It is not enough for companies to say they weren’t aware. Breaches are common, and all companies need to plan and test for that eventuality
- Further, they need to demonstrate they have identified and addressed the weaknesses that have led to any data breaches
- The vulnerability of the massive new data pools that will be created by the Investigatory Powers Bill needs to be urgently addressed by government
- Good cyber practice will need to evolve and develop: this is essential to maintain consumer confidence and Britain’s place as the top internet economy in the G20
- There needs to be a step change in consumer awareness of online and telephone scams, and the Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing.
Jesse Norman MP, chair of the committee, said: “Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.
As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.”
The full report can be found here.