For the second time in less than a year, the United Kingdom’s data security regulator has fined one of the nation’s largest telecom companies for failing to protect customer data. The fine, and strongly worded comments from Information Commissioner Elizabeth Denham, should be a fresh wakeup call to all companies that gather and curate information about their customers.
Consumers and regulators are holding breached companies accountable when they feel the organizations have failed to adequately address cybersecurity.
After a three-year investigation, the U.K.’s Information Commissioner’s Office levied a £100,000 fine against TalkTalk Telecom Group PLC in early August, charging that the company “failed to look after its customers’ data.” Its actions placed personal information of 21,000 customers at risk of “falling into the hands of scammers and fraudsters,” the office said. In October 2016, the ICO fined TalkTalk £400,000 for a 2015 cyberattack that exposed the personal data of nearly 157,000 customers. At the time, ICO said TalkTalk could have prevented the attack by taking basic security steps.
The maximum fine the ICO can impose is £500,000.
In both cases, Denham spoke strongly about the company’s culpability.
“Yes, hacking is wrong,” she said last year. “But that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information.”
In announcing the most recent fine, Denham said: “TalkTalk should have known better and they should have put their customers first.”
Without question, cyberattacks are becoming more common, more sophisticated and more far-reaching. From the rise of nation-state ransomware attacks that affect innocent organizations and consumers, to increasingly successful spear-phishing attacks, organizations face ever-escalating threats to their networks, systems and customer data.
At the same time, the public is increasingly aware of the impact of a data breach and of identity theft risks. Regulators and courts are paying attention too; companies face mounting risks of litigation or regulatory action — as well as customer outrage and reputational damage — when a cybersecurity incident occurs.
TalkTalk says it took action in relation to the most recent fine, notifying customers and the ICO when the company discovered the breach, investigating the incident and dropping the third-party vendor through whom the breach occurred. “We continue to take our customers’ data and privacy incredibly seriously,” the company said in a statement published in The Guardian.
In fact, a majority of companies do have data breach response plans in place, Ponemon Institute reported in the Fourth Annual Data Breach Preparedness study. Eighty-six percent of the companies surveyed said they had a data breach plan in place, but just 42 percent felt their plan would be effective. What’s more, only 27 percent were confident they would be able to minimize the financial and reputational impact of a data breach.
What companies must do
An up-to-date, field-tested and audited data breach response plan is an essential step in defending against the impact of a data breach or other cybersecurity event — but on its own, it’s not enough. Companies must also take steps to bolster cybersecurity and protect customers, including:
- Keep software and hardware systems up to date. The U.K.’s National Health Service was one of the biggest victims of the WannaCry ransomware attack earlier this year, despite repeated warnings from security experts that the agency needed to upgrade its systems to be more secure. The ICO has repeatedly said TalkTalk could have prevented the breaches for which it was fined.
- Vet the cybersecurity strength of third-party vendors. The breach that resulted in a £100,000 fine for TalkTalk occurred when employees of a customer service vendor outside the country accessed customer data through a TalkTalk portal. If your company works with vendors who will have access to and use of customer data, be sure to assess their cybersecurity measures as strictly as you would your own.
- Prepare to care for breached consumers. When a cybersecurity event occurs, how you care for affected customers will directly affect your ability to retain their business and limit reputational damage. According to Ponemon’s report “Mega Data Breach: Consumer Sentiment,” 63 percent of consumers believe a breached organization should offer free identity protection to affected customers. In addition to a robust customer service team trained to address customers’ data breach concerns, companies should consider offering comprehensive identity theft protection services to customers affected by a material data breach.
Companies should take to heart Denham’s assertion that the 2016 TalkTalk fine should “act as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue.”
“Companies must be diligent and vigilant,” she said. “They must do this not only because they have a duty under the law, but because they have a duty to their customers.”