Will TalkTalk be held to account for cyber-attack?

It’s good to Talk, but it would be even better if you could do so and know your personal data is secure. (Image c/o on Flickr.)

The following article was contributed by Tim Turner, trainer & consultant on Data Protection, FOI, PECR and information rights.

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

Donald Rumsfeld’s comment on the fact that sometimes we don’t know what we don’t know is notorious for its lack of clarity, but it is a very helpful summary of most massive data protection or security incidents. Take the recent TalkTalk debacle, in which the telco’s website was hacked, and a quantity of personal data was accessed and presumably stolen. We don’t actually know much more than that: we don’t know how the hack happened, we don’t know for certain who committed the act, we don’t know how much data has been stolen and most importantly, we definitely don’t know whether any laws have been breached.

There is a lot to keep an eye on. TalkTalk’s hastily assembled FAQs were emphatic that the Data Protection Act has not been breached by this incident, and the company has generally been at pains to hashtag every tweet with #cyberattack, painting itself as the victim. Meanwhile the company’s Chief Executive Dido Harding’s headlong rush into every available TV studio has impressed some with her frank admission that TalkTalk could have done more to protect customer data, but thrown the ‘no breach’ claim into doubt.

Data Protection law is built on eight principles, and the seventh principle requires that organisations put in place “appropriate” levels of technical and organisational security. The fact that whoever hacked the TalkTalk website has committed a crime in doing so does not absolve TalkTalk of responsibility. The 7th principle explicitly requires measures to prevent unauthorised and unlawful processing of personal data, so anyone whose website might be the gateway to personal data has to have proactive protections to repel a hacker. Several companies have already fallen foul of the 7th principle and received substantial monetary penalties after falling victim to hackers, including Sony Playstation Online, the British Pregnancy Advisory Service and the travel company Think W3. In each case, a criminally-motivated hacker was assisted by inadequate security and lack of testing.

All sorts of considerations can increase the burden of security. If an organisation is large and high-profile, if it holds a large amount of personal data, or if a hack might expose sensitive data that could lead to harm, the measures must be progressively more robust. All three of these factors apply to TalkTalk. Harding has claimed that TalkTalk’s security was “head and shoulders” above that of its competitors, and if that can be proved, TalkTalk are off the hook. But with a Chief Executive who has already admitted that their security might have been found wanting, and the arrest of a 15-year-old boy in connection with the hack (putting paid to some of the more lurid theories about some kind of Russian / ISIS / Cyber-Jihadi / SPECTRE agent being the perpetrator), presumably we know for certain that the Information Commissioner will act swiftly and decisively to enforce the law?

Well, not quite. Data Protection does not allow for summary justice. The Information Commissioner needs to prove at least on the balance of probabilities that there were appropriate measures to prevent hacking that TalkTalk should have had in place but didn’t. TalkTalk will have to be able to make their case, and the ICO will have to listen. The DP framework allows for the possibility that TalkTalk can be hacked and yet no breach has occurred – the breach is not the incident, but the absence of measures to prevent it.

The omens are nevertheless not auspicious. As well as Harding’s unwise comments, TalkTalk’s track record is troubling. In 2008, the company received an enforcement notice from the ICO, requiring them to stop such basic errors as customers being able to see each other’s records online. Much more recently, TalkTalk’s security was audited by the ICO, and in a break with normal practice, TalkTalk refused consent for the executive summary to be published (despite other organisations allowing quite negative summaries to go online).

The most important thing that we do know is that the TalkTalk hack does not just put the company in the frame. The Information Commissioner is better at enforcing on security matters than on nearly any other aspect of Data Protection, but their appetite for taking on large organisations is inconsistent: there may be £250,000 penalties for Sony, but until recently, only unenforceable undertakings on a largely unrepentant Google. Many activists can recall big Data Protection scandals like press misuse of private data (which the ICO discovered but did not tackle) or secret trials of the Phorm internet tracking software (which some suspect went unpunished because the trials were carried out by BT). If the ICO fails to act, it will need an extremely persuasive justification to calm the outrage that will likely follow, and we simply don’t know if such an explanation exists, whatever the law says.

Ten years of freedom of information – what does the future hold?

Image c/o v1ctory_1s_m1ne on Flickr.

To celebrate 10 years of the Freedom of Information Act, Bilal Ghafoor (FOI Kid) reflects on its impact and ponders what the future holds for this important Act of parliament.

If you go onto the website or read the official publications of any government department, local council or NHS organisation, the one thing that almost all of the information will have in common is that it has been volunteered. And while the communications and press teams in many organisations do a great job, ultimately they are a prism through which an organisation shines out whatever light it wishes to. Most press releases or official statements do not contain raw data. Most organisations do not publish email trails that they are even slightly uncomfortable about.

The Freedom of Information Act 2000 came into force on 1 January 2005 and it has, in the words of the Justice Select Committee, which undertook a post legislative review of the Act, been “a significant enhancement of our democracy.”[1] However, it went on to note that “we are not surprised that the unrealistic secondary expectation that the Act would increase public confidence in Government and Parliament has not been met.”[2] This was, after all, while the fire of the MPs’ expenses scandal was still smouldering.

I continue to be struck by an observation I heard when I attended a Request Initiative event on FOI that all the complaints about the burden of FOI are irrelevant – public authorities hire FOI officers and spend money not on releasing information but on withholding it. Aside from personal data, which must be guarded, there is more truth to this idea than I would like.

I remember when I worked in FOI in a central government department, a Labour Secretary of State visited us. The first thing he did was apologise to us for bringing in the Act. It was not just Tony Blair who later thought it foolish. We in the FOI team (it seemed to be the natural home of a couple of Marxists who had somehow joined the civil service) thought it to be utterly bizarre. How was it not a good thing (and not just because it kept us in employment)?

It is our tax, it is our society, these institutions are ours, the work they do belongs to us. It almost seems like a naïve assertion, but perhaps that is because it is so true. If we live in a democracy.

But there are dangers. The FOI Act, which was heroically worked on by the Campaign for Freedom of Information (which just celebrated its 30th birthday party – 20 years older than the legislation itself), came into force over a long period of time and the dangers are similarly slow but sure.

The Government’s response to the post legislative review[3] highlighted that it wanted to allow organisations to refuse multiple requests from the same person or organisation. At first glance, this might be ok – why should one person be allowed to harass an organisation with lots of requests? But what about a local newspaper wanting to make lots of requests to local organisations? How is a local newspaper supposed to survive on being able to make only a small number of requests in any one year to the local council?

There is a suggestion that ‘thinking time’ be included in cost limits for responding to a FOI. This means that any request of a new kind or for new types of information or invoking a new exemption will start to breach the cost limits and be refused. This encourages organisations to hire non-specialists. Or to copy in 15 members of staff into emails about FOI requests and to count thinking time 15 times over.

The chronic under-funding of the Information Commissioner’s Office (ICO) is another terrible problem. While the ICO’s basic stance seems to be to advocate the release of information and accessibility for all, in the latest triennial review of the ICO, its own submission to the Ministry of Justice[4] proposed a charge for requestors wanting to use its services. This would be appalling. But I can see that the ICO is constantly frustrated by its tiny grant in aid (the organisation runs its entire FOI operation for less than many central government departments’ communications and spin budgets) and that this proposal is a sign of its desperation.

Application of the Act has become complicated – most ICO decision notices and Tribunal judgments add nuances to how we should apply exemptions. I love the complication, but I am also very drawn to an idea that was kicked around by others on Twitter that perhaps all of the exemptions should be discarded and everything become subject to a plain public interest test. This would include cost limits – if you ask for a lot of information, and it is in the public interest to provide it, it should be provided. Thanks to relatively recent developments in the understanding of ‘vexatious requests’, where a request would be significantly disruptive, the Act already allows for a refusal.

The FOI Act is not perfect. But I am still of the generation that compares it to Yes Prime Minister days of secrecy and am thankful to the Campaign for Freedom of Information and other advocates that we can now ask the people who formerly felt like our masters for our own information.

