back to article You've been hacked. What are you liable for?

Hacking is big news and we’re all susceptible. In the UK, hackers could face jail time under the Computer Misuse Act, but the question on many businesses’ minds will be where the liability lies if they are hacked. The list of successful mega breaches continues to grow; extra-marital affairs site Ashley Madison hit the …

  1. edge_e
    Thumb Up

    About time too

    Hopefully this will lead to companies taking security seriously or, better still, not collecting information they don't need in the first place.

    1. Anonymous Coward
      Anonymous Coward

      Re: About time too


      I'm unconvinced that the serial fines on financial services companies for various crimes have made the slightest difference to the overall culture that making money is an imperative before all others. And I therefore conclude that increased fines will mean the level and prominence of security theatre will increase in companies, but that the actual security will probably take a back seat in technology and budgeting decisions.

      Risk, in corporatespeak is the significance of an event happening, multiplied by a guessed probability. If you can convince yourself that the probability is low, then the overall risk is low, and you don't need to invest money for security. Welcome to TalkTalk.

    2. Doctor Syntax Silver badge

      Re: About time too

      "not collecting information they don't need in the first place."

      I'm not sure this will even occur to them. In the first place those making the decisions will probably have filled in a few online forms asking them for data that wasn't needed & will accept this as just the norm. In the second place wants will carry more weight than needs.

  2. SteveK

    I really can't see how it could be monitored or controlled, but I'd really like to see some process by which companies are prohibited from charging customers more in order to cover the cost of fines and so preserve profits, and instead the fines come from salaries and shareholders' profits - hurt those who made the bad decisions, and force the shareholders to ask awkward questions.

    If the board still get their bonuses and shareholders their dividends, at the expense of the customer then nothing will ever change.

    I don't ever see this happening though.

    1. Version 1.0 Silver badge

      If you are corporate, and worried about this, then the "smart" thing to do is outsource it to someone else - let them take the risk so that you have someone to blame when (not "if") it happens. You see this type of behavior all the time in the corporate world.

      1. Adam 52 Silver badge

        You have to be very careful to isolate the risk, or hide the trail so it's impossible to prove. GDPR is explicit that you're still liable even if the loss is from a third party.

  3. Andrew Commons

    A bit hard on HR..

    Disclaimer: I have no HR affiliations.

    "and HR and sales departments are the most often hacked because they are the least computer security aware"

    HR is also at the pointy end when it comes to receiving legitimate unsolicited emails so they have to be far more aware than the average employee. Fake resumes and expressions of interest are very common vectors for phishing. So this is actually a bit harsh.

  4. Anonymous Coward

    In 2016, the SWIFT financial payments system was not hacked

    No no no, doesn't matter how many time you say it, SWIFT wasn't hacked. What was hacked was an Oracle Database running on Microsoft Windows. And a more relevant question is what indemnity do the providers of the computing platform provide when it gets compromised. The answer being none what so ever.

    Two bytes to $951m

  5. Anonymous Coward
    Anonymous Coward


    Fines aren't much of a deterrent in most cases. Usually because a new insurance/blame sponge sector springs up to cover the costs.

    A good example of this is with banks and new laws to help tackle money laundering.

    I hear that if KYC at a bank isn't performed to a sufficient level the people directly involved may be liable to be throw in porridge for 6 months. Im not sure if this is currently in place but it is at least in the pipeline. IANAL so I'm no expert here.

    As a result I am aware of some people scurrying around gathering investment to build a solution that allows banks to hand the KYC off to a third party AND it be covered by some form of insurance. This muddies the water somewhat and allows banks to continue to carry on as before and simply build the cost of incompetence into their business model.

    Counting the cost of fines as part of the running costs of a business is a widespread practice.

    That said, I dont think jail time is the solution here either. I suggest being struck off from your industry and the fines being levyed on individuals not the businesses.

  6. Mike Shepherd

    HR and sales departments

    "HR and sales departments are the most often hacked because they are the least computer security aware"

    From my experience, the words "computer security" could be omitted here.

    1. Captain Badmouth

      Re: HR and sales departments

      Yes, the pinnacle of intellectual achievement in any company, are they not?

      Mines's the one with the linkedin diary in it, thanks

  7. Mark 110

    Brexit won't matter

    As I understand it thhe government are drafting a law to enshrine all EU regulations at point of Brexit into UK law. It will then take further legislaton to remove any we doon't like. So regardless of Brexit thiis will become UK law and remain UK law unless parliament enact to remove it.

    Why would they? Its a decent law with the interests of everyone except people that breach it at heart (and to a certain extent its in their interests too).

    1. Frank Jennings - The Cloud Lawyer

      Re: Brexit won't matter

      Exactly. Upon Brexit the UK gov will preserve all laws except for those directly associated with Brexit. This will likely affect the UK contributions to the EU budget, the 4 freedoms (goods, workers, services & capital) and "red tape". This last one is the most vague (none of it is particularly certain) but I don't see culling data protection laws as being high up the agenda.

  8. Ian 55

    Coca-Cola and KFC

    The recipe for 'original' Coca-Cola has been published in, amongst other things, the main history of the company. A rash of 'American' colas followed, but what they all lacked is the decades of marketing that means it still outsells the lot.

    Similarly I doubt that the KFC recipe is secret. It's marketing.

  9. Halfmad

    ICO work back to front

    I've been saying for a while now that the ICO should default fines for large companies to the maximum, then take in mitigating factors to reduce it, not build it up based on severity.

    If companies know that they have to evidence the steps they took to mitigate attacks, show purchased products, training for staff, policies and procedures, pen testing etc they'd perhaps give a ****. As it is they are likely faced with fines which cost a fraction of this annually.

    Default to the £500,000, then let them knock off 10 grand per control they can evidence.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like