As if TalkTalk don’t have enough to think about at the moment, the House of Commons yesterday discussed the sanctions available to the Information Commissioner for significant data breaches. Responding to an urgent question on the TalkTalk incident, the Minister for Culture and the Digital Economy (wasn’t that one of Gladstone’s titles once?), Ed Vaizey, made a number of interesting comments.
He mentioned that he understood TalkTalk had reported the breach to the ICO on Thursday 22 October and he expressed delight that the Culture Select Committee would be inquiring into the incident. In response to an SNP question that a maximum £500,000 fine was too small to be “terrifying”, the Minister indicated that the existing monetary penalty regime was significant but that he would discuss with the ICO whether more could be done. Oddly, he did not mention the genuinely terrifyingly large maximum fine proposals under the General Data Protection Regulation (ranging from 2% to 5% of global annual turnover, depending on which draft you read), although he did later state that the Regulation negotiations were “almost at the point of being completed”. He completed the urgent question procedure by suggesting that some sort of kitemark for cyber-security was something he would look into.
Whether or not it is really worth increasing the maximum levels of the monetary penalty notice regime before the new Regulation increases them anyway is a matter for debate. Given that the ICO has only rarely imposed fines at the top of the range, there probably has not been much internal appetite for pushing it higher. But, as we all know, there is nothing like shutting the stable door after the unencrypted horse has been ridden away by a 15-year-old from County Antrim (allegedly).
Anyone wishing to read the debate (which does not contain very much by way of careful consideration of data protection law, but a good deal by way of assumption that TalkTalk should be hanged, drawn and quartered) can do so on Hansard here.