Hot on the heels of several large data breaches and privacy scandals, the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018 attracted huge interest from media and industry alike. Each data breach is eagerly watched and scrutinised, putting organisations under increased regulatory and reputational pressure.
Six months and several data breaches into the new regime, a few trends are emerging. Data protection regulators are reporting large increases in data breach notifications and complaints: the UK's Information Commissioner's Office (ICO) has seen data breach notifications double in the first months of the GDPR.
In a speech delivered to the CBI Cyber Security Conference in September, ICO Deputy Commissioner James Dipple-Johnstone said that the regulator had been receiving around 500 calls a week to its breach reporting hotline since the GDPR came into force in May. However, the regulator said that around a third of the calls to the hotline do not meet the GDPR reporting threshold. The ICO says that it will now discourage the practice of "over-reporting" and will issue further guidance in future.
According to the ICO, some companies are struggling with the concept of breach notification as defined by the GDPR, which requires organisations to report a qualifying breach to the supervisory authority within 72 hours of becoming aware of it. It also says that some breach notification reports were "incomplete", despite guidance that sets out what information is required. The ICO says that, while it recognises that not all the required information will be to hand in the first 72 hours, organisations must "plan ahead" and explain when missing information will be forthcoming.
The first months (potentially years) of the GDPR were always going to be a learning curve for companies and regulators alike. The GDPR is not prescriptive about how the risk from a breach is assessed. Companies must assess whether a breach is likely to result in a "high risk" to individuals' rights and freedoms and, if so, inform those individuals "without undue delay".
The two biggest data breaches to fall under the GDPR so far, those of British Airways (BA) and Facebook, are a big test for the regulation. A cyber-attack disclosed in early September compromised the payment card data of around 380,000 British Airways customers, while in late September Facebook revealed that almost 50 million users may have had their personal data stolen. While BA was quick to notify affected customers, Facebook held off notifying individuals pending an internal investigation.
On the face of it, the Facebook data breach was more complex, and it was harder to assess who was affected and what the risk of harm was. However, in a statement to media, Ireland's Data Protection Commission expressed concern that Facebook's notification lacked detail and that the social media group had been unable to clarify the nature of the breach. Some two weeks after the initial report, Facebook revised the size of the breach down to 30 million users and said that it would send notifications to affected users.
BA and Facebook could face large penalties under the GDPR: the maximum fine under the new regime is €20 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. Theoretically, Facebook could be hit with a fine of around US$1.6bn.
The ICO has shown that it is serious when it comes to penalising companies that break the rules. In recent months the ICO fined Equifax and Facebook £500,000 each for serious breaches of data protection law. The fines were the largest possible under pre-GDPR legislation and would "inevitably have been significantly higher" under the GDPR, the ICO said.
As yet the ICO has not issued any fines for breaches under the new regime, and it has sought to reassure companies that it aims to be fair. Recent large fines are said to reflect failings in the respective organisations' own controls and culture; companies that take appropriate steps to protect personal data and prepare for a data breach have little to fear from the ICO.
“If you take your responsibilities under the GDPR seriously, and have taken reasonable steps to protect that data in line with our security guidance, then we will recognise that. If you adopt privacy by design, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your customers’ data, then we will not usually have an issue with you should the worst happen,” Dipple-Johnstone told the CBI event.
Another trend to watch is the emergence of group actions related to data breaches. Recent data breaches, including those at British Airways, Facebook and Ticketmaster, have attracted the attention of claimant solicitors. The UK's first data breach group action was brought by employees of Morrisons; the supermarket group now faces a potentially large compensation bill, having recently lost its case in the Court of Appeal.
A number of European countries, including the UK, now allow forms of collective redress for data breaches. Combined with the GDPR, group action frameworks make it easier and more cost-effective for victims of a data breach to claim compensation, including for non-financial damage such as the distress caused by a breach. Civil litigation is likely to become a costly feature of large data breaches under the GDPR.
While it is early days for the GDPR, the UK regulator is taking privacy and data security seriously. The two largest known breaches under the GDPR, BA and Facebook, highlight the challenge of deciding whether and when to report a data breach, given the heated environment and the potential for reputational damage. Seventy-two hours is very little time to get a handle on a complex cyber-attack, while notifying individuals in the absence of detailed information could do more harm than good.
The ICO has made it clear that it expects companies to take data protection seriously and prepare for the worst. Companies that are best able to respond to a breach, mitigating the potential harm to individuals, will avoid the harshest penalties.
In addition to protecting the balance sheet against the potentially high costs of a breach, cyber insurance can include access to a panel of experts who are able to advise and support clients through the process of assessing and reporting a data breach. QBE, for example, provides a 24/7 hotline with access to legal and IT specialists and crisis management consultants. The breach response service provided within a cyber policy includes support from a data protection lawyer who can guide you through the GDPR process, advising on whether you need to notify, what information to provide, and so on. QBE's breach response providers have extensive experience of working with the ICO, so they understand how the ICO wants to receive information, which makes for a smoother interaction. The support provided by the breach response providers should help limit the level of any potential fine.
In response to the growing threat to small and medium-sized businesses, QBE has added to its range of innovative SME insurances by launching QBE CyberCrime, the first e-trade product of its type on Acturis.
With over half of small and medium-sized firms having been the victim of at least one cyber breach in the last 12 months, QBE CyberCrime is designed to offer as much flexibility and protection as possible, going much further than many standalone cyber covers. Cyber cover, Crime cover and Business Interruption cover can be bundled into one all-encompassing policy. And with more and more companies falling victim to impersonation fraud and other social engineering scams, Social Engineering Fraud cover can also be included to provide reassurance against the fraudulent theft of money, property and goods. 24-hour specialist data breach support gives extra peace of mind, helping businesses get back up and running quickly in the event of an incident.
Brokers can now get an e-trade QBE CyberCrime quote on either Acturis or QBE’s FastFlow extranet.