After telecom and internet service provider TalkTalk suffered its third cyber-attack this year, the Government has launched an inquiry into cyber security. The most recent hack, on 21 October, involved customer details being stolen through its website. TalkTalk has confirmed that up to 1.2 million email addresses, names and phone numbers, around 28,000 card details, 21,000 bank account details and 15,000 dates of birth were accessed.
The company has repeatedly stressed that it is the victim of a crime rather than guilty of negligence. However, it has faced repeated calls for compensation and to allow customers to end their contracts early. In a recent interview, TalkTalk’s Chief Executive revealed, “the estimated one-off costs are between £30m and £35m, that’s covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that our online sales sites have been down, so there will be lost revenue as a result”.
With the development of new technology, the ethical implications of data use are more of a concern than ever before. A recent survey by the European Commission found that two-thirds of Europeans are worried about not having complete control over the information they publish online.
The European Data Protection Supervisor (EDPS), an independent supervisory authority that monitors the processing of personal data by EU institutions, recently set out plans to create a data protection Ethics Board to help better assess how personal information is defined and used in a technological context, aiming to secure the benefits of technology without compromising the rights and freedoms of individuals.
The EDPS has urged the EU to put in place simpler rules for handling personal information. New EU data protection laws currently under negotiation are likely to introduce an obligation on all businesses to report personal data breaches to regulators and affected individuals. At present only certain sectors, such as telecoms, are required to report data breaches. Under the new rules, organisations would have to notify the authorities of breaches that are “likely to result in a high risk for the rights and freedoms of individuals”, such as identity theft or financial loss. Notification would need to be made “without undue delay” and, where feasible, within 72 hours of the organisation becoming aware of the breach. The reforms also promise to introduce much harsher financial penalties for data security failings.
The costly repercussions for TalkTalk following this latest breach of its security are a good reminder of the importance of ensuring that arrangements with service providers adequately protect users and apportion liability for failings appropriately. No doubt TalkTalk will be looking very carefully at its contracts with its own service providers in order to determine who is on the hook for its losses.
If you would like to discuss any of the issues raised in this blog, please contact our Corporate Commercial team.