More than just TalkTalk – A huge fine and a lesson in information security management for organisations large and small

Like many, we’ve been following the major TalkTalk personal data breach of 2015. It has been difficult to ignore!

So serious was it that it sparked a formal inquiry by the Culture, Media and Sport Committee and now the latest news from the Information Commissioner’s Office (ICO) reveals the £400k fine it has levied on TalkTalk – the largest the ICO has ever imposed!

Information security management

In setting the fine, the ICO recognised the severity of the situation:

TalkTalk failed to take appropriate measures against the unauthorised or unlawful processing of personal data, in contravention of the Data Protection Act. The ICO report said: “For no good reason, TalkTalk appears to have overlooked the need to ensure it had robust measures in place despite having the financial and staffing resources available.”

During the investigation, Dido Harding gave evidence stating that the organisation was compliant with the government’s Cyber Essentials scheme, although not accredited. She also stated that the organisation had a cyber security plan and worked to the “10 Steps to Cyber Security” framework that the government encourages companies to use.

Whilst these are credible cyber security schemes, they are generally regarded as low-cost, basic ‘entry level’ requirements.

For those of us with more demanding information security requirements, they merely form part of a more robust information security management system (ISMS) that goes beyond cyber security and the IT department.

Certainly, one would have expected more from an organisation of TalkTalk’s size and resources and, for sure, the fine would have been a lot lower had they taken steps to more effectively implement and manage an ISMS.

The cost of poor information security management

It could be argued that TalkTalk came off lightly!

At £400k, the fine represents under 15% of Chief Executive Dido Harding’s £2.8m earnings alone for a 12-month period during 2015/2016.

Under the new EU GDPR legislation, data controllers will be subject to much greater fines of up to 2% or 4% of total annual global turnover (or £10m or £20m respectively, whichever is the greater).

In the year ending 31st March 2015, TalkTalk’s revenue was reported at £1.795 billion – ouch!

Whilst the new potential fines equate to huge figures for the likes of TalkTalk, few companies would deny that such a fine, on top of lost revenue, the cost of rectifying the breach, compensation, reputational damage and increased cyber insurance premiums, is a huge deterrent.

Indeed, it demonstrates the need to get information security right.

More than that, it becomes apparent that organisations must be able to demonstrate, unequivocally, that they have taken the “appropriate technical and organisational measures” to protect personal data, as called for under the current DPA.

The costs of implementing and maintaining an effective ISMS soon pale into insignificance in the light of the above!

ISMS.online provides one secure online environment to implement and manage your complete ISMS. It comes equipped with a multitude of information and cyber security frameworks, including Cyber Essentials and ISO 27001, plus all the tools you need for managing risks.

It’s never been easier or more cost-effective to protect your business, with ISMS.online for information security management…
