“Regulators are stretched and have a large backlog of notified breaches in their inboxes.”
Since the European Union’s GDPR legislation came into force in May 2018, over 59,000 data breaches have been reported to European data protection authorities.
This is the findings of a new report from global law firm DLA Piper which found that the UK data protection authority, the Information Commissioners Offices (ICO), received over 10,000 breach notifications in the last eight months.
The severity of the breach notifications range from incorrectly sent emails to major breaches such as the recent Airbus hack.
The EU country with the most reported breaches is the Netherlands with over 15,000, while Germany comes in second with more than 12,500. The UK came in third with 10,600 reports and was followed by Ireland, which reported nearly 4,000 breaches in the same period.
GDPR Breach Fines
So far only 91 fines have been imposed as part of the new GDPR regulations as many of the fines issued over the last year relate to cyber incidents that occurred pre-GDPR. €50 million is the largest fine to date and was handed by the French data authority CNIL to Google in relation to how their processed their users personal data.
Other fines noted by the report include a €20,000 fine for a German enterprise that did not hash its employee’s passwords, a security which then led to a security breach. A company in Austria, meanwhile, was fined €4,800 for excessive use of CCTV cameras that overview a public pathway.
The fines currently issued are expected to be just the start of a flood of fines as regulators and data protection authorities get used to the new system and begin the time consuming process of evaluating each report.
The DLA Piper report notes that: “Regulators are stretched and have a large backlog of notified breaches in their inboxes. Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.”
Commenting on the report, Sam Millar, a partner at DLA Piper specializing in cyber and large scale investigations said: “The regulators have already started to flex their muscles with 91 GDPR fines imposed to date but the fine against Google is a landmark moment and is notable partly because it is not related to personal data breach. We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.”
Ross Brewer, VP & MD EMEA, LogRhythm, said: “What’s important is that businesses do not become complacent. The GDPR regulations were enforced to improve data protection and regulators will have no qualms about penalising those that aren’t complying. Cybercriminals are using increasingly sophisticated tactics and are becoming more persistent every day, and businesses – if they’re not already – need to ensure they are fully prepared. Only by using the right vendors and investing in the right technology that can keep up with the threat landscape effectively, such as NextGen SIEM, User and Entity Behaviour Analytics (UEBA), and Security Orchestration, Automation and Response (SOAR), will businesses be able to detect and mitigate threats as quickly as they need to, and avoid the regulators’ wrath.”