UK proposes new powers for comms regulator to legally unleash avenging hordes on security-breached telcos
Suffered 'loss or damage' as a customer? Get Ofcom's permission and sue away
Britain's Telecommunications Security Bill will allow anyone to sue their telco if they suffer "loss or damage" as a result of a system breach – but only if they get Ofcom's permission.
Yet buried in the details away from the China-bashing stuff is a potentially heavy stick to be wielded by telco regulator Ofcom, pitting baying crowds against telecoms operators. Currently, these operators face a maximum fine of £2m (enforced by Ofcom itself) for failing to adequately secure their networks (PDF). The new situation opens telcos up to civil litigation.
Clause 8 of the bill [PDF] would allow anyone who suffered "loss or damage" as a result of a security breach by a "provider of a public electronic communications network" to sue that operator. The legal language means the barrier to starting a lawsuit here is noticeably low.
With mobile network operators having millions of consumers on their books, it's not hard to imagine an ambulance-chasing law firm cooking up a Safari Workaround-style sueball to start pursuing telcos for billions of pounds in damages – and then there's the wrath of biz customers.
The liability itself stretches "not just [to] your customers (in respect of whom you may be able to limit your liability contractually for the impact of a breach, since that is not excluded by the current draft)," blogged tech lawyer Neil Brown of decoded:legal, who spoke to The Register for this article. "Every. Person. Who. May. Be. Affected."
It's not just direct customers affected by a breach who could be sued but anyone downstream that could plausibly say they were affected by a system breach. Brown continued in his blog post: "You get compromised, and an attacker uses that compromise to pivot onto another network/service, and so on and so on? It looks like the initial point of compromise could, if they have breached any of their duties relating to security, be liable to everyone downstream who has been affected."
We have asked Ofcom for comment on this potential new power for it to wield but the regulator declined to comment, as did MobileUK, the trade association for mobile network operators. ®