Published On: 1 September 2016
On 21 October 2015, TalkTalk was the victim of a cyber-attack. The day after discovery of the attack, TalkTalk went public, notifying customers and the press about the breach, and instantly became headline news. TalkTalk chose to notify the public before obtaining the forensic investigators' findings on the nature and extent of the compromise; its resulting inability to specify who or what had been affected caused much concern across TalkTalk's entire customer base and among the public at large. The ICO launched an investigation into the attack, and a parliamentary inquiry was set up on 3 November 2015, hearing oral evidence from TalkTalk's CEO, Dido Harding, and the (then) Information Commissioner, Christopher Graham.
On 17 June 2015, the Culture, Media and Sport Select Committee (the "Committee") issued its findings (the "report") on the incident. Whilst the TalkTalk breach was the trigger for the inquiry, the report recognises that cyber-crime is a significant, complex and growing problem, and that its reach is international and non-sector specific. Interestingly, the report notes that the ICO conducted an audit of TalkTalk in September 2014, which resulted in a number of suggestions being made, but did not give the ICO any reason to put the company on a "watch list" or issue enforcement action against the company. On that basis, it would appear that TalkTalk was not in a particularly bad state prior to the attack – and the lessons it has learned can assist all organisations to prepare for the eventuality of a breach.
The report makes a number of observations and recommendations on cyber security, which are set out below. The ICO has not yet finalised its own investigation into the breach, so watch this space.
As a telecommunications provider, TalkTalk had the obligation to notify the ICO of the breach within 24 hours of becoming aware of the facts, and to notify its customers without delay, if the breach is likely to adversely affect them.
In spite of the short timescales envisaged by the law, the report notes that the Board's decision to go public immediately was "unusual", given that they knew it would take at least several days, or weeks, to work out how many customers were affected. This seems to work on the assumption that a normal response would be to notify customers only once the extent and impact of the breach has been established. However, the report praises TalkTalk's "strong crisis management response", including the decision to appoint PWC to review TalkTalk's systems following the cyber-attack.
It is recognised that there is an inherent tension between the requirement to notify affected individuals of a cyber-attack and the duty to notify the police, who may wish to keep information confidential to allow them to pursue the attackers. The Committee recommends that the ICO and Cyber Essentials publish guidance on best practice for notifying authorities and affected individuals, aiming to strike the best balance between protecting sensitive information for police investigations and recognising the requirement to inform affected individuals of the breach.
The report goes on to note that there is not sufficient incentive for companies to notify the ICO of data breaches. The Committee consider that the ICO's current power to issue a £1,000 fine to telecoms or internet service providers that fail to notify a breach within the required 24 hours is not sufficiently harsh, and recommends that the ICO implements a new incentive structure. Surprisingly, the report fails to note that the existing ICO guidance on monetary penalties provides that failure to voluntarily notify the breach will result in higher penalties (and vice versa, as occurred in the Java Transport decision).
Board level responsibility
The inquiry also considered how the TalkTalk Board took responsibility for cyber security and data breaches. The Committee agreed with Dido Harding that ultimate responsibility for cyber security lies with the CEO, and that it is appropriate for the CEO to lead a crisis response in the event of a major attack. However, this alone is not enough. Day-to-day responsibility for cyber security within a company should be clearly allocated to a specific person, for example the Chief Information Officer, with Board oversight. The report also recommends that, to ensure the issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security.
Whilst recognising that TalkTalk had run various business continuity exercises, including cyber-breach simulations, the Committee were critical of the fact that TalkTalk had not exercised and planned how to handle a cyber-attack of the scale suffered. The report recommends that the individual responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises.
Increased fines for known vulnerabilities?
Whilst the Committee recognises that it has little concrete information on the technical vulnerabilities that led to the TalkTalk compromise (largely because the ICO has not yet issued its findings), reports have circulated that it was the product of a SQL injection attack. The Committee considered that, given the prevalence of such attacks, it is "no longer a defence, for a company using an e-commerce platform, to say that it was not aware of the risk of SQL injection attacks or similarly established and in some cases routine forms of cyber-penetration".
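To illustrate why the Committee treats SQL injection as a "routine" and well-understood risk, the following added example (not from the report, and unrelated to TalkTalk's actual systems) shows a customer lookup written two ways against a constructed in-memory SQLite table: one that splices user input into the query text, and the hardened form that binds the input as a parameter. The table contents and the hypothetical `lookup_*` helpers are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration only.
CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table of customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Defect: the caller-supplied value becomes part of the SQL text,
    # so it can change the structure of the query rather than just a value.
    sql = "SELECT name FROM customers WHERE email = '" + email + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: parameter binding keeps the value as data; the query
    # structure is fixed before the input is ever seen by the database.
    sql = "SELECT name FROM customers WHERE email = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email: str) -> dict:
    """Run both lookups on the same input and return what each disclosed."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, email),
            "safe": lookup_safe(conn, email),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup behaves identically in both versions.
    print(compare("alice@example.com"))
    # Malformed input that closes the quote exposes the difference:
    # the vulnerable query returns every customer, the safe one none.
    print(compare("x' OR '1'='1"))
```

The safe variant is the baseline that the Committee's remark implies every e-commerce operator is expected to have in place; a code review or static analysis rule that flags string concatenation into SQL text is the usual way to detect the vulnerable pattern before an attacker does.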
The Committee recommends that the ICO introduces a series of escalating fines, based on lack of attention to threats and vulnerabilities which have led to previous breaches, meaning that a data breach caused by a "routine" or repeated attack could trigger greater fines than where the attack is novel and unexpected.
Whilst this seems sensible, it is arguable that this already exists on an informal basis, as one of the factors that the ICO considers when imposing a monetary penalty is whether the organisation has done all it could to prevent an incident, and whether the incident is a one-off or part of a series of ongoing breaches. If a company fails to implement basic levels of security in the face of known threats, the ICO is likely to take a harsher stance than with a company that has done all it can to avoid a breach.
Compensation for data breaches
The ICO has made it clear that compensation for individuals is not within its remit. The only remedy is for affected individuals to bring legal proceedings against the company involved. The report notes that although the Committee heard from customers who had suffered scam phone calls as a result of the breach (and previous third-party breaches), it did not see any evidence of customers suffering direct financial loss as a result of the 2015 breach.
The issue of whether compensation for distress without evidence of financial loss is available under the Data Protection Act 1998 is currently under consideration by the Supreme Court, in the Google v Vidal Hall case.
The Committee's view is that it should be easier for consumers to claim compensation if they have been the victim of a data breach. It recommends that the Law Society provide guidance to lawyers on assisting individuals to seek compensation, and that the ICO assess whether adequate redress is being provided by the small claims process. If the process is made easier, and damages are available for pure distress, we may see an increase in the number of small claims made against a company that suffers a data breach.
A further issue that arose from the TalkTalk breach was the lack of clarity regarding the ability of customers to terminate their contracts as a result of the breach. The Committee recommends that companies clarify their consumer contracts to make clear whether financial loss as a result of a data breach is sufficient grounds to terminate a contract early.
Other conclusions and recommendations
The report makes various other conclusions and recommendations, including:
i. Staff cyber-awareness training;
ii. When their security processes were last audited, by whom and to what standard(s);
iii. Whether they have an incident management plan in place and when it was last tested;
iv. What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
v. The number of enquiries they process from customers to verify authenticity of communications;
vi. The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
A copy of the report is available here.