Information Commissioner: Business must get serious on cybersecurity
The information commissioner, Elizabeth Denham, believes that consumers have a right to be protected – and she has a warning for companies falling short of her standards.
Elizabeth Denham has fallen a bit in love with Manchester. The Canadian loves the cultural scene: she’s seen the play about Alan Turing – Breaking the Code – at the Royal Exchange; has tickets for The Snow Maiden opera at The Lowry in Salford Quays, and marvels at the splendour of the gothic revival architecture of the city’s Town Hall.
“I think Manchester is a magical place,” she smiles. “I do, I do, I do. Besides, the rain reminds me of home.”
It’s certainly a long way from that home on the recently storm-struck Vancouver Island. The 57-year-old, accompanied by her retired computer scientist husband, upped sticks to become the UK’s information commissioner in July.
Denham had been the information and privacy commissioner in British Columbia. She was one of a number of overseas applicants to succeed Christopher Graham to head up the Information Commissioner’s Office (ICO), which is based a few miles south of Manchester in Wilmslow.
Those foreign regulators all seem to have been lured by the idea, as Denham puts it, “of being part of the international scene at a time of momentous change”. Denham laughs: “I didn’t realise quite how big that change would be when I accepted the job in May, because it was before the EU referendum.”
The UK has become a world leader in information security and the ICO is particularly powerful, with a remit to ensure companies and the state comply with the Data Protection Act. The ICO has cracked down on nuisance calls and the unfair compilation of lists that resulted in the blacklisting of workers in the construction industry, while it was also central to uncovering the phone hacking scandal.
Denham, who will serve a five-year term, is the fifth person to hold the job since the post was created in 1984. She immediately had to handle problems caused by the Brexit vote. There were concerns the Leave vote might mean the UK would not adopt an incoming EU regime, called the General Data Protection Regulation (GDPR). This will harmonise data regulations across the EU, making compliance easier for overseas companies.
However, culture secretary Karen Bradley recently confirmed the UK would adopt the GDPR, because it will come into force in 2018 and therefore before Brexit is completed. And Denham is relieved.
“We need to keep up with our neighbours,” she says. “It’s not just the GDPR – if you look around the world, the trend is to have stronger laws and stronger enforcement of those laws, because data has become the new oil of the internet.”
Denham is frustrated by the low maximum fine she can dish out, which is just £500,000 under existing regulation.
She has already issued a record fine of £400,000 to TalkTalk for security failings that allowed a cyber attacker to access the personal data of nearly 157,000 customers, including their telephone numbers and email addresses. That hacker was only 17 and recently told a court that he was “just showing off” to his friends.
But the GDPR will mean the ICO can hit firms with fines of up to 4% of their global turnover, which Denham thinks will make senior directors take data protection far more seriously. Recent research by NCC Group found that only 13% of chief executives believed they should take responsibility for their firm’s cyber risks.
“I think it [the £500,000 maximum penalty] is insufficient at a time when we’re facing more and more threats to our networks, more and more cyber attacks,” says Denham. “We need organisations to consider network security, information technology security, as a boardroom issue – it’s not just an IT issue. The bottom line is that the risks are great, which means that information technology security is an evergreen 24/7 requirement.
“Most data breaches that are reported to the ICO are actually data security incidents that could have been easily prevented, as opposed to sophisticated hacks. We still have a lot of work to do just in basic information technology security.”
Facebook has been in Denham’s sights, because of the social networking giant’s plan to take data from British users of messaging service WhatsApp for advertising and product development. Facebook bought WhatsApp for $19bn in 2014, but only announced plans to share more data this summer. This would, for example, see a telephone number linked to a WhatsApp account used to help target adverts in that person’s Facebook profile.
Facebook has agreed to pause the plan, following concerns from Denham that it had not given customers enough detail on what it plans to do with the information. WhatsApp users are given a 30-day window to opt out of using this information for advertising, but Denham thinks they should be given “persistent” opportunity to block the sharing.
She says: “We live more of our lives online and, because we leave digital footprints everywhere we go, I think users are more concerned about companies and their take-it-or-leave-it terms of service. I think that, when companies have large stashes of data and then merge or join up, individuals and users feel they don’t have enough control.
“Facebook and WhatsApp is an example where we’ve got to get this right. Consumers deserve a greater level of information and protection. It’s a concern that’s broader than Facebook and WhatsApp, as we see mergers that mean vast amounts of personal data become an asset.”
A significant difference that Denham has noticed between the UK and Canada is the far greater concern about nuisance calls. “I’ve seen such a deep concern among UK citizens and UK consumers around unsolicited marketing,” says Denham. “This kind of concern, this kind of distrust in commercial actors in the UK … I haven’t quite seen in Canada. I also see that the population is deeply concerned about commercial surveillance as opposed to government surveillance.”
But the government has helped Denham by granting her far tougher powers. Since April last year, law changes made it far easier for the ICO to fine the companies making the calls. The ICO has issued £2.7m in penalties but less than £475,000 has been paid, with many firms going into liquidation before setting up a separate marketing firm. But Denham can now go after directors, making them personally responsible for nuisance calls. “It sends a message to the boardroom,” she smiles.
Denham is certainly keen to shake up those boardrooms and, for a jokey mother-of-four who laughs at her “oldster” taste in folk music, it’s clear she possesses plenty of steel. This is one culture vulture who will happily pick over the bones of firms that fail to comply with the rules of her office.