UK Data Breach Reports Decline
As GDPR Hits Second Anniversary, Regional Reporting Variations Continue
Britain's privacy watchdog reports it received 19% fewer data breach notifications in the first quarter than it did in the same period last year.
The U.K. Information Commissioner's Office enforces in Britain both the EU's General Data Protection Regulation, which went into full effect on May 25, 2018, and Britain's Data Protection Act 2018.
Under GDPR, organizations that suffer a data breach involving personally identifiable information must alert the relevant regulator within 72 hours of learning of the breach.
Since GDPR came into full effect, the number of data security incidents being reported to the ICO has continued to decline. From January to March, the Information Commissioner's Office received reports of 2,629 data security incidents, compared to 3,263 incidents during the same period in 2019.
Those results come from the latest data security incident trends report released by the ICO. "These figures are based on the number of reports of personal data breaches received by the ICO" during that time period, the regulator says, adding that they are "based on the number of reports submitted by the data controller, not necessarily the number of incidents."
Should the decline in reported security incidents be cause for concern - for example, might it indicate that organizations are not reporting breaches to the extent that they should be?
"I don’t see the decline in reported incidents as being odd," says Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting. He says he's seen organizations getting more skilled at knowing when to notify.
"At the beginning of GDPR, many regulators faced the issue of companies overreporting incidents," Honan tells Information Security Media Group. "This overreporting was primarily due to companies not understanding when they actually need to report a breach. Now that those companies are more familiar with the GDPR requirements, and thanks to breach guidance issued by supervisory authorities and ENISA [European Union Agency for Cybersecurity], companies better understand under what circumstances they should report a breach."
'Other Cyber Incidents' Increase
Comparing the first quarter of 2019 with the same time period in 2020, the ICO says it saw changes in terms of the quantity of each type of reportable cybersecurity incident that it tracks.
- Hardware/software configuration as a root cause increased by 85%, from 5 to 33 incidents.
- Phishing as a cause of breaches increased 27%, from 205 to 280 incidents.
- Ransomware increased from 43 to 60 incidents, or by 28%.
- Unauthorized access declined by 111% from 369 to 175 incidents.
- Malware held steady at nearly 20 attacks.
- Brute-force continued to be involved in only a handful of incidents.
In the first three months of the year in Britain, the healthcare sector reported the largest number of breaches of any sector. Of 419 health data breaches, 148 of them - or 35% - were classified as being an "other non-cyber incident." Across all sectors, the cause of 27% of all reported breaches was similarly labeled with that non-cyber catch-all.
Other industries reporting the most breaches in the first three months of this year were education, finance, legal, local government, general businesses, retail and manufacturing.
Overall, the second most-common breach cause was data being emailed to the wrong recipient, followed closely by phishing, data being mailed or faxed to the wrong recipient, and loss/theft of paperwork or data left in an insecure location.
"Many of the reported breaches can be attributed to human error or basic security controls failing, and many organizations would greatly reduce the incidents they experience by ensuring staff are trained properly in the tools and platforms that they use during their jobs," says Honan, who's a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.
"Too often, companies expect people to know how to use email, or other technologies, without providing them with appropriate training to ensure they have those basic skills," he says. "In addition, developing an effective security awareness culture can empower staff to identify threats and risks and deal with them appropriately."
ICO Fines Issued in Last Quarter
In the first three months of this year, the ICO issued just two fines, both for incidents that occurred before GDPR enforcement began on May 25, 2018.
- January 2020: DSG Retail Limited fined £500,000 ($609,000) after a point-of-sale malware attack exposed information for at least 14 million individuals.
- March 2020: Cathay Pacific Airways fined £500,000 for a data breach that ran from October 2014 to May 2018, exposing customers' personal data. "Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed," the ICO says.
"Only one fine has as yet been issued by the ICO under GDPR in the two years it has been in place," says Jon Baines, an attorney at London-based Mishcon de Reya. "This is in notable contrast to some of the ICO’s peer supervisory authorities. Germany and Spain have issued more than 20 [fines], for instance, while France and Italy have each issued around 10."
Britain's one GDPR fine to date was issued on Dec. 17, 2019, against London-based Doorstep Dispensaree, for £275,000 ($335,000), after it stored patient records in a "careless" manner that led to them suffering water damage.
GDPR Enforcement: Regional Variations Continue
Different countries continue to impose markedly different numbers of fines under GDPR.
Numerous technology giants have their headquarters in Ireland, for example, including Apple, Facebook and Google. But Ireland's Data Protection Commission had not issued a single GDPR fine until this week. In February, it revealed that it had 21 open inquiries into several of the world's largest technology firms (see: Irish Privacy Report Gives Glimpse Into GDPR Investigations).
On Sunday, Ireland's DPC fined the government's child and family agency, Tusla, €75,000 ($82,000), for three cases in which information about children was incorrectly disclosed to third parties.
GDPR Fines: 2019 Trends
In January, law firm DLA Piper reported that France, Germany and Austria topped the rankings for the total value of GDPR fines imposed in 2019, with just over €51 million ($55.6 million), €24.5 million ($27 million) and €18 million ($19.6 million) respectively.
In terms of the greatest number of data breaches disclosed to regulators in 2019, the leading countries were the Netherlands, Germany and the U.K., with each respectively accounting for 40,647, 37,636 and 22,181 notifications, DLA Piper reported.
"GDPR has driven the issue of data breach well and truly into the open," Ross McKean, an attorney at DLA Piper, said in January.
But clearly, regional variations continue. "The interesting thing I see is that the number of data leaks reported decreases every quarter in the U.K., while other countries like Germany, the Netherlands, Denmark, Sweden, etc., show more than 50% plus increases," says Rick Goud, CEO of Amsterdam-based email and file security vendor Zivver. "Per inhabitant, the U.K. was already reporting about 10 times fewer data leaks than the 'top' countries."
The ongoing COVID-19 pandemic may increase those variations. The ICO has said it will be taking a more flexible, "empathetic and pragmatic approach" for as long as the pandemic continues. The regulator says it expects to investigate and conclude fewer cases during the pandemic (see: GDPR and COVID-19: Privacy Regulator Promises 'Flexibility').