UK Parliamentary Committee Recommends Penalizing CEOs for Cyber Breach
By Daniel L. Farris
The effects of last year’s data breach at the UK telecom TalkTalk may be farther-reaching than the one million customers whose data was compromised. The UK Parliament's Culture, Media and Sports Committee – which opened an inquiry into the circumstances surrounding the breach last November – made recommendations Monday to significantly enhance penalties for both companies and chief executives who fail to prepare for, promptly report, or learn from data breaches, including tying CEO compensation to the effectiveness of their companies’ cybersecurity programs.
Although the Committee also recommended stronger penalties for cyber criminals, it was the decision to target executive compensation which raised eyebrows. "Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment," Committee Chairman Jesse Norman said in a statement. "Failure to prepare for or learn from cyber attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent."
The Committee report includes proposals to strengthen sanctions available to the Information Commissioner’s Office (“ICO”), England’s data protection regulator. Although the ICO may already levy fines of up to £500,000, the Committee felt the maximum penalty “may not be a significant deterrent for a large company.” Instead, the Committee advocates for fines that grow in severity where a breach is triggered by certain factors, such as a company's lack of attention to threats and vulnerabilities, particularly those which have led to previous breaches, or a company’s failure to implement security by design principles to combat cyber risks. The Committee also recommended that executives should be required to take a more active role in cybersecurity initiatives, and that companies with significant consumer data should be required to report annually on their cybersecurity and data protection programs.
In focusing on a CEO’s role in cyber preparedness, the Committee noted that operational and technical implementation of cyber programs generally lies with a CIO, CISO, or Privacy Officer, but “ultimate responsibility” stays with the organization’s CEO. Accordingly, the Committee endorsed a system wherein CEO compensation is linked to cybersecurity program effectiveness, to “ensure this issue receives sufficient CEO attention before a crisis strikes.”
The recommendations are striking given the Committee’s acknowledgement that “TalkTalk responded quickly and well to this attack.” Instead, the Committee used the TalkTalk inquiry to consider more generally the rules for protecting consumer data, the role of encryption, and the damages available to consumers who have been victims of a data breach. According to the Committee, 90 percent of large companies have experienced a security breach, and 25 percent experience a cyber breach at least once a month.
"As the TalkTalk case shows, the reality is that cyber attacks are a constant, evolving threat," Norman said. Even though TalkTalk responded appropriately to the breach in question, it “appear[ed] to have been much less effective in the past, failing to learn from repeated breaches of different kinds." The Committee’s language is chilling, as it suggests that any inquiry into a breach – even one in which a company responds properly – may open the door for a comprehensive retroactive analysis of historic privacy and data security initiatives within the organization.
For companies striving to implement robust cybersecurity programs and comply with evolving regulations, this report should serve, as the Committee put it, “as a wake-up call.” With the General Data Protection Regulation (“GDPR”) slated to go into effect in 2018, companies should expect to see many EU member states taking affirmative steps to strengthen privacy and data security laws now. Once in effect, the GDPR will give Data Protection Authorities the ability to fine companies as much as four percent of global turnover or €20 million for privacy violations, such as failing to report breaches within 72 hours.
For assistance in understanding how the Committee Recommendation, Privacy Shield, or GDPR may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security Team member.