
Where’s the consumer protection when data protection fails?

Data breach

Eight months after TalkTalk’s data breach, the Culture, Media and Sport Committee has published the findings of its inquiry into cyber security and the protection of personal data.

The Committee heard from a range of experts and businesses, including TalkTalk’s Chief Executive Dido Harding, TechUK and the Information Commissioner on the growing threat of cyber-attacks on all businesses with an online platform or service.

And it seems businesses are found wanting. Worryingly, 90% of large companies have experienced a security breach, with 25% of companies experiencing a cyber-breach at least once a month. So it’s no surprise that consumers are increasingly concerned about data protection and cyber-security.

Data protection

The Institute of Customer Service said that over 1 in 4 people are most concerned that cyber-attacks might compromise their personal information and could result in a financial loss.

And our own research found that of the people we asked, half of them avoid using certain online services, apps and products for fear of being targeted by scammers.

Interestingly, the Culture, Media and Sport Committee also received evidence from a number of individuals who said they had been hounded by scam and nuisance calls ever since their personal data was leaked in the breach.

The problem is what happens when things go wrong. The Committee noted that redress following a data breach is still too difficult.

To get compensation for damages, individuals may need to take legal action through the small claims court. This can be a long and costly process with no guarantee of success. And if you fall victim to a data breach, there is no automatic right to terminate your contract early either.

So when your personal data has been leaked, you’re left exposed to scams and your trust in the company has been damaged, yet there’s not always a simple get-out clause. Early contract termination is usually at the gift of the company and governed by its original terms and conditions, often ones you won’t be aware of until it’s too late.

Next steps

So it’s positive that the Committee has acknowledged, interrogated and attempted to address these challenges – it recommended that more support and guidance should be offered to individuals to make a small claim for compensation, and that telecoms and mobile companies should provide clearer terms and conditions on the right to terminate a contract early.

But it still seems like it’s not enough. When there’s an industry-wide problem in facing the threat of cyber-attacks and hacks, why is it that consumers are still the ones facing the costs and consequences?

Comments
Member

The problem for me is that all those companies use your data for financial gain, which allows hackers to infiltrate the systems for their own financial gain. It’s like MS and Windows: while controlling the system using back doors they also allow hackers to get into your computer. MS compensate for that by never-ending “updates”, but where are the updates for the telephone industry? It is worth mentioning that you will not hear about BT being hacked as their security is tight, although they would still email you or letter box you with bumf; that doesn’t constitute BT’s system being hacked. And as termination of contract is still being mentioned, carrying over from the last Convo, it was made very plain to the public that to transfer to another company without the £30 cease charge when the contract is up, the customer must get a MAC address/code to use for no charge to occur. This was publicised in the national press, so it wasn’t “hidden away” in the small print. All you need to do is call your current provider, yes that’s all that’s required to obtain one, and it should be provided in 5 days. And don’t cancel your contract as it might take two weeks to transfer; if your contract is still in force you could incur large costs.

Member

Virginmedia is a 0845 number

Member
Nas says:
21 June 2016

I recently became a victim of a scam whilst booking a holiday rental on the Homeaway.co.uk website. My details were compromised whilst making genuine queries about the availability of properties. The way I was scammed only suggests that it was an inside job and my personal details were used in order to advertise a fraudulent listing which met my exact criteria, enticing me to book and part with £1700. The company are being very arsy and not giving me an explanation of how this breach happened. They generalised it by saying that sometimes their website does become a victim of a fraudulent listing but this was very rare. That is not the case: Homeaway/Owners Direct have been having issues with these sorts of scams since 2010 and 6 years on their security is no better, and they still don’t accept any liability. The government needs to do something about companies like homeaway.co.uk and make them accountable; then maybe they’ll take the safety and security of their customers seriously.

Member

The ICO should be taken to task for using woolly words like “reasonable” in their guidance. Companies have to take reasonable steps. What I consider reasonable will be totally different from an IT director, and therein lies the problem.

Security breaches could be almost done away with if companies actually encrypted their data at source. Many hackers aren’t going to want to spend time hacking a system they can’t get the data from. But I imagine many companies haven’t done this due to the cost of not designing the system properly in the first place.

They could always force companies who have been breached to stop using overseas call centres; many TalkTalk scam phone calls have come from Asian call centres.

Member

“And our own research found that of the people we asked, half of them avoid using certain online services, apps and products for fear of being targeted by scammers.”

Can you provide a link to the research please?

Member

I agree, and I would like to see the basis of the “research” that I believe is often subcontracted. I don’t recall ever having been asked to take part in such research despite being a Which? and Connect member for many years. Which? has 40,000 Connect members they could ask – a representative, good-sized sample I would think.

What background information do they present to those surveyed? What questions are asked? I’d like to know. Some survey results come as a surprise: “In our survey of Which? campaign supporters over the weekend, 94% of nearly 30,000 people told us that car manufacturers are not being fair to UK consumers.” for example. Really?? Fair in what respect? I’d need some convincing, but the basis of the research would help.

Making organisations and companies pay when they are negligent in the way they hold and handle data will either result in it being seen as a business expense if it is too low or may incentivise them to invest in better security and discipline if it is pitched at the right level. Public bodies of course needn’t worry because the tax payer will fund it. I guess the problem will be proving negligence.

Member

And how we really stick it to those who deal in personal details … NOT
medconfidential.org/2015/uks-largest-online-pharmacy-fined-130000-for-selling-patients-data-to-scammers/

You really really have to hand it to the ICO
ico.org.uk/media/action-weve-taken/mpns/1433030/pharmacy2u-ltd-monetary-penalty-notice.pdf

The amount paid was probably the reduced £104,000 and the executives get off scot-free. One person, possibly one whose details were sold, lost £16,000 to the Australian scammers.

Member
dieseltaylor says:
23 June 2016

I am faintly disturbed by the difference in emphasis in this article and what appears on the Government site. The request for jail sentences and a beefed-up ICO should be mentioned.

17 June 2016
The Culture, Media and Sport Committee publishes report recommending a new custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data. It has also said the Information Commissioner’s Office (ICO) should also have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.

The Chairman was fairly tough particularly in the last two paragraphs

“Chair’s comment – Jesse Norman MP, Chair of the Committee, said:

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes. Everyone must take the lessons from the Talk Talk breaches as a wake-up call – both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur.”