MPs have recommended the Information Commissioner’s Office (ICO) should be given more powers and resources to investigate data breaches, and have suggested part of a CEO’s salary should be dependent on them ensuring customers are protected from cyber threats.
A Department for the Culture, Media and Sport (DCMS) committee inquiry into cybersecurity was launched in the wake of a major assault on TalkTalk last year. The details of more than 100,000 customers were stolen and the company sustained losses of £60 million.
The committee praised CEO Dido Harding’s decision to publicise the attack at an early stage and the company’s overall crisis management skills, but said there should be a wider range of punishments and deterrents.
Custodial sentences for serious data protection infractions should also be considered, the report says, as should incremental fines for delayed notifications. The ICO can only fine a company a fixed penalty for failing to report a data breach. MPs said that if this increased each day, companies would be more incentivised to come clean.
But it is the suggestion that CEO salaries should be docked that is most controversial.
“It is appropriate for the CEO to lead a crisis response, should a major attack arise,” said MPs. “But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack.
“To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.”
TalkTalk suffered a customer exodus following the attack, while those that remained received free upgrades.
MPs recommended it be made easier for those affected by breaches to claim compensation, and suggested a ‘privacy seal of approval’ and ‘traffic light’ ratings would give consumers insight into how companies perform with regards to privacy and encourage companies to improve.
“Although the Information Commissioner did not complain about lack of capacity, it seems evident that 30 enforcement staff are not enough to handle 1,000 cases and almost 200,000 public concerns a year, even if the vast majority of cases are found not to warrant detailed investigation,” it said. “We suggest that the new Information Commissioner make an assessment of resources and priorities as soon as possible.”
Finally, the report said the government had a role to play in minimising the threat. It recommended the Cyber Essentials security programme be updated regularly to take into account more recent trends and there should be a recognition that larger organisations have different requirements than smaller businesses.
MPs added that companies should report annually to the ICO about staff training, audits, incident management plan details and the number of attacks attempted against them each year. The report also called for the ICO to have ‘non-consensual’ powers to investigate public sector bodies.
“Following last year’s cyber attack, TalkTalk has instigated an extensive, company-wide review of security and put into action many of the learnings from our own experience,” a TalkTalk spokesperson told TechWeekEurope. “We have also been widely and actively sharing these across government and industry.
“We support many of the Committee’s recommendations, for example around increased powers for the ICO. However, TalkTalk would go further than the Committee on the issue of cyber reporting. As the Committee notes, TalkTalk chose to communicate what had happened to our customers so that they could better protect themselves. We believe all companies should have an obligation to do so in the event of a serious breach.
“We also support the Committee’s call for a government awareness campaign on scams – TalkTalk has recently launched our own nationwide awareness programme (Beat the Scammers), but there is much more which could be done to help protect consumers.”