The hidden costs of the IPBill


One of the most controversial aspects of the UK's Investigatory Powers Bill proposes the storing by ISPs and mobile network providers of 'Internet Connection Records' (ICRs). While vaguely defined, they will include your internet browsing history (although the Government is at pains to clarify that only the websites you visit, not the specific webpages on those websites will be stored), and what apps you have accessed, over the previous 12 months.

Clearly then ICRs are personal data, so storing them also requires a duty of care on the part of both government and industry. A security and privacy program has to be put in place to protect ICRs from being lost, stolen, or leaked. There is a cost to protecting personal data, and one that the Government is imposing as an externality on businesses.

Within the UK, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) can fine organisations for data breaches, accidentally or maliciously caused. Such liability is clearly stated by the two regulatory agencies with oversight of personal data in the UK, the ICO and the FSA.

To quote the ICO's own website: "There are a number of tools available to the Information Commissioner’s Office for taking action to change the behavior of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller. The tools are not mutually exclusive. We will use them in combination where justified by the circumstances."

In terms of the monetary penalty, the ICO can fine up to £500k for losing personal data “for serious breaches of the Data Protection Act occurring on or after 6 April 2010". According to Breach Watch the ICO have fined £5,573,500 since 2010.

The Financial Services Authority (FSA) (which was superseded by the FCA from 2013) has significantly more latitude in the how much it can fine, having levied over £3 million against HSBC for inadequate data security measures in 2009 (see the Financial Services Authority website for details of fines levied up to 2013). Note that in that case of HSBC, the FSA didn't need a security breach to levy the fines, only evidence that the protections were inadequate.

Clearly then, ISPs have some potential liability for ICRs even if they are never breached, and the FCA will expect them to secure any personal data properly, regardless of their usefulness for national security purposes. So too, does the European Union, and companies may be liable for up to 4% of their global annual turnover from 2018. So the decisions made today, have a very significant financial impact on technology companies operating in 2018 (although the UK may of course be withdrawing from the European Union in 2018).

Separate to regulatory liability, there is also an associated cost of a breach for data. If we try to examine and study that cost, we turn primarily to two data breach reports, from the Ponemon Institute and Verizon. Both give us examples of the cost per record of having data lost or stolen within the UK. The Ponemon Institute lists the associated costs of a malicious breach in the UK at $143-163 per record.

The Office of National Statistics suggests that "the internet was accessed every day, or almost every day, by 78% of adults (39.3 million) in Great Britain in 2015". This then suggests a conservative maximum potential liability cost of 39.3 million people multiplied by £100 divided by market share between the ISPs asked to store ICRs. Note too, this is the potential cost BEFORE any regulatory fines would be levied. This is simply the cost of informing customers, and managing the breach. Further fines could be levied by the ICO, the FCA, or EU regulatory bodies.

Of course, it is unlikely we would see all ICRs breached at the same time, but it is not impossible. Even a more conservative estimate, where we examine the highest potential liability for a single ISP is worth considering in a cost/benefit analysis. BT manages roughly 7.99 million customers, and thus carries a potential £799m cost for customer data records losses. Asking private industry to carry the potential cost of breaches AND the regulatory liability for storing ICRs for UK surveillance purposes, ignores the cost half of the cost/benefit equation.