On 20 June 2016, the House of Commons' Culture, Media and
Sport Committee released its report
Cyber Security: Protection of Personal Data Online. The
report is based on the House of Commons' inquiry into last
October's cyber-security breach at telecommunications and
internet service provider TalkTalk, but is firmly aimed at a
broader audience, including pension scheme trustees, providers and

The report's recommendations have the potential to
significantly change expectations around cyber-security, incident
response and breach action in the months and years to come and
demonstrate that the legal and regulatory trajectory is inexorably
towards more complaints, disputes and significant fines for
compliance failures. The Information Commissioner's
Office, the UK data protection regulator, appears to support most
of the recommendations, so it is likely that it will treat them as
best practice. It is also possible that it will go further,
so as to essentially treat some or all of the recommendations as
technical and organisational measures that data protection law
requires data controllers, such as pension scheme trustees and
providers, to implement to ensure the security and confidentiality
of personal data.

The report provides a reminder to scheme trustees and providers
that they should be assessing and, if required, improving the
policies, processes, people and technologies they have in place
to defend their systems and data from cyber as well as other data
security threats. Equally, they need to assess their response
procedures to incidents and breaches. The TalkTalk matter (as well
as others before it) showcases how a transparent, robust and
rehearsed Incident Response Plan, with clear reporting and
accountability lines, together with established positions on breach
notification, is the centrepiece of cyber and data security
incident response readiness.

The report's key recommendations include:

- Raising awareness of how data controllers will contact customers and how they can verify communications are
- Security by design must be a core principle of new systems and apps and staff training.
- Organisations holding large amounts of personal data should report annually to the ICO on cyber security issues and be encouraged to include this information in their own annual accounts to help give confidence that they take security seriously and have effective processes in place.
- Publishing investigation reports into serious cyber/data security breaches, subject to commercial confidence
- Linking CEO compensation to effective cyber-security.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.