My Lords, this amendment is designed to protect small businesses from cyberattacks. I was really pleased to hear about the knowledge of the noble Lord, Lord Mendelsohn, on this issue. I wish I had been at the conference which he described and I agree with his objective of amplifying the issue, especially in relation to small business. I also agree with him about the role of the City of London Police.
When I worked in business, an attack on personal data held by the company was one of my top risks and concerns. Recent events demonstrate that businesses need to take action on cybersecurity and can benefit from external advice and guidance. I think it is fair to say that the Government are doing a great deal in partnership with industry on cybersecurity. We have a strong strategic programme in place, which is right. There is a five-year plan for an £860-million national cybersecurity programme to provide a range of advice and guidance to businesses of all sizes, including a specific guide, Small Businesses: What you need to know about Cyber Security. I have copies of that guide.
We have stepped up this activity recently by relaunching the “Cyber Streetwise” campaign, which offers small businesses clear and simple advice on how to protect themselves. There is information in the press and the Committee may have seen advertising at train stations or on the tube. In addition, the Government’s “Cyber
Essentials” scheme shows small businesses how to protect themselves against common cyberthreats. Since October 2014 the Government have required their suppliers to hold a Cyber Essentials certificate if they are handling personal data or sensitive information. That is all increasing awareness by amplification. There are more than 1,000 Cyber Essentials certificates, which have been issued to big organisations such as Vodafone, JCB, Barclays, the Royal Mail and BAE, as well as to colleges, universities and so on. We are working to get thousands of companies and their supply chains to adopt the scheme.
Our approach is to work with a range of law enforcement and other bodies to build partnerships with businesses, representatives and trade bodies, and to use these to increase awareness. We do not believe that the suggested amendment, which I think is mainly probing, goes beyond the existing approach in ambition or effectiveness. Putting guidance into legislation could result in a tick-box approach where guidance is merely published without the associated awareness-raising, partnership-building and behaviour change that is completely essential in this area.
We want to avoid unnecessary regulation. The amendment would create uncertainty as to what businesses were legally required to do and what was best practice, possibly even giving rise to litigation. It could also reduce our flexibility in dealing with what is, frankly, a very fast-moving issue. I think we were all astonished by the Sony leak and by recent events in the UK. We are not convinced that legislating in this Bill is the right thing to do. Following the information leak at TalkTalk, though, a committee of the National Security Council is now looking at this. Cyber Ministers are looking as a group at what further changes are needed. In addition the Digital Economy Minister, Ed Vaizey, promised last week that we would meet the Information Commissioner.