The Department of Culture, Media and Sport Committee at the
House of Commons has published its First Report of Session for
2016-17 (the "Report"). The Committee
was adjourned until 28 June, so the Second Report of Session should
be published shortly after it has reconvened.
For those not familiar with the Committee and its enquiry, the
current work was triggered by the TalkTalk attack in October 2015.
Investigating that attack and its aftermath falls within the remit
of the Committee, but it is also undertaking a wider review of
cyber-crime and the approach taken by the Government, the
Information Commissioner's Office and industry and business to
information security. The Report contains a number of proposals and
suggestions, some of which are not new or surprising, but others
are more controversial and would potentially be difficult to
implement. This article highlights a few of the more significant
As a preliminary point to note, the outcome of the EU referendum
means that there is necessarily some crystal-ball gazing to be done
as to where UK data protection law will go now that, assuming the
Article 50 Notice is served as expected, the GDPR may not be implemented in the UK. For a
more detailed consideration of this, please see the
article by Vin Bange, our UK head of data protection.
The first point to note is that the Report recommends the
implementation of sections 77 and 78 of the Criminal Justice and
Immigration Act 2008. This would allow a custodial sentence of up
to 2 years for those convicted of unlawfully obtaining and selling
personal data. The ICO has been lobbying
the government for custodial sentences in relation to data offences
for some time, and this is a welcome development. However, given
current political uncertainty, it remains to be seen when, or if,
this suggestion makes its way to greater prominence before
The Report also makes interesting comments about who within
businesses should be responsible for cyber security and who should
deal with a major attack. The Committee notes that it is
appropriate for the CEO to lead a crisis
response should a major attack arise. However, overall
responsibility for cyber security should sit with someone able to
take full day to day responsibility, with board oversight,
"who can be fully sanctioned if the company has not taken
sufficient steps to protect itself from a cyber attack." At
the same time, the Report recommends that a portion of the CEO's compensation should be linked to
effective cyber security.
It is not clear what "fully sanctioned" is intended to
mean. The Report is, however, clear that appropriate levers should
be in place to ensure that both the CEO
and whoever is tasked with day to day responsibility for cyber
security can be held responsible if the company has not taken
sufficient steps to protect itself. The immediate difficulty with
this proposal is defining what "sufficient steps" are:
both the threats to companies and the information and cyber
security industry change at a significant pace, and there is
often conflicting guidance as to what steps should be
taken to secure information. If the proposals in the Report are
taken forward, there will need to be a careful review by companies
of information flow in relation to information and cyber security,
and training given to (already very busy) CEOs so that they understand what questions to
ask of the business, and also the answers that they get. While the
Report's aim is that CEOs should
ultimately be held accountable when a cyber attack succeeds, it
isn't clear to us that the approach proposed in the Report is
the right one.
The Report also proposes that the ICO
should impose a sliding scale of fines based on the lack of
attention to threats and vulnerabilities which have led to previous
breaches. One can see the scope for argument about whether a
vulnerability is well known, and what precisely led to a breach. As
a principle to encourage improvements to security, this is to be
welcomed, although it seems that this is an explicit statement of
what has been happening to some extent in any event.
Finally, the Report expresses clear support for breach response
planning, stating that "the person responsible for
cyber-security should be fully supported in organising realistic
incident management plans and exercises, including planned
communications with customers and those who might be
affected..." As with any crisis management situation, planning
is critical. In our experience, organisations that have effective
breach response plans and test them regularly are in a much better
position to deal cost-effectively with a breach than those who
don't. In the current world, every company will have a breach
(and probably many more than one) at some point during its life;
what will differentiate companies is how they deal with them.