TalkTalk attack: UK digi minister recommends security badges for websites
Foolishly suggests kitemark to, er, reassure customers
The UK's digital minister Ed Vaizey has floated the idea of adding kitemarks to websites that have strong security measures in place, following last week's attack on TalkTalk.
Speaking in Parliament on Monday in response to an urgent question on data breaches and consumer protection, following the ransacking of TalkTalk's sensitive customer details, Vaizey said:
In many cases, businesses set out extremely detailed terms and conditions, but the idea that they are consumer-friendly is wide of the mark.
If I can take, as it were, the spirit of her question [Labour MP Gisela Stuart], some kind of kitemark to denote companies that have robust cyber-security procedures in place would be something worth exploring.
Vaizey, a politico who is big on self-regulation, seemed to be suggesting that such a badge would let customers assume that the website they are using poses little or no security risk.
But offering Brits such a false sense of security, as the fallout from the TalkTalk attack continues, is at best naive and at worst a total failure to come to the defence of consumers, the real victims in this whole mess.
'Misinformation' on government views on encryption? Fancy that!
During the debate, Vaizey also responded to questions about encryption, after he was asked if companies should use such technical safeguards to help secure customer data.
"It has to be said that companies should encrypt their information. There has been some misinformation that the government are somehow against encryption," the minister said, without elaborating further.
Over the weekend, TalkTalk boss Dido Harding stated that her company was under no legal obligation to encrypt customer data, much to the chagrin of the budget telco's customers.
The Information Commissioner's Office told The Register on Monday that current UK data protection law spells out clear rules for companies handling customer information.
“All organisations must have appropriate security measures in place to prevent the personal data they hold being accidentally or deliberately compromised. Any measures put in place should prevent security breaches or limit the damage if they do occur,” we were told by the data watchdog.
The ICO added: “As one single product cannot guarantee security, we would advise a combination of different tools and techniques. Encryption is just one way of doing this.” ®
The Register has created a timeline of TalkTalk's contradictory comments following on from the initial announcement of a website outage.