Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Report: 2nd sitting (Hansard - continued): House of Lords
Wednesday 13th December 2017


Lords Chamber
Amendment Paper: HL Bill 74-II Manuscript amendment for Report - (13 Dec 2017)
Moved by
78A: After Clause 18, insert the following new Clause—
“Duty to notify of data protection breaches due to ransomware attacks
(1) In addition to notifying the Commissioner of a personal data breach under Article 33 of the GDPR, a data controller must also notify the relevant police force if the data breach was the result of a ransomware attack.
(2) In this section, “ransomware attack” means an attack of a form of malware which holds the information on a user's computer hostage until a ransom fee is paid; and “police force” has the same meaning as in section 3 of the Prosecution of Offences Act 1985.”
Lord Kennedy of Southwark

My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.

Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.

I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.

Lord Ashton of Hyde

My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.

We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.

The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.

Lord Kennedy of Southwark

I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.

Lord Ashton of Hyde

Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.

Lord Kennedy of Southwark

It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.

Amendment 78A withdrawn