Is it time for the ICO to Implement the 2016 CMS Cybersecurity Select Committee Reporting Recommendations?
The MoU between the ICO and NCSC, reported as "UK businesses could escape data breach fines if they engage with NCSC over cyber incidents", opens the possibility that the ICO might look again at the recommendations addressed to him in Section 7 of the 2016 CMS Select Committee Report, "Cybersecurity: Protection of Personal Data Online", including to treat more leniently those who had reported what they were doing to reduce the likelihood of breaches:
“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place. (Para 38)
= = =
Most of the headlines at the time were on the recommendation to jail abusers, not just fine their employers, but below is the blog I published at the time (now archived out of sight!).
CMS Select Committee turns Cybersecurity Reporting focus from Breaches to Performance (June 2016)
The press release for the Culture Media and Sport Select Committee Cybersecurity report headlines the recommendation to jail abusers, not just fine their employers. The change of reporting emphasis from notifying breaches to, inter alia, the processes for enabling customers and staff to check for impersonation, with fines linked to failure to do so, should, however, also change the way boards monitor the performance of their security teams.
The recommendations from the committee, on which I have been privileged to serve as specialist advisor, should help turn the corporate priority from data breach notification to enabling staff and customers to report attempts at impersonation, whether or not there is evidence of an actual breach. Such a change is essential in a world where there may be weeks or months between a breach and its discovery, and where publicity for a breach will trigger a wave of phishing e-mails and phone calls.
The rules for specialist advisors are strict, but I was delighted to be given permission to speak after the report was published, spelling out the implications for those responsible for cyber security if the recommendations are adopted. In this review I have therefore focused on the sections of the report most relevant to those planning the cyber security activities of their own organizations, as opposed to regulatory or national policy. I strongly recommend, however, that you read the full report. It is only 21 pages.
Then consider your corporate action plan for when, not if, the recommendations become law.
My own recommendations to any Board that asks me for an elevator pitch would include:
The background to the enquiry (Para 5 – 10)
The enquiry was triggered by what happened immediately after Talk Talk decided to go high profile after an attack. The evidence showed this was the tip of an iceberg. Moreover, calls for faster, "better" data breach notification have come to be part of the problem, not the solution. There is a real risk that the focus on breach notification helps phishers and would-be fraudsters more than potential victims. This is particularly so given that the Information Commissioner's Office is snowed under with incidents: over 200,000 a year with only 30 staff to respond, handling about 1,000 of the most serious cases at any given time.
Attack and Response
The committee found a need for a step change in customer awareness and education, not just a Government campaign but that: "All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms." (Para 14)
[Those with long memories might say that the e-Commerce Directive mandates such information from all trading on-line within the European Union. One of my personal concerns has been the failure, until very recently, to talk seriously about enforcement. It helps that the FCC has pulled the rug from under the position of some of the dominant lobbyists in Brussels.]
Then came some recommendations regarding the very tricky issue of responsibility for handling major incidents within large organisations (Para 16) before a very polite bombshell:
“We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.” (Para 18)
Those in the industry will know that BCS and IET have finally been able to agree to mandate security components in the courses they accredit, but the new rules will not come into force until 2017. They will therefore only apply to those graduating from 2020 onwards. Hence the importance of the London Cyber Security Skills partnership on which I blogged recently - including to re-educate all those “Digital Marketing” specialists producing the egregiously leaky “apps” harvesting data from the smart phones of the younger generation.
After summarizing some of the evidence on business continuity exercises and scenario planning and the importance of communication with customers to reduce the risk of spoofing, the Committee recommended that “where the risks of attack are significant, the person responsible for cyber security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.” (Para 20). This will hopefully make life a little less difficult for those in the hot seat.
Customer compensation
The report considered the vexed question of compensation and made some substantive points before concluding: “We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.” (Para 25)
The Law Society might be unable to agree an actual “practice note” for its members (the issues are indeed complex) but the attempt to do so should produce material that will make it much easier for its members, including those who work with Citizens Advice and Victim Support, to give practical advice on how to obtain redress.
Cyber essentials, supply chains and other guidance
Many breaches, however, occur along the supply chain, in suppliers or outsourcing contractors. The committee therefore recommends that “All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers.” (Para 26).
The committee also received evidence on the need to regularly update government advice and added that “Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber ransom demands.” (Para 30)
I know that many readers have views on the changes needed and look forward to an interesting but constructive debate on what those changes should be.
There follows a section entitled ”The tensions between informing the authorities, criminal investigation and informing those potentially affected”. The title says it all. The Committee concluded that there was a need for guidance on how and when to publicly report incidents: “The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs.” (Para 33)
I have great sympathy for those who may be tasked with producing that guidance. I can fully understand why it does not exist. That does not, however, remove the need.
The role of the Information Commissioner
In Para 18 the committee suggested the Commissioner “introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.” This will hopefully ratchet up the pressure on the relevant professional bodies to ensure that their members know how to address these. In Para 34 the committee adds “an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach.” and “scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications.”
The report discusses the impact of escalating the sizes of fine, including when the GDPR comes into force (if we do not Brexit), and makes the important point that “the attention of individuals within the organisation may be better engaged by the threat of a custodial sentence, rather than a fine for their employer.” (Para 36) The committee then supports “the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.” (Para 37)
Then come the recommendations referred to at the start of this blog as a Corporate Action plan. I believe these could not only help transform corporate attitudes towards data protection and security but also greatly improve the effectiveness of the actions they take:
“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place. (Para 38)
I very much look forward to seeing those currently planning programmes to brief customers on the impact of the GDPR re-writing their scripts. It was clear that the members of the committee know what is needed to catch the attention of main board directors suffering the same information overload as themselves. They also know that such reports will need interpretive guidance from the in-house security teams - but the process should help ensure that security is taken seriously at least once a year by the board, whether or not there have been any serious problems. Among the points I would like to add are:
The general public will, however, need something easier to help them understand who is trustworthy. The committee therefore supported “the ICO’s plan to create a privacy seal, to be launched later this year, which would be awarded to entities which demonstrate good privacy practice and high data protection compliance standards. It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress, and which have yet to take the issue seriously.” (Para 39)
Investigatory Powers and Big Data
Finally comes the “haystack of potential problems” that is the Investigatory Powers Bill with the “huge pools of personal data that it would create and their vulnerability to attack and theft leading to personal data breaches”. In interpreting the recommendation at the end of Para 41, “The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data.”, it should, however, be remembered that the problems with Big Data apply equally to the data already in the hands of the security services or law enforcement.
The Vodafone Survey on which I blogged a few weeks ago came too late to influence the enquiry but it should influence organizations thinking how to respond to the recommendations.
Finally
Do read the full report, you will miss much if you merely read my thoughts above. Also remember that policy is made by those who give evidence and respond to consultations.
The “motto” of this blog, announced in the very first entry back in 2008 is “The silent majority gets what it deserves … ignored”. Don’t be.