On 20 June 2016, the House of Commons' Culture, Media and Sport Committee released its report Cyber Security: Protection of Personal Data Online. The report is based on the House of Commons' inquiry into last October's cyber-security breach at telecommunications and internet service provider TalkTalk, but is firmly aimed at a broader audience, including pension scheme trustees, providers and administrators.
The report's recommendations have the potential to significantly change expectations around cyber-security, incident response and breach action in the months and years to come and demonstrate that the legal and regulatory trajectory is inexorably towards more complaints, disputes and significant fines for compliance failures. The Information Commissioner's Office, the UK data protection regulator, appears to support most of the recommendations, so it is likely that it will treat them as best practice. It is also possible that it will go further, so as to essentially treat some or all of the recommendations as technical and organisational measures that data protection law requires data controllers, such as pension scheme trustees and providers, to implement to ensure the security and confidentiality of personal data.
The report provides a reminder to scheme trustees and providers that they should be assessing and, if required, improving their policies, processes, people and the technologies they have in place to defend their systems and data from cyber as well as other data security threats. Equally, they need to assess their response procedures for incidents and breaches. The TalkTalk matter (as well as others before it) showcases how a transparent, robust and rehearsed Incident Response Plan, with clear reporting and accountability lines, together with established positions on breach notification, is the centrepiece of cyber and data security incident response readiness.
The report's key recommendations include:
- Raising awareness of how data controllers will contact customers and how they can verify communications are genuine.
- Security by design must be a core principle of new systems and apps, and of staff training.
- Organisations holding large amounts of personal data should report annually to the ICO on cyber security issues and be encouraged to include this information in their own annual accounts to help give confidence that they take security seriously and have effective processes in place.
- Publishing investigation reports into serious cyber/data security breaches, subject to commercial confidence considerations.
- Linking CEO compensation to effective cyber-security.