Reading today’s papers (The Times, 26 Oct), it would appear that people are surprised their personal data was not encrypted. In this context there are two kinds of encryption to distinguish:
- In transit – when the data travels from your computer to theirs over the internet. This should always be encrypted (TLS): look for the padlock and https in the address bar.
- At rest – when it sits in the company’s databases and backups. In most cases (not just TalkTalk) personal data is not encrypted at rest. The usual justification is performance, but the harder problem is that encryption at rest only defends against theft of the storage itself: the application that serves the website must hold the key and decrypt records to do its job, so an attacker who compromises that application, or the database it logs into, gets the data in the clear regardless.
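To make the at-rest point concrete, here is an added example (my own illustration, not code from the original post or from any company mentioned in it) of column-level encryption: the bank-account field is sealed with AES-256-GCM before it is serialised, so the bytes a backup or database file would hold contain no account number, while the application’s own read path, which holds the key, still returns it in the clear. The table layout (a name-to-account map serialised as JSON), the column name used as associated data and the sample customer are all hypothetical, constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value with a fresh random nonce prepended. The column name is
// bound in as associated data, so a ciphertext moved to another column will not open.
func sealField(key []byte, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; the GCM tag check turns any tampering into an error.
func openField(key []byte, column, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("stored value malformed or too short: %v", err)
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SerialiseTable returns the bytes a database file or backup would hold: a
// name -> sealed account-number map (hypothetical stand-in for a real table).
func SerialiseTable(key []byte, accounts map[string]string) ([]byte, error) {
	out := make(map[string]string, len(accounts))
	for name, acct := range accounts {
		enc, err := sealField(key, "account", acct)
		if err != nil {
			return nil, err
		}
		out[name] = enc
	}
	return json.Marshal(out)
}

// LoadTable is the application's read path: it holds the key, so anyone who can drive
// the application (or log into the database as it does) gets the plaintext back.
func LoadTable(key []byte, onDisk []byte) (map[string]string, error) {
	var in map[string]string
	if err := json.Unmarshal(onDisk, &in); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(in))
	for name, enc := range in {
		acct, err := openField(key, "account", enc)
		if err != nil {
			return nil, err
		}
		out[name] = acct
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // in production the key lives in a KMS/HSM, never beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	onDisk, err := SerialiseTable(key, map[string]string{"A. Customer": "12-34-56 12345678"}) // constructed sample
	if err != nil {
		panic(err)
	}
	rows, err := LoadTable(key, onDisk)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Contains(string(onDisk), "12345678"), rows["A. Customer"]) // false 12-34-56 12345678
}
```

Searching the serialised bytes for the account number finds nothing, which is exactly what a stolen disk or backup gives the attacker; calling LoadTable with the key returns the number in full, which is what a compromised application or database login gives them. Whether the key is kept away from the data, and who can reach the read path, matter more than the cipher.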
The head of TalkTalk is correct that there is no explicit legal obligation to encrypt personal data. The Data Protection Act 1998 does not prescribe specific measures; its seventh data protection principle says:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
What counts as “appropriate” is a business judgement balancing risk against cost, so whether TalkTalk fell short of it will be a subjective assessment. If the law were changed to require that personal and bank details be encrypted at rest, companies would face a massive implementation challenge: as it is, many of them struggle with PCI DSS compliance, whose requirements are very clear and already demand that stored card numbers be rendered unreadable.
Apart from the many other consequences that will follow, the Information Commissioner’s Office can fine TalkTalk at most £500,000 under the current Act, which is not a lot for a large company. Under the EU General Data Protection Regulation, still being negotiated at the time of writing, the proposed maximum penalty was between 2% (the Commission’s draft) and 5% (Parliament’s draft) of worldwide annual turnover, not profit; the text finally agreed sets it at up to 4% of turnover or €20 million, whichever is higher, and applied from 25 May 2018.
The challenge for me and others in my profession is to let companies deliver services at speed, with constant innovation, while stopping them from taking on more risk than they understand.
The profession is badly under-staffed, so if you fancy a rewarding technical career making sense of mind-boggling complexity in a constantly shifting environment, come and join me as a contracting security professional.