(7 months, 1 week ago)
Lords Chamber
My Lords, I declare my interest as a member of the Horizon Compensation Advisory Board. I am grateful to my noble friend the Minister, and to the Lord Chancellor, for securing a slot so quickly to right the consequences of the PACCAR judgment. I am impressed and surprised at the speed with which they have managed to do this. I am also grateful to my noble friend Lord Sandhurst, the noble Lord, Lord Carlile, and the noble and learned Lord, Lord Thomas—whom it is an honour to follow—for encouraging the Lord Chancellor in his speediness by moving amendments to an earlier piece of legislation.
I speak briefly to point out the sad fact that, until Alan Bates secured litigation funding in the Post Office Horizon scandal, the political process had completely failed him and other sub-postmasters. Although a substantial number of MPs, including a Cabinet Minister, Oliver Letwin, had gathered together to say that the concerns about the Post Office’s behaviour had to be independently examined, we got nowhere. Subsequently, Post Office Ministers said that they were lied to and MPs said the same thing. The turning point in the story was the fantastic judgment of Mr Justice Fraser, as he then was. I pay tribute to him. He succeeded in “blowing the bloody doors off” where the politicians had failed. That is why litigation funding is essential.
There will be questions about how litigation funding should work. Many of them will come up during this short Bill. For example, it is regrettable that the 555 sub-postmasters failed to recover their full costs from the Post Office. It was certainly regrettable that, out of a settlement of £57 million, after legal and litigation funding costs only £12 million found its way into the pockets of the sub-postmasters.
However, I do not say that the litigation funders were unfairly recompensed. They took the immense risk of taking on the country’s most trusted brand, the Post Office, which was backed by the bottomless purse of the taxpayer. That was a risk that needed a high pay-off if it succeeded, because it would have been ruinously expensive for the litigation funders if it had failed. We know, and we watched, how the Post Office did its best to spend the sub-postmasters into submission in a disgraceful display of legal bullying, so the litigation funders deserved their fees.
Yet the entire story must make us wonder whether there could be a better way. Litigation is slow and expensive. I found the comments of the noble Lord, Lord Mendelsohn, very interesting in this respect. Litigation funding must be one method of obtaining redress, but it should be considered alongside others, including the model of regulators-plus-ombudsmen recommended in various books by the chairman of the Horizon compensation advisory board, Professor Christopher Hodges, who is a friend of mine, with a properly regulated system of litigation funding that is subjected to what the noble and learned Lord, Lord Thomas, says. Regulation is needed, and with a stronger system of ombudsmen for the public sector, maybe we could avoid another Post Office scandal.
(7 years, 9 months ago)
Lords Chamber
My Lords, I draw noble Lords’ attention to my interests in the register, particularly to the fact that I am chairman of the Information Assurance Advisory Council, chair of the advisory board of Thales UK and a member of the advisory board of IRM, among other cyber-interested companies.
This Bill is about the digital economy, but it contains very little mention of security. Yet cybersecurity is essential, both to the proper functioning of the internet, on which we so rely, and to the trust we place in the digital economy. Global research has been done by the Information Systems Audit and Control Association of the United States of America, and I am indebted to it for its help on these amendments. That research has shown that two-thirds of chief executives of major corporations do not have confidence in their workforces to deal with anything beyond the simplest of data breaches. We all know that there has been no shortage of high-profile data breaches on both sides of the Atlantic over the last 12 months. That has damaged the economic performance of companies and their stock price, and has significantly reduced consumer and business confidence.
I congratulate the Government on making real progress in this area. They have introduced Cyber Essentials, which has been helpful in boosting implementation of cyber controls. I suggest, though, that the uptake of Cyber Essentials has been disappointing. It is not always a requirement that companies observe even the relatively low level of assurance that Cyber Essentials suggests. I use the word “suggests” because of course it is not compulsory. Equally, the new cybersecurity strategy has brought £1.9 billion into developing a capability across the whole of society to address everything from the biggest companies to individual citizens. The Minister of State for Digital and Culture recently indicated in another place that the Government intend to implement the General Data Protection Regulation in full. That is a good thing, but I very much doubt that businesses—and probably even government departments—are anywhere near ready for the GDPR, nor as far along as they really should be by this stage.
In view of the existential nature of our reliance on cyber nowadays, I therefore suggest that we need to go further. Consumers, investors, executives and government alike all need confidence that businesses are taking appropriate steps to safeguard their data and their IT systems—and those of their supply chains as well—from malicious activity. So, I have decided to be helpful. I propose these amendments, which introduce the notion of a cyber audit. They are probing amendments: their wording creates obligations that are perhaps more imperative than I would like to see, because I believe we should start with encouragement rather than requirement.
Everyone is now accepting of, and accustomed to, the notion of external independent financial audits, which have become the norm throughout the world. I believe that a similar approach now needs to be followed in relation to cybersecurity. My suggestion is that we should undertake cyber audits—perhaps as part of financial audits, or perhaps separately; it does not really matter. Those audits could be based on standards that could be evolved by industry, rather than by government, because government legislation never manages to keep up with the astonishing pace of technological change. These cyber audits should include external stress tests of a company’s cybersecurity in areas such as email, and possibly even in relation to a company’s products.
I think the entire House knows that, in 2013, the Target chain of 1,800 stores in the United States of America was hacked by people who broke into its air conditioning system, which was supplied by a third party. Everybody knows about last autumn’s botnet attack by rogue webcams. So if we did this and went for cyber audits, we could gradually begin to address the issue of cybersecurity, so that over time no longer would it create quite the existential threat that it does now. It would need to start on a voluntary basis and be driven by business, not by government, but, in time, I believe it would spread internationally, so that the United Kingdom would not be disadvantaged in competitive terms. It would also ensure that the United Kingdom was in the vanguard of global best practice. I beg to move.
My Lords, Part 5 of the Bill requires public authorities and specified persons to specify and meet specific legislative conditions and controls on the handling of personal information. As I have said on a number of occasions this evening, these provisions will be underpinned by codes of practice setting out data security requirements, including cybersecurity. A body that fails to meet these could be prevented from using the data-sharing powers. That is the context in which I turn to Amendments 105 and 106.
Amendment 105 would require all but the smallest of companies to conduct audits on their cybersecurity and to report annually on it and their data protection measures. Clearly, the Government recognise that effective cybersecurity risk management is important to the success of the economy and, indeed, to ensuring the safety and integrity of private citizens’ data. The Government conducted the Cyber Security Regulation and Incentives Review in 2016 to consider whether we need additional regulation or incentives to boost cyber risk management in the wider economy and it showed strong justification for regulation to secure personal data.
The Government will seek to improve cyber risk management through our implementation of the EU general data protection regulation in May 2018. Its requirement to report breaches to the Information Commissioner and individuals affected, and the fines that can be issued under it, will represent a significant improvement. These will be supplemented by a number of measures to more clearly link data protection with cybersecurity, including through closer working of the Information Commissioner and the National Cyber Security Centre. However, we will not seek to pursue further general cybersecurity legislation for the wider economy as would be required by Amendment 105.
We believe that mandating the inclusion of cyber risk information in annual reports, or the introduction of legal provisions for cyber audit, is unlikely to be an effective way of encouraging large-scale change in cyber risk management. Instead, the National Cyber Security Centre plans to work with stakeholders to develop guidance for investors. The long-term aim of the organisation is to include cybersecurity in the guidance it provides to businesses on the kind of information it wants to see in an annual report, and in the reports it provides to investors each year on every listed company.
Amendment 106 is very broad in its aims and, as such, could have unintended consequences for the diverse range of grants that the Government fund each year. The supporting audit and insurance regime would be costly and challenging to enforce given the diversity of grant recipients, including those from voluntary and research communities. Furthermore, this amendment is unnecessary as many of these checks are in place as a matter of routine. The level of cybersecurity risk in grants will continue to be monitored and consideration given to how recently launched grant standards could be used to strengthen guidance in this area. This provides a far more flexible and proportionate solution than legislation.
With respect to subsection (2) of the proposed new clause in Amendment 106, the Government are already taking tangible steps to reduce the level of cybersecurity risk in their supply chain. As of October 2014, suppliers of central government contracts that involve the handling of personal data or the supply of IT products and services must demonstrate they have met the technical requirements set out as part of either the government-owned Cyber Essentials scheme or a suitable equivalent. The scheme was developed jointly with GCHQ and industry to support organisations of all sizes and across all sectors in getting a good, basic level of online security in place. In response to my noble friend Lord Arbuthnot I would observe that, as of the end of December 2016, nearly 5,500 certificates had been issued under the scheme, and we have a strategy in place to significantly increase the adoption of the scheme over the coming year. With that explanation, I hope my noble friend will withdraw his amendment.
My Lords, I am grateful to my noble and learned friend for his comments. From what he says I suspect that the Government are not quite there yet. However, I hope that my amendments will help to encourage them along a path of some form of regulation in this area. I suspect that the arguments my noble and learned friend used were similar to those that were first used when financial audit was suggested. However, I am grateful for what he has said. I am also particularly grateful to the noble Baroness, Lady Jones, for what she said and for the gracious way in which she said it. However, my amendments were aimed not so much at government as at business. I suspect that this will be part of a long-term campaign, so, with those words, I beg leave to withdraw the amendment.