MPs urge jail terms for cyber criminals and more powers for data watchdog

Criminals obtaining and trading in personal data should face a jail term of up to two years, MPs have said.

The Culture, Media and Sport Select Committee also called for the data watchdog to be given greater powers, including the ability to fine firms if they do not make it easier to verify whether online or phone messages are genuine.

The cross-party committee's inquiry into cyber-security was triggered by a series of data breaches at TalkTalk, but the MPs warned that the problem is significant, growing, and affects all sectors with an online platform or service.

The committee said 90% of large organisations have reportedly experienced a security breach, and 25% of companies experience a cyber-breach at least once a month.

In the public sector, the latest research from the Information Commissioner's Office shows that the health sector has the most data breaches, followed by local government.

More than 40% of data breaches are caused by employees, contractors and third-party suppliers, and half of these are accidental.

Committee chairman Jesse Norman said: "Cyber-security is a critical issue for consumer confidence, and increasingly important for the UK economy.

"Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment.

"Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

"As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

"They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes.

"Everyone must take the lessons from the Talk Talk breaches as a wake-up call - both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur."

The report recommended that bosses should be hit in the pocket if data breaches occur, suggesting that a portion of chief executive remuneration should be linked to effective cyber-security.

The MPs said it should also be easier for victims of a data breach to claim compensation.

They also warned that the vulnerability of the massive new data pools which will be created by the Investigatory Powers Bill needs to be urgently addressed by Government.

A public information campaign, similar to that used to promote smoke alarm testing, should be used to make consumers aware of the risk of online and telephone scams.