June 27, 2016

The Culture, Media and Sport Committee has published a report on its recent inquiry into cyber security recommending a new custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data.  It has also said that the Information Commissioner’s Office should have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.

The Committee warns that the problem of cyber crime is “significant, growing, and affects all sectors”.  Ninety per cent of large organisations have reportedly experienced a security breach and 25% of companies experience a cyber breach at least once a month.

The public sector fares no better, the report says: the latest research from the ICO shows that the health sector has the most data breaches, followed by local government.  Further, not all threats to cyber security or data protection are from external actors: over 40% are caused by employees, contractors and third party suppliers, and half of these are accidental.

The Committee looked at strengthening consumer rights and awareness of scams and suggested a series of new requirements for company directors and chief executives to assist this, including:

• companies should report their cyber security and data protection strategies to the ICO;
• companies should include cyber security and data protection strategies in their annual reports;
• CEOs should lead a crisis response if a major attack occurs, but cyber security should be the responsibility of a specific individual who can be held accountable if the company has not taken sufficient steps to protect itself from a cyber-attack; and
• a portion of CEO remuneration should be linked to effective cyber security.

The Committee also made the following recommendations:

• companies should make it much easier to verify if communications, whether online or by telephone, are genuine. The ICO’s system of sanctions should include fines for companies that fail to do this;
• it should be easier for victims of a data breach to claim compensation;
• it is not enough for companies to say they were not aware. Breaches are common, and all companies need to plan and test for that eventuality;
• companies need to demonstrate they have identified and addressed the weaknesses that have led to any data breaches;
• the vulnerability of the new data pools that will be created by the Investigatory Powers Bill needs to be “urgently addressed by Government”;
• good cyber practice will need to evolve and develop: this is essential to maintain consumer confidence and Britain’s place as the top internet economy in the G20; and
• the Government should run a public awareness campaign on online and telephone scams on the same level as its campaign to promote smoke alarm testing.

To access the report, click here.