Given the recent developments with regard to Brexit, the report by the House of Commons Culture, Media and Sport Committee on Cyber Security: Protection of Personal Data Online (PPDO) might have slipped under your radar. Thankfully, it is a concise report, despite its 17 recommendations. We won’t go through them all here but will pick out a few that have implications for email marketing. The full report is here: http://www.publications.parliament.uk/pa/cm201617/cmselect/cmcumeds/148/148.pdf
The report on cyber security came as a response to the hack of TalkTalk’s customer data. This was reported some eight months ago and we await the ICO’s report with some interest. In the meantime the PPDO has some useful advice for those of us holding email marketing lists and data on customers and staff.
The conclusions and recommendations section runs to a mere 1,250 words or so; it, and the full report, make useful reading.
The PPDO asks for consumers to be made aware of online scams, and for a requirement that companies holding data make existing and future customers aware of how they can check whether a communication is genuine.
One fear is that this would make potential customers wary of sharing their details with companies. This has not been helped by PC manufacturer Acer admitting that 34,500 customers’ sensitive data, including credit card details, had been accessed ‘sometime between May 2015 and April 2016’. Hardly specific. Reports of McDonald’s using unsecured NFC tags in New Zealand and other countries make things worse for us.
We then read that CEOs should lead any response to a breach and remain ultimately responsible for it, but that there should also be a designated person with specific responsibility for cyber security, the implication being that this person, typically the Chief Information Officer (CIO), is the fall-guy.
Of importance to email marketing is that the ICO has issued fines on three occasions following SQL injection attacks. These do not exploit a weakness in the SQL language itself; they exploit applications that build database queries by splicing in user-supplied input, so that a crafted value is executed as part of the query rather than compared as data. The PPDO goes on to say: “Any organisation participating in e-commerce, in any industry, should be taking appropriate and continuing measures to ensure their systems are not vulnerable to similar attacks.”
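To make the point concrete, here is an added example (not from the report or the original post) showing the pattern behind such breaches: an email-list lookup that splices the caller’s input into the query string, alongside the parameterised version that closes the hole. It uses Python’s standard sqlite3 module with an in-memory database; the table, the three sample rows, the function names and the attacker payload are all constructed for the demonstration and are not taken from the TalkTalk case or the ICO’s findings.

```python
"""
Added example: SQL injection in a customer-list lookup, vulnerable form
beside the parameterised fix. Standard library only; all data constructed.
"""
import sqlite3

# Constructed sample data: a small marketing list with one staff record.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "subscriber"),
    ("bob@example.com", "Bob", "subscriber"),
    ("admin@example.com", "Admin", "staff"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """VULNERABLE: the caller's string becomes part of the SQL text.

    Whatever the user types is parsed as SQL, so a crafted value can change
    the query's logic instead of being compared as data.
    """
    query = f"SELECT email, name, role FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """HARDENED: the query text is fixed; the value travels as a bound parameter.

    The driver never parses the bound value as SQL, so the same payload is
    just a string that matches no email address.
    """
    query = "SELECT email, name, role FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Constructed attacker input: closes the quoted literal, appends a tautology,
# and uses "--" to turn the query's trailing quote into a comment.
PAYLOAD = "x' OR '1'='1' --"


def demo() -> dict:
    """Run both lookups with an honest input and the payload; return row counts."""
    conn = make_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice@example.com")),
        "honest_safe": len(lookup_safe(conn, "alice@example.com")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "payload_safe": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

With the honest address both functions return the single matching row. With the payload, the vulnerable lookup returns the entire table, staff record included, while the parameterised lookup returns nothing. The “continuing measures” the report calls for amount, at this level, to never building query text from input; bound parameters are the standard way to do that in every mainstream database driver.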
The report’s recommendations would appear to give companies, the CIO and other named individuals more responsibility for keeping up to date with current threats to the security of data. One wonders whether the ICO is able to keep us all updated.
It recommends that fines should be higher where known weaknesses are left unclosed or where there are “continued vulnerabilities and repeated attacks”, while accepting that organisations should still expect to be attacked and will sometimes be breached.
One criticism of TalkTalk’s preparation for cyber attacks was that it had run no exercises and had no planned method of handling an attack on the scale of the one which resulted in 157,000 customers’ details being accessed.
The report includes criticism of the ICO’s staffing levels and strong criticism of the delay in closing the investigation into the TalkTalk hack, meaning that some nine months after it was reported, customers are still in the dark about what happened.
The lack of publicity of the committee’s findings should not lull you into thinking it will go away.