Spotlight: Cyber Incident Reporting Obligations
Cyber incidents and potential cyber incidents trigger specific reporting obligations. Our DEG team take a closer look at recent reporting queries that have arisen in practice when it comes to incident reporting obligations.
Cyber incidents and potential cyber incidents (“incidents”) trigger specific reporting obligations, depending on an organisation’s sector. The number of authorities to which an organisation must report incidents varies. In this article, we shine a light on some reporting queries that regularly come up in practice, in the specific context of incident reporting obligations. We consider:
- The circumstances in which reporting obligations are triggered
- The regulatory authority to which information is required to be reported
- The nature and scope of the information to be reported; and
- Enforcement action that may arise.
GDPR
Controllers are required to report data breaches to the Data Protection Commission (“the DPC”) within 72 hours of becoming aware of the breach (Article 33, Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”)). An exception to the reporting obligation arises where the data breach is unlikely to result in a risk to the rights and freedoms of data subjects. Notification obligations include a description of the type of breach, and specifically whether it is a confidentiality, availability or integrity breach of personal data. Controllers must also confirm the number of data subjects affected and any applicable remedies and mitigation steps deployed.
If a controller is not compliant with its GDPR obligations in relation to the security of personal data and its notification obligations to the DPC and affected data subjects, it is potentially exposed to significant enforcement actions such as audits, cessation of processing orders and fines, up to a maximum fine of €20M or up to 4% of the undertaking’s global turnover for the previous financial year. Compensation for privacy breaches is also a significant risk. Please see our article on “the right to compensation in privacy related claims” in this cyber bulletin for more information on this topic.
NIS Regulations
Operators of essential services, as defined in the NIS Regulations, have notification obligations in respect of incidents that have a “significant impact” on the continuity of essential services. The test for determining whether an incident has a “significant impact” is non-exhaustive. The following key factors are considered:
- The number of users affected by the incident
- The duration of the incident; and
- The geographical scope of the incident
Incidents should be reported within 72 hours to the National Cyber Security Centre, which is the home of Ireland’s national computer security incident response team. These obligations will become significantly more onerous when NIS2 comes into effect in Ireland on 17 October 2024.
Where operators of essential services or digital service providers fail to notify a reportable incident, fines of up to €500,000 can issue.
E-Privacy Regulations
Providers of electronic communications networks and services must notify the Commission for Communications Regulation (“ComReg”) where an in-scope breach has an impact on the security of networks or services. Where an incident results in a personal data breach, this must be notified to the DPC within 72 hours.
If the DPC determines that a breach of the E-Privacy Regulations has occurred, it does not have the power to impose any specific sanction for that breach. However, it can issue an enforcement notice or an information notice, and a failure to comply could result in a criminal offence and/or a fine of up to €250,000. If a person is convicted of an offence, a court may order that any material or data connected with the commission of the offence be forfeited or destroyed, or that any such data be erased.
Guidance From the Central Bank of Ireland
Regulated firms in the financial sector are obliged to notify the Central Bank of Ireland when they become aware of an incident that could have a significant and adverse effect on the organisation’s ability to deliver services to its customers. In addition, where potential consequences may arise for a regulated entity’s reputation or financial condition, obligations to report to the Central Bank arise.
Reporting Obligations to An Garda Síochána
Reporting obligations exist for individuals who have information that may assist with the prevention of a crime. Reporting obligations also arise where a person knows or believes they have information that could secure the apprehension, prosecution or conviction of another person for an offence (Section 19, Criminal Justice Act 2011).
Enforcement Actions
The majority of enforcement actions in Ireland are taken by the DPC and the Central Bank of Ireland. A noticeable trend in DPC decisions where fines have been imposed is the controller’s failure to have security safeguards in place in line with Article 32 GDPR. Emphasis is also placed on notification obligations. A flavour of DPC decisions includes:
- A decision adopted in February 2023 regarding Bank of Ireland’s banking app, where the DPC decided that Bank of Ireland failed to comply with its security and reporting obligations. Fine: €750,000.
- A decision adopted in December 2022 in relation to a security breach at Fastway Couriers, where the DPC decided that Fastway Couriers failed to comply with its security and notification obligations. Fine: €15,000; and
- A decision adopted in March 2022 in relation to security measures at Meta, where the DPC decided that Meta failed to comply with its security obligations. Fine: €17M.