A spotlight shines on a company logo at a TalkTalk building in London, Britain. (Photo : Reuters/Stefan Wermuth)

United Kingdom lawyers are up in arms about TalkTalk Group CEO Dido Harding's claim on Sunday, October 25, that the company was not legally obligated to encrypt its customers' sensitive digital data to protect against hacks and other security vulnerabilities. The cyber-attack exposed various types of personal information, including dates of birth, landline and mobile phone numbers, email addresses, bank accounts, and credit card data, which could result in identity theft and other third-party criminal activities. Scotland Yard police arrested and questioned a British teenager on Sunday as a suspect in the TalkTalk hack.

Detectives searched the home of the 15-year-old British schoolboy from Northern Ireland, according to The Telegraph. If he were found guilty of the cyber-attack, TalkTalk customers would likely have some big questions about how the company secures their user data.

Harding made the comment three days after TalkTalk's security breach. It affected up to 4 million customers and caused the company's shares to drop sharply.

The UK's 1998 Data Protection Act implies that companies should encrypt sensitive customer info. However, no explicit obligation is mentioned in the UK law.

Technology lawyers still argued that TalkTalk is not totally exonerated. Kemp Little's senior associate Mahisha Rupan explained that companies have a legal obligation to use security tools for preventing the compromise of customers' personal data.

Companies are not required to have the latest security tech. However, Rupan clarified that the security must be good enough to handle the type of data they store, and the potential loss of that data.

The European Union (EU) is working out the details of new data protection laws that will likely make companies legally responsible for contacting data protection authorities about security breaches within 72 hours, according to The Register.

If the tough EU data protection laws had been passed, TalkTalk's data breach could have been even more devastating to its stock. A violation might have resulted in heavy fines of up to $153.5 million.

TalkTalk is a London-based UK telecom that provides services such as cable television, mobile network services, and Internet access to residential and commercial customers. It was founded in 2003.

Here is TalkTalk's response to issues related to the cyberattacks: