TalkTalk seems to have been compromised yet again (despite being warned), with an unspecified number of customer records put at risk, and all we get from the company is "sorry", relayed by a CEO who seems completely out of her depth with even the basics of computing.

Coupled with this is a fake concern, whilst at the same time off-loading responsibility for TalkTalk's abject failures back onto their customers, with phrases such as: just monitor your bank accounts for any unauthorised activity resulting from our mistakes.

Quite frankly, TalkTalk are currently in stall / cover-up mode because they really don't have a clue how many customers have been affected, or the long-term implications of their negligence, and there is really no way they can quantify the numbers involved in this breach. Therefore one must assume that their entire customer base is at risk!

Furthermore, by all accounts, we are being told that much of the data was not encrypted in the first place, which is a fundamental howler that should be severely penalised, and the best the CEO can come up with is that it is not a legal requirement. Oh well, that's OK then!

Make no mistake, the ICO has a guilty part to play in all this, as does the actual DPA, which is abused almost every day by any organisation one contacts. Even if you ask them the time, the reply is generally "we cannot tell you because of the DPA"; an answer that is borne of complete ignorance of the law and perpetrated by just about every organisation one speaks to, because it suits them to take this stance with their customers for their own ends.

This is all very well, but surely it is about time we put a proper price on failure so that companies take more care in the future. After all, TalkTalk are now busy off-loading the responsibility for monitoring compromised information back onto their customers, with the inevitable hand-wringing and statements about changing your password, watching out for targeted scams, etc.

The full impact of this breach may not be known by individuals for months or even years, and in the meantime companies like TalkTalk simply walk away from the situation unscathed.

Why on earth does a Data Protection Act exist, except to guard against this type of eventuality? In order to do that, the ICO needs a proper method of penalising companies that do not handle customers' personal details securely.

Unfortunately, the present position of a block fine seems to be the best sanction/penalty on offer:

‘.. In April 2010, the ICO was granted the power to issue fines of up to £500,000 for serious DPA breaches ..’

Now, to put this in context, let us just assume that TalkTalk has compromised 4 million customers and receives the maximum fine of £500,000. This means that your personal data as a customer is valued by the ICO at 12.5 pence (£500,000 / 4,000,000), when in fact your data could probably be sold to hackers for far more than that on the open market. A fine of £500,000 is therefore simply 'chicken feed' in the overall scheme of things!

No wonder all these companies are so cavalier with your information: the ICO penalties are so weak that there is simply no incentive for a company such as TalkTalk to exercise a duty of care. After all, the fine is probably tax deductible too, so they just pay it, don't change their ways and carry on as normal, regarding DPA fines as one of the costs of doing business. Wholly wrong!

Well, this is not good enough, especially as the maximum fine is per company breach and NOT PER COMPROMISED RECORD.

The fines should be levied on the basis of each hacked record, and if the company cannot quantify the extent of the breach then the default should be its entire customer base.

One also needs to take account of the potential costs to the customer if compromised, and 12.5 pence comes nowhere near meeting the expenses involved in trying to mitigate the impact, or worse still, dealing with a raid on their bank account.

With all this in mind, I suggest one starts with a fine per customer record and not a block fine for the company.

The level at which this fine is levied must be set at an amount that takes account of the costs incurred by a 'normal' customer in taking protective measures when informed that their data has been compromised. In this respect I suggest a starting figure of £10.00 per customer record for a company's first offence, rising to £100 per record for repeat offences.

The figures now change to a far more respectable penalty for TalkTalk: 4 million customers @ £10.00 each = a £40 million fine, which is a far more realistic reflection of the consumer cost associated with their failure(s), and would undoubtedly be a wake-up call for them to take matters far more seriously.

… and for goodness' sake, let's stop having these so-called X_Spurts (x = unknown quantity & spurt = a drip under pressure) in the media giving blindingly obvious comments because they need to say something, when they are just as much in the dark as everyone else.

Alternatively, repeal the DPA, because laws without proper sanctions are worthless. Over to the ICO to change their penalties: when can we expect these fines to become more realistic?

By the way, from what sparse information is available, one would lay odds that the hack was probably via SQL injection. Perhaps TalkTalk should look this up, because they are obviously totally in the dark about the whole area.
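For readers who want to see what "SQL injection" actually means, the following is an added example and not anything from the original post, nor evidence about how TalkTalk was breached (the post only speculates). It uses a constructed in-memory SQLite table of three made-up customers, shows a lookup that builds its query by string concatenation and so hands the whole table (including stored passwords) to an attacker-supplied username, and then shows the same lookup done with a parameterised query, where the identical input is treated as plain data. The table layout, the sample rows and the two payload strings are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not real customer records.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test", "pw-alice"),
    (2, "bob", "bob@example.test", "pw-bob"),
    (3, "carol", "carol@example.test", "pw-carol"),
]


def make_db():
    """Build an in-memory SQLite database with a toy customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the caller's string is pasted straight into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: a parameterised query. The driver binds the value separately
    from the SQL text, so the input can never become SQL syntax."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed attacker inputs (classic textbook payloads, not taken from any real incident).
# 1) Turns the WHERE clause into "username = 'x' OR '1'='1'", matching every row.
BYPASS_PAYLOAD = "x' OR '1'='1"
# 2) Appends a UNION that pulls the password column instead of email; the trailing
#    "--" comments out the closing quote the application adds.
DUMP_PAYLOAD = "x' UNION SELECT id, username, password FROM customers --"


def demo():
    """Run both payloads against both lookups and return the results."""
    conn = make_db()
    leaked_all = lookup_vulnerable(conn, BYPASS_PAYLOAD)   # all three customers
    leaked_passwords = lookup_vulnerable(conn, DUMP_PAYLOAD)  # id, username, password
    safe_bypass = lookup_safe(conn, BYPASS_PAYLOAD)        # nobody has that literal username
    safe_dump = lookup_safe(conn, DUMP_PAYLOAD)            # likewise, no rows
    normal = lookup_safe(conn, "bob")                      # ordinary lookup still works
    conn.close()
    return {
        "leaked_all": leaked_all,
        "leaked_passwords": leaked_passwords,
        "safe_bypass": safe_bypass,
        "safe_dump": safe_dump,
        "normal": normal,
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point the example makes is the one any competent development team is expected to know: the fix is not to "sanitise" quotes by hand but to stop building SQL out of strings at all, and to check, when reviewing code or reading a breach write-up, whether every query that touches user input is parameterised. Note that parameterisation protects the query structure, not the data at rest; a stolen database dump still exposes whatever was stored unencrypted, which is the separate failing the post complains about above.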
