Research shows prevalence of data security breaches and need for planned response

A number of reports, including Experian’s ‘Data Breach Readiness 2.0’, question whether 2014 can be dubbed ‘The Year of the Data Breach’. This is an especially important question because, as has been pointed out, “it doesn’t matter whether you are big or small. If you have an IP address and are connected to the internet, you are fair game as far as hackers and cyber-criminals are concerned” (Nick Prescott of Blackthorn Technologies).

Main findings

Research into the prevalence of data breaches shows:

  • One fifth or 17% of UK organisations suffered at least one data breach in the last two years;
  • The ICO has issued warnings to a number of sectors including legal and healthcare professions regarding the rise of data breach incidents;
  • The majority of businesses (over 80%) have concerns about the impact data breaches will have in terms of legal and regulatory action, financial impact, branding and trust from customers;
  • More than four in ten (42%) have been affected by a breach in some way;
  • 64% of British adults are concerned about falling victim to a data breach, which would affect their opinion of the organisation (including advising others against it). Additionally, over 80% of customers believe that businesses should provide training for employees, have policies in place to prevent data breaches, be subject to increased regulation and be penalised when compromising data; and
  • The cost of lost business accounts for around 43% of the total cost of a data breach, which has increased by 22% since 2011.

Businesses are broadly confident regarding their preparedness to respond to:

  • Theft or loss of sensitive and confidential information which requires notification to victims and regulators (79%)
  • Loss of customers’ and business partners’ trust and confidence (81%);
  • Negative media and public sentiment (76%).

However, with regard to preparedness, not all is as it seems. Data Breach Readiness 2.0 by Experian found that:

  • 34% of businesses do not have a data breach plan in place;
  • Even where a plan exists it is often not comprehensive: 23% do not include crisis communications, 27% do not include legal support and 63% do not include digital forensics;
  • Only 33% have specific budgets set aside to deal with data breaches;
  • Less than 61% have reporting procedures in place for lost data or devices;
  • Less than half (43%) have data breach or cyber insurance policies in place;
  • Only 47% would notify customers ‘as quickly as possible’ following a data breach; and
  • Less than a quarter (21%) would offer an identity protection service to existing customers and only 10% would offer a credit monitoring service.

What are the causes?

One of the main causes of data breaches in the digital age is cyber security incidents. Research shows that in one single day in February 2015, more personally identifiable data was illegally traded on the dark web than in a three-month period in 2014.

Figures already indicate that cyber threats are contributing to data breaches: in 2014 there were 42.8 million cyber security incidents, the equivalent of over 117,000 incoming cyber attacks occurring each day. The 2014 Information Security Breaches Survey by PwC indicates a 64% increase in the number of incidents detected by medium-sized organisations. At the same time, as many as 71% of compromises go undetected.

In responding to the ever-increasing cyber threats, as the saying goes: if you fail to plan, you plan to fail. In this regard, research indicates that underestimating the complexities of planning impacts on delivering an effective and comprehensive data breach response. In particular, organisations that have already been affected by a breach are generally better prepared.

Organisations with experience of recent breaches are twice as likely to be better prepared for a repeat, having taken measures including increased investment in security technologies, having policies and teams in place to deal with a data breach, and having a data breach response plan.

Preparing for and responding to data breaches

The experience of those organisations that have faced a data breach indicates how exceptionally important planning is to preparing for, managing and responding to data breaches. In this regard, organisations should review their internal systems, processes and procedures to ensure that they have mechanisms in place for preventing, managing and responding to data breaches. This may include considering issues as wide-ranging as having:

  • Policies in place and providing sufficient training to staff;
  • Sufficient internet security safeguards to detect and block threats;
  • Specialised cross-organisational teams in place to manage and respond to data breaches including engaging management and external expertise;
  • A data breach response plan including self-reporting;
  • Specific budgets set aside for data breaches; and
  • Insurance policies to cover breaches or cyber attacks.

According to English law, only public electronic communication services (Internet Service Providers and telecommunications operators) are under an obligation to self-report data breaches. This is a requirement to report the breach to the Information Commissioner’s Office (ICO) and to the individual in cases where the security breach is likely to “adversely affect the personal data or privacy” of that individual. As such the majority of organisations are not under an obligation to self-report or inform the data subject of the breach.

However, keeping a data breach quiet is not a risk-free strategy, as the ICO has the power to issue monetary penalties of up to £500,000 for serious breaches of data protection legislation. Further, in its guidance the ICO says that all serious security breaches should be reported, and such voluntary self-reporting has been treated by the ICO as a mitigating factor when determining the amount of a penalty given to an organisation for a data breach. Concealing a data breach from the ICO can also result in the penalty being increased.

The ICO considers having a proper data breach response plan to be part of complying with the seventh data protection principle, which requires adequate technical and organisational security measures to protect personal data from loss or corruption. Preventative measures are important, but so are steps to identify and respond to a breach if it does happen.

An additional aspect to be considered in this area is that the legal landscape is due to change. At EU level, member states are in the process of agreeing the terms of a new General Data Protection Regulation, which is likely to bring key changes including mandatory reporting of data breaches for all organisations and increased penalties for breaches of up to £100 million or 5% of an organisation’s annual turnover. While it may take some time for the new Regulation to come into force, organisations should review their processes now so that they have the necessary planning in place to prevent, manage and respond to breaches, whether through self-reporting or mandatory reporting.

A further important aspect to consider is that the right to privacy and data protection has been perceived as conflicting with the objective of cyber-security. According to Giovanni Buttarelli, the European Data Protection Supervisor, this is a misperception, as “security of data…has always been a crucial element of data protection”. However, he recognises that the objective of cyber-security may be used to weaken the rights of data subjects, and in this regard he says that “cybersecurity must not become an excuse for disproportionate processing of personal data”. Therefore, organisations need not only to ensure they have sufficient safeguards in place for cybersecurity, but also to strike a balance when it comes to data protection principles such as necessity and proportionality.

If you would like advice on data protection law and practice including how to prepare, manage and respond to data breaches please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.