Solicitor Ernest Aduwa’s article, published in The Times, examines why recent MP proposals to tackle cyber crime do not go far enough.
Ernest’s article was published in The Times on 7 July 2016.
Cybersecurity has become an increasingly prominent issue for every company, with firms ranging from social media heavyweights to B2C organisations suffering from customer data breaches in the past 12 months.
One of the most notorious, however, was the hack of TalkTalk, which saw the details of over 150,000 customers accessed by a third party. On Monday 20th June, a committee of MPs formed in the wake of this breach released their recommendations, stating that “companies must have robust strategies and processes in place” as well as “adequate resources” to ensure they “stay ahead in a sophisticated and rapidly evolving environment”.
Jesse Norman MP, Chair of the Committee, also stated that “we believe it should be easier for consumers to claim compensation if they have been the victim of a data breach.” These recommendations are simply baby steps in the right direction. It is clear that consumers ought to be more easily compensated for a fundamental breach of their privacy.
These recommendations have been heralded by some as a “giant wake up call for the industry”. In my view, it is clear that they ought to be doing more to protect their consumers, not to mention their business. The InfoSec community has long been aware of this and the fact that it took a breach of such a scale for both the government and corporations to take note is a scathing indictment of the ignorance of both sides.
The commission also failed in another key area, as the idea of fining companies that delay reporting breaches of their systems is farcical. It fails to take into account the circumstances surrounding such breaches, as many factors, including detailed police investigations, provide very good reasons for such a delay.
It is worth noting, however, a key intervention the report makes regarding the Investigatory Powers Bill. The Bill would create “a haystack of potential problems”, notably the creation of huge pools of personal data that would be incredibly vulnerable to data breaches. The report, correctly, notes that this must be “addressed urgently by the Government”.
Recommending criminal sanctions for those selling personal data is a good step towards combating the black market for personal data. On the corporate side, however, to begin to truly tackle some of the problems, an independent commission should be established to receive reports of vulnerabilities in companies’ cybersecurity.