Select committee says ICO should have more resources to cope with breaches and greater flexibility with punishments
MPs have recommended that the Information Commissioner’s Office (ICO) should be given more powers and resources to investigate data breaches, and have suggested that part of a CEO’s salary should depend on their ensuring customers are protected from cyber threats.
A Department for the Culture, Media and Sport (DCMS) committee inquiry into cybersecurity was launched in the wake of a major assault on TalkTalk last year. The details of more than 100,000 customers were stolen and the company sustained losses of £60 million.
The committee praised CEO Dido Harding’s decision to publicise the attack at an early stage and the company’s overall crisis management skills, but said it was clear that there should be a wider range of punishments and deterrents.
At present, the maximum fine that can be levied by the ICO is £500,000. The adoption of the EU GDPR will increase this to four percent of a firm’s global revenue or €20 million, but MPs said the ICO should issue ‘escalating’ fines to offenders who fail to heed the lessons of breaches suffered by others.
Custodial sentences for serious data protection infractions should also be considered, the report says, as should incremental fines for delayed notifications. The ICO can only fine a company a fixed penalty for failing to report a data breach. MPs said that if this increased each day, companies would be more incentivised to come clean.
But it is the suggestion that CEO salaries should be docked that is most controversial.
“It is appropriate for the CEO to lead a crisis response, should a major attack arise,” said MPs. “But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack.
“To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.”
TalkTalk suffered a customer exodus following the attack, while those that remained received free upgrades.
MPs recommended it is made easier for those affected by breaches to claim compensation and suggested a ‘privacy seal of approval’ and ‘traffic light’ ratings would give consumers insight into how companies perform with regards to privacy and encourage companies to improve.
The report called for TalkTalk to publish a PricewaterhouseCoopers (PwC) investigation into the incident as soon as possible and lamented the fact that the ICO had still not been able to complete its own inquiry. The committee said more resources should be made available to the commission.
“Although the Information Commissioner did not complain about lack of capacity, it seems evident that 30 enforcement staff are not enough to handle 1,000 cases and almost 200,000 public concerns a year, even if the vast majority of cases are found not to warrant detailed investigation,” it said. “We suggest that the new Information Commissioner make an assessment of resources and priorities as soon as possible.”
Finally, the report said the government had a role to play in minimising the threat. It recommended the Cyber Essentials security programme be updated regularly to take into account more recent trends and there should be a recognition that larger organisations have different requirements than smaller businesses.
MPs added that companies should report annually to the ICO about staff training, audits, incident management plan details and the number of attacks attempted against them each year. The report also called for the ICO to have ‘non-consensual’ powers to investigate public sector bodies.
“Following last year’s cyber attack, TalkTalk has instigated an extensive, company-wide review of security and put into action many of the learnings from our own experience,” a TalkTalk spokesperson told TechWeekEurope. “We have also been widely and actively sharing these across government and industry.
“We support many of the Committee’s recommendations, for example around increased powers for the ICO. However, TalkTalk would go further than the Committee on the issue of cyber reporting. As the Committee notes, TalkTalk chose to communicate what had happened to our customers so that they could better protect themselves. We believe all companies should have an obligation to do so in the event of a serious breach.
“We also support the Committee’s call for a government awareness campaign on scams – TalkTalk has recently launched our own nationwide awareness programme (Beat the Scammers), but there is much more which could be done to help protect consumers.”