Important that controllers understand…
Human error is the main data breach trend under the new GDPR regime not cybersecurity incidents according the Irish Data Protection Commission (DPC).
The DPC has detailed the data breach trends it has observed during the first year of GDPR and unauthorised disclosure tops the list accounting for 83 percent of all reported breaches.
One controller reported a total of 7 incidents to the DPC where email accounts of staff members had been potentially compromised. A significant amount of personal data was involved, with various levels of risk presented to affected data subjects. These breaches, particularly their continued reoccurrence, were the result of the controller’s failure to have the appropriate technical and organisational measures in place to ensure the security of personal data stored within their IT environment
During the first year of GDPR, beginning on the 25 of May 2018, the Irish Data Protection Commission received 5,818 data breach notifications. The DPC notes that approximately 4 percent of all reported breaches were deemed to have not meet the definition of a ‘personal data breach’ when GDPR is applied.
Requirement of Notification
The DPC also notes that in GDPR’s first year 13 percent of the reported breaches ‘failed to satisfy the requirement of notification’, meaning that organisations reporting the loss of company and or customer data failed to do so in the 72 hours stipulated by GDPR.
Data breaches appear to be happening in all industries as the DPC’s Breach Assessment Unit has “Undertaken an analysis of breach notifications received from areas within the public and private sector, including those notified by: the financial sector; the insurance sector; the telecommunications industry; the healthcare industry; and law enforcement.”
Out of all the data breaches reported to the DPC, 83 percent were classified as an unauthorised disclosure. This occurs when an organisations or employee sends sensitive or personal data to the wrong recipient via an SMS message or email.
This category may be so high as the DPC is also including within this bracket all of the erroneous disclosures that happen through customer online portals and by processing errors. Sending a physical letter containing sensitive data to the wrong person is also classified as an unauthorised disclosure.
Data Breach Trend
An attack by a threat actor causing a cybersecurity incident is responsible for just 7 percent of reported breaches to the Irish data authorities.
Surprisingly stolen or lost devices only account for 2 percent of breaches, whilst lost or stolen documents and papers make up 5 percent.
The Irish Data Protection Commission is warning data handlers and controllers that they have clear obligations under GDPR to report data breaches accurately and within a set time frame.
“It is important that controllers understand that once they have been made aware of a personal data breach, a timetable is set in motion,” the commission warns.