Data Breach Notifications – Capsule Update
2022 was a record year for GDPR fines across Europe, with reported fines exceeding €1.6bn. That said, there is evidence of data breach reporting numbers levelling off. Deirdre Crowley examines why here and shares predictions on data breach reporting for the year ahead.
We see some interesting trends emerge from 2022 as we await the Data Protection Commission's ("DPC's") latest Annual Report. Data breach notifications appear to be levelling off or even declining in some areas. Cyber-crime related breach reporting is an exception to this trend in Ireland. Absent evidence based reasons for these trends, it may be that supervisory authorities are only documenting correctly recorded breaches or alternatively, that controllers breach reporting structures are maturing. It is also possible that organisations are more wary of reporting data breaches, given the risk of investigations, enforcement, fines and compensation claims that may follow.
Data breach reporting in the area of cyber-crime is expected to continue to climb in 2023. Emerging technologies and the enactment of an EU wide Artificial Intelligence Act in 2023 will also play a role in data breach reporting in 2023 and for the years to come. Human error and social engineering are likely to remain high as reasons for compromised entries to systems by bad actors using usernames and passwords unlawfully acquired. High levels of data breach reporting has also attracted regulatory attention. The DPC's fine of €463,000 in relation to Bank of Ireland resulted from an own volition inquiry when the DPC observed a pattern of breach notifications in similar circumstances. The DPC's annual report for 2021 (published in February 2022) confirmed 81 ongoing statutory inquiries, a clear indication that fines and other enforcement powers arising from inquiries will continue through 2023.
Data Breach Notifications
Figures provided in the 2021 DPC's annual report show not only a year on year reduction in breach notifications from 2020 to 2021 but potentially a downward trajectory in terms of data breach notification overall in Ireland.
The 2021 DPC Report confirmed a total of 6,549 valid data breaches in 2021. This figure is a levelling off in numbers of notifications and represents a modest increase of 2% (114) on the previous year.
Unauthorised disclosures accounted for the vast majority at 71% (4,728) of the total breach notifications made to the DPC. Other sources of data breaches were spread among a number of different types of breaches which accounted for only a small proportion of the overall figure. Examples include lost papers (219), phishing (71) and hacking (including ransomware) (197).
Breaches were spread amongst the public (2,707) and private (3,677) sector with a small proportion (232) coming from the voluntary and charity sector.
"Data breach reporting in the area of cyber-crime is expected to continue to climb in 2023. Emerging technologies and the enactment of an EU wide Artificial Intelligence Act in 2023 will also play a role in data breach reporting in 2023 and for the years to come."
Ransomware Attacks on the Increase
The 2021 DPC's annual report confirms a significant increase in ransomware attacks with the number doubling from 32 in 2020 to 67 in 2021.
In the 2022 Allianz and Ark Life DPC decisions, we see the DPC directing that controllers must have policies and personnel training specifically tailored to risk in place.
The number of phishing attacks reported by the DPC in the 2021 report remains consistent with previous figures.
The DPC issued a fine (€100,000) in December 2022 in respect of a data breach arising from a phishing attack. VIEC Limited ("VIEC") suffered a phishing attack whereby a third party gained access to residents personal data including health data.
In issuing the fine to VIEC, the DPC took into account the fact that it took VIEC four days to notify the DPC of the breach when Article 33 mandates notification within 72 hours and VIEC's failure to conduct regular testing of the system. The DPC held that VIEC was negligent in its failure to implement appropriate technical and organisational measures to protect personal data.
This fine follows on from a previous fine (€60,000) issued in December 2021 against the Irish Teaching Council for a breach arising from a phishing email.
The ICO in the UK also issued a significant fine (€5,033,000) against Interserve Group Limited in October 2022 for a similar issue.
The DPC has shown its willingness to fine organisations that cannot demonstrate effective security or privacy compliance resilience practices pre-cyber breach. We also see some notable fines against organisations that had appropriate GDPR policies and procedures in place, but that could not demonstrate their effective implementation.
In practice, we notice a clear expectation on the part of the DPC that documentation will be made available to it quickly in the course of an investigation, formal or informal, to demonstrate effective and responsible GDPR compliance management.
Meaningful prevention steps (both security and privacy compliance related) to target the gaps that give rise to the data incident first day, as well as damage limitation in the wake of a breach will differ depending on the business's sector and compliance posture.
In the Matheson Cyber, Data Protection and Technology Conference on 6 October 2022, DPC Assistant Commissioner Sandra Skehan mentioned the importance of tailored post incident mitigation steps to close security gaps and prepare for repeat attacks. On the privacy compliance side, these strategies include take down injunctions against persons unknown to prevent the onward processing of stolen data where it surfaces legitimately, targeted privacy compliance audits, reviews of privacy related roles and responsibilities, training, education and an ability to demonstrate a "baked in" privacy compliance culture across an organisation.
The author would like to credit Billy Casserly, senior associate for his support and assistance in researching and producing this article.