The TalkTalk data compromise could be the 'tipping point' where lost PII is concerned. The majority of those interviewed at the time were mostly concerned about how their data could be used for identity theft or as a means of conducting some form of socially engineered fraud. Lost payment card details were seemingly of less concern, on the premise that any financial loss resulting from fraud that could be pinned down to this attack would be reimbursed by one's bank. In essence, the consumer's primary concern was the data that fell outside the scope of PCI DSS.
With the impending General Data Protection Regulation (GDPR) coming into effect in under two years, it is likely that businesses of all sizes are going to have to undertake a wholesale review of the way they secure personally identifiable information.
To use an analogy, GDPR is a sort of Cyber 'Health & Safety' which, whilst often derided, has put paid to the numerous avoidable accidents caused by negligent behaviour by those serving us.
My guess is that in many instances it will be considered just more 'red tape' and unnecessary investment that could be better used elsewhere in a business. This, however, should be countered by the fact that the internet is delivering untold efficiencies and other business benefits, which, when all is said and done, come at a cost.
GDPR is to the interconnected world what the Highway Code was to the motor industry: a way of bringing some controlled and enforceable order to something that is clearly proving beneficial to us all.
The resulting fines that are coming with GDPR will no doubt serve as a salient reminder to businesses of all sizes that the cyber equivalent of a slippery floor could cost you dearly!
Mr Norman said: “Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.” The Information Commissioner’s Office, responsible for enforcing data protection legislation, should also introduce a system of escalating fines that punish companies that fail to prevent the most common forms of cyber attack, the select committee said.