Lawyers have taken issue with claims by TalkTalk boss Dido Harding that the telco was under no legal obligation to encrypt customers' sensitive data.

Harding's comments came on Sunday, three days after TalkTalk admitted a breach on its systems that may have exposed the personal details, including bank information, of up to four million customers. TalkTalk failed to encrypt all user data. Partial details of credit card numbers as well as names, addresses, dates of birth, phone numbers, and email addresses were therefore exposed, leaving customers potentially more at risk from ID fraudsters and other crooks who gain access to copies of stolen data as a result.

The 1998 Data Protection Act only goes as far as implying that UK organisations should consider encrypting sensitive customer information, but no "explicit" obligation is demanded under UK law, as previously reported. However, technology lawyers Kemp Little reckon TalkTalk's apparent failure to establish adequate controls (encrypting data or not) counts against them.

Mahisha Rupan, senior associate at Kemp Little, explained: "There is a legal obligation for companies to implement suitable security measures to prevent personal data from being accidentally or deliberately compromised. It is important to stress that companies are not obliged to have state-of-the-art security technology; they only need to have security that is appropriate to the type of data they are holding and the harm that may result from the loss of that data.

"If there has been a breach of data protection laws, the ICO [Information Commissioner's Office] are likely to take into account TalkTalk's response to the breach and its attempt to limit any losses incurred by the customer. New EU data protection laws currently being negotiated will likely contain a legal requirement for companies to notify data protection authorities within 24 to 72 hours of becoming aware of the breach," she added.

TalkTalk's share price slumped in the immediate aftermath of the breach. The effect for shareholders might have been even more severe if the breach had happened in the aftermath of tougher European data protection laws currently edging closer to becoming European law.

Alex Cravero, commercial associate at Kemp Little, added: "If personal data has been stolen, then a notification will be required to the ICO and there is a chance that TalkTalk will suffer fines as a result. At present, the ICO is permitted to fine up to £500,000. If this happened with the GDPR [General Data Protection Regulation] in place, TalkTalk could be looking at significantly greater fines of up to €100 million or 5 per cent of annual turnover."

Kemp Little advises many of the UK's biggest businesses, numerous Fortune 500 companies, and smaller, fast-growing startups from the Tech Track 100. ®

The Register has created a timeline of TalkTalk's contradictory comments following on from the initial announcement of a website outage.