The 17-year-old boy whose cyber attack has reportedly cost TalkTalk £42 million pleaded guilty today to offences under the Computer Misuse Act. TalkTalk itself was fined a record £400,000 for its data security failings, but under the new legislation coming into force in May 2018 the fine could have been in the region of £70 million. If that isn't an incentive to make sure your approach to data security is up to scratch, I don't know what is.
The General Data Protection Regulation will replace the Data Protection Act in 2018 and will set the standard for data protection law even after we leave the EU. The GDPR is tough: it gives data regulators new powers, imposes much stricter operating boundaries on businesses that process personal data, and raises the maximum fine for non-compliance from £500,000 to the greater of 4% of global annual turnover or €20 million.
The Information Commissioner commented that the “underlying reality on which the policy is based has not changed” so we can expect to see any new legislation brought in by the UK Government to be equally as stringent.
Now is the time for businesses to make sure that they understand the changes that the GDPR will make and where/how they need to improve compliance.
Around 157,000 people’s personal data was stolen in the hack, including details such as bank account numbers and addresses, while the company was later forced to admit it had not encrypted some customers’ personal details. An investigation by the Information Commissioner’s Office found that TalkTalk’s “failure to implement the most basic cyber security measures allowed hackers to penetrate [the company’s] systems with ease”. It added that in 15,656 cases, people’s bank account details and sort codes had been accessed.