UK Organizations Could Face Huge Fines for Poor Cyber Security
Organizations offering essential services in the energy, transport, water, health and digital infrastructure sector play a vital role in our society. Loss of service as a result of an essential organization’s failure to implement effective cyber security measures affects not only the organization itself but the society as a whole.
For this reason, the UK Government proposes that an essential organization that fails to implement effective cyber security measures could be fined as much as £17 million or 4% of its annual global turnover, whichever is higher. The UK Government also proposes similar penalties for loss of data as a result of failure to implement effective cyber security measures.
Under the UK Government’s proposal, organizations are required to do the following:
UK Minister for Digital Matt Hancock said in a statement that the fines would be applied as a last resort. Hancock said that fines won’t apply to organizations that have taken appropriate cyber security measures but still suffered an attack.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” the UK Minister for Digital said.
EU Cyber Laws
The UK Government’s proposal to subject organizations to huge fines for loss of service and loss of data is in line with two of the EU’s cyber security laws: 1) the Security of Network and Information Systems (NIS) Directive; and 2) the General Data Protection Regulations (GDPR).
The NIS Directive was adopted by the European Parliament on 6 July 2016. EU member states have until 9 May 2018 to transpose the directive into domestic legislation. A few days after the directive was passed by the European Parliament, specifically on 23 June 2016, the people of the UK voted to leave the European Union.
“Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force,” the UK Government said in the document called “NIS Directive: pre-consultation impact assessment” (PDF). “It is the UK Government’s intention that on exit from the European Union this legislation [NIS Directive] will continue to apply in the UK.”
The NIS Directive specifically requires operators of essential services (energy, transport, banking, financial market infrastructures, health, water and digital infrastructure), whether private or public entities, to take the following appropriate cyber security measures:
General Data Protection Regulations (GDPR)
The GDPR was adopted by the European Parliament in April 2016, a few months before the adoption of the NIS Directive. Unlike the NIS Directive, the GDPR doesn’t need enabling legislation from EU member states. This means that this particular EU law takes effect after a two-year transition period; specifically, it will be in force in all EU member states in May 2018.
When the GDPR takes effect in May 2018, organizations in all EU member states can be fined a maximum of €20 million or 4% of annual global turnover, whichever is higher, for a data breach.
The difference between the NIS Directive and the GDPR, according to UK Minister for Digital Matt Hancock, is that the NIS Directive relates to loss of service, while loss of data falls under the GDPR.
In the “NIS Directive: pre-consultation impact assessment” document, the UK Government said that the GDPR will replace the UK’s existing Data Protection Act in May 2018. “It is expected that the GDPR will bring about an improvement to organisations’ security measures to protect personal data due to the significant fines that can be given for data breaches, and also because guidance will be provided on the level of security required to comply with the regulation,” the UK Government said.
Companies Penalized under UK’s Data Protection Act for Poor Cyber Security
On 5 October 2016, the UK’s Information Commissioner’s Office (ICO) issued telecom company TalkTalk a £400,000 fine for cyber security failings that allowed a cyber attacker to access the company’s customer data “with ease”.
The TalkTalk data breach, which happened between 15 and 21 October 2015, exposed the personal data of 156,959 customers, including their names, dates of birth, addresses, phone numbers and email addresses. The attacker was also able to access 15,656 bank account numbers and sort codes.
The ICO, the UK government body that has the power under the Data Protection Act to impose a monetary penalty of up to £500,000 on a UK company for a data breach, found that the TalkTalk attacker used a common technique known as SQL injection to access the data. “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO investigation found.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations,” ICO Commissioner Elizabeth Denham said. “TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
On 27 June 2017, Berkshire-based Boomerang Video Ltd was fined £60,000 by the ICO for failing to take basic steps to stop its website from being attacked. The video game rental firm’s website was attacked in 2014, exposing 26,331 customer records. As in the TalkTalk attack, the attacker used SQL injection to access the data.