The Culture Media and Sport Committee have published their latest report Cyber Security: Protection of Personal Data Online.
The report comes off the back of their inquiry into the TalkTalk hacking breach of 2015 but goes much further than solely looking at that one incident.
The report’s findings make for fascinating reading and we welcome many of the Committee’s recommendations. In particular, we welcome their support for the introduction of custodial sentences for the most serious data breaches, something we have long called for.
As you read through the report you learn that 90% of large organisations have experienced a security breach. 43% of those breaches were caused by employees, contractors and third party suppliers working directly for the company, and half of those were deliberate rather than accidental.
These figures show that, whether we like it or not, there is a real problem with data being misused, abused, hacked, stolen and sold on intentionally by workers and employees. Data breaches are not just the work of invisible hackers hiding on the dark web as we are so often led to believe. With this evidence to hand, the support from the committee for a tougher approach to punishing these breaches is welcome.
We hope that the Government pays attention to this report, and to the calls by the ICO and by us, and brings into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008 sooner rather than later. This would allow custodial sentences of up to 2 years for people found to have unlawfully obtained or sold on personal data. This move, alongside the possibility of eye-watering fines under the General Data Protection Regulation, which comes into force in 2018, will go some way towards establishing a serious and sensible stance from Government on data protection by business.
It is worth noting that the report highlights that Government is currently some way off taking cyber security, data breaches and threats to data seriously. The Government’s often lauded Cyber Essentials Scheme, established in 2014 to help businesses build strong cyber security, comes in for a great deal of criticism in evidence to the Committee. The British Business Federation Authority said it “provides a false sense of security”, whilst the Committee themselves describe it as a “good checklist”, hardly robust support. The revelation that the advice the scheme offers hasn’t been updated since it was established two years ago is worrying to say the least.
Further concerns about the protection of data in a society which, as the report notes, is becoming “digital by default” are stressed at the end of the report by the Information Commissioner. His evidence to the Committee emphasised strong concern about the Investigatory Powers Bill, describing it as “a haystack of potential problems” given the huge pools of personal data that it would create. We wholeheartedly share this concern, particularly in relation to the creation of Internet Connection Records, which will be held by companies such as TalkTalk but also in a Government created and monitored Request Filter, of which there is still very little actual detail.
With the Committee emphasising “security by design” as a “core principle”, we hope that all parts of Government acknowledge that national security is critical but that it needs to be balanced against equally critical protections for cyber security. We cannot hide from cyber threats. The vulnerability of our data will be a battleground on which all of us will have to fight to protect ourselves. The USA is leaps and bounds ahead of us in realising this. Indeed, Michael Hayden, former Director of the NSA and Director of the CIA, recently noted that the CIA considers cyberattacks the number one threat to US security, and went on to say in an interview that “this may be a case where we’ve got to give up some things in law enforcement and even counter terrorism in order to preserve this aspect, our cyber security”. We must therefore be careful that we don’t find ourselves passing laws which create weaknesses in systems, whether by undermining encryption, by requiring companies to build new systems, or by establishing new centralised pools of data; such measures may inadvertently create more problems than they solve.
The publication of this report is timely. The work of the Committee, their recommendations and the evidence they received point to vast looming concerns which will require serious consideration. Let’s hope that departments outside Culture, Media and Sport take note.
You can read the report here http://www.publications.parliament.uk/pa/cm201617/cmselect/cmcumeds/148/148.pdf