Ernest Aduwa, Solicitor at Stokoe Partnership Solicitors, examines the MPs’ report following last year’s TalkTalk hack for The Times.

This article has been published in The Times, July 7th 2016.

Why MPs’ cybersecurity measures do not go far enough

The fact that it took a breach of the scale of the TalkTalk hack for this inquiry is a scathing indictment of ignorance on all sides.

Cybersecurity is becoming an increasingly prominent concern — with businesses ranging from social media heavyweights to online retailers suffering from customer data breaches in the past 12 months.

One of the most notorious was the hacking of the telecommunications company TalkTalk, in which the details of more than 150,000 customers were accessed by a third party.

Recently the Culture, Media and Sport Committee reported on the findings of its inquiry into cybersecurity, set up in the wake of the attack on TalkTalk’s website. They called on companies to have “robust strategies and processes in place” as well as “adequate resources” to ensure that they “stay ahead in a sophisticated and rapidly evolving environment”.

Jesse Norman, the chairman of the committee, said: “We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach.” In truth, the committee’s recommendations are simply baby steps in the right direction. It is clear that consumers ought to be more easily compensated for a fundamental breach of their privacy.

These recommendations have also been heralded by some as a “giant wake-up call for the industry”. In my view, it is clear that companies ought to be doing more to protect their consumers, not to mention their business. The InfoSec community has long been aware of this; and the fact that it took a breach of such a scale for both the government and corporations to take note is a scathing indictment of the ignorance of both sides.

The commission also failed in another key area, as the idea of serving fines to companies who delay in reporting breaches into their system is farcical. It fails to take into account the circumstances surrounding such breaches, as many factors, including detailed police investigations, provide very good reasons for such a delay.

It is worth noting, however, a key intervention the report makes on the Investigatory Powers Bill. The bill would create “a haystack of potential problems”, notably the creation of huge pools of personal data that would be incredibly vulnerable to data breaches, it says. The report, correctly, notes that this must be “addressed urgently by the government”.

Recommendations of criminal sanctions on those selling personal data are a good step towards combating the black market for personal data. On the corporate side, however, to begin to truly tackle some of the problems, an independent commission should be established to receive reports of vulnerabilities in companies’ cybersecurity.