We are Concinnity Risks, the go to cyber insurance quants,Cambridge hackers,malware analysts,cyber-risk reductionists.

<< back to blog

Posted:13/03/16

Author:Eireann

The hidden costs of the IPBill

Clearly Internet Connection Records are personal data, and storing them also requires a duty of care on the part of both government and industry.

A security and privacy program has to be put in place to protect ICRs from being lost, stolen, or leaked. To protect personal data, has a cost, and one that the government is imposing as a externality on businesses associated with internet connections. Within the UK, the ICO and the FCA/FSA can fine organisations for data breaches, acccidental or maliciously caused. Such liability is clearly stated by the two regulatory agencies with oversight of personal data in the UK, the ICO and the FSA. To quote the ICO's own website:

"There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller. The tools are not mutually exclusive. We will use them in combination where justified by the circumstances."

The ICO has a cap on the fines for losing personal data, at £500K, in their own words:

"issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010" (REF 1).

According to Breach Watch The ICO have fined £5,573,500 since 2010.

The FSA has significantly more latitude in the size of fines having levied up to £3 million against HSBC for inadaquete data security measures in 2009 (REF 2, REF 3).

Note that in that case of HSBC, the FSA didn't need a security breach to levy the fines, only evidence that the protections were inadequate. Clearly then, ISPs have some potential liability for ICR even if they do not get lost or stolen, and the FSA expects them to secure any personal data properly, regardless of it's usefulness for national security purposes. So too, does the EU, and companies may be liable for up to 4% of their global annual turnover from 2018. So the deicions made today, have a very significant financial impact on technology companies operating in 2018.

Seperate to regulatory liability, there is also an associated cost of a breach for data. If we try to examine and study that cost, we turn primarily to two data breach reports: Ponemon and Verizon. Both give us examples of the cost per record of having data lost or stolen within the UK.

Ponemon lists the associated costs of a malicious breach in the UK at $143-163 per record (£100-114) (REF 5).

The Office of National Statisitics suggests that at least "The internet was accessed every day, or almost every day, by 78% of adults (39.3 million) in Great Britain in 2015" (REF 6). This then suggests a conservative maximum potential liability cost of 39.3 million*£100 divided by market share between the ISPs asked to store ICR. Note too, this is the potential cost BEFORE any regulatory fines would be levied. This is simply the cost of informing customers, and managing the breach. Further fines could be levied by the ICO, the FSA, or the EU regulatory bodies.

Of course, it is unlikely we would see all ICRs breached at the same time, but it is not impossible. Even a more conservative estimate, where we examine the highest potential liability for a single ISP is worth considering in a cost/benefit analysis.

BT manages roughly 7.99 million customers, and thus carries £799 hundred million potential cost of customer data records losses.

Asking private industry to carry the potential cost of breaches AND the regulatory liability for storing ICR for UK surveillance purposes, ignores the cost half of the cost/benefit equation.

Reference 1: The ICO