Cyber breach and enforcement trends in 2020
Fieldfisher privacy specialist Kirsten Whitfield answers questions about common data breaches and the reaction of regulators in Europe in 2020.
In the run-up to the GDPR coming into force, the anticipated increase in the number and severity of fines combined with a raft of new and enhanced data protection obligations created a stir.
Some organisations sprang into action, mapping their data flows, polishing policies, rolling out training and so on. Others took a much more relaxed approach – after all, they had managed to fly under the radar of regulatory scrutiny before and why should the GDPR change that?
The GDPR has now been in place for more than two years and data protection regulators have had time to get into the swing of things when it comes to enforcement.
How is enforcement by data protection regulators panning out and is it really the major risk predicted – or are there bigger risks to the bottom line?
When looking at enforcement trends, although a few whopping fines have been issued, most have been relatively modest in size and relatively few have been levied, when you consider the large number of security breach notifications and complaints from individuals that data protection authorities (DPAs) across Europe have been dealing with.
The reality is that DPA fines are, in most cases, not the biggest threat to the bottom line. A greater threat for many businesses is loss of confidence in an organisation once a GDPR breach, often cyber security-related, becomes public knowledge.
This can and regularly does drastically impact share prices and drive away business, although there is some evidence that memories can be short and share prices can and do recover following a breach.
Recently, another threat has become more prominent that could eventually eclipse the risk of DPA enforcement; this threat is the 'representative claim'.
This threat needs to be taken seriously is because a representative claim does not require claimants to 'opt in'. Rather, this type of claim can be brought by a person or organisation on behalf of the 'wronged' class of people without their consent – and they are automatically 'in' as long as they have a common cause of action.
This is different to other more 'traditional' class action style claims, such as the one brought by Morrisons employees following the theft and publication of their data by a vindictive employee. This was a claim in which, thankfully, common sense prevailed in the Supreme Court where it was held that Morrisons could not be held vicariously liable for the actions of this rogue employee.
The precedent for the representative claim was set by the Lloyd v Google case, also known as the 'Safari workaround' case, which centred on transparency for data collection. This was a successful 'representative claim' by Lloyd on behalf of more than four million Apple iPhone users who were held to have in common that they lost control of their data.
In this case it was also held that individuals needn't have suffered any financial damage to have a claim.
Aside from there being no need for individuals to 'opt in' to the representative claim, there being no need to show any financial loss makes this type of claim very attractive to claimants for security breaches. This is because it can be very difficult to prove that you suffered specific financial loss or other damage as a direct result of a particular security breach.
It is not such a big leap to see how this could be applied to large-scale security breaches.
This is exactly what has happened in the recently launched claim against Marriott. Here, a claim is being brought by a journalist relating to the compromise of a reported 339 million guest records when the Starwood hotel systems were infiltrated in 2014.
Marriott unknowingly 'inherited' the breach when it bought Starwood in 2016. On discovering the breach in 2018, Marriott reported it to the Information Commissioner's Office (ICO), the UK's data protection regulator.
With numbers in the thousands and millions, just a small sum of damages per person soon adds up to astronomical sums.
What are organisations most likely to be fined for under GDPR?
Judging by almost daily headlines on data breaches, you would be forgiven for thinking that that the DPAs have been busy since the GDPR was ushered in, issuing fines for GDPR security failings.
However, when we look at enforcement across Europe (to the extent that this is possible, given not all DPAs in Europe make their enforcement action public), we see a different picture.
GDPR fines from DPAs across Europe (that have been publicised) have now exceeded the €200 million mark.
Some DPAs issued large fines in the millions of euros (such as the French and Italian DPAs) and others have doled out more modest fines in the thousands of euros, such as the Spanish DPA, which has been busy issuing a rash of smaller fines.
The majority of these fines relate to failings to respect the GDPR rights of individuals, such as the right to know what is happening with your data or the right to access it. Fines for security breaches are in the minority.
When looking at the ICO's annual report it is surprising to see that, in the UK at least, of the data breaches reported the vast majority are not in fact cyber breaches but non-cyber incidents – for example, accidental disclosures of personal data or failing to set the right access controls.
Do smaller organisations really get to fly under the radar?
It is a misconception that unless your organisation is a giant household name, you needn't worry too much about getting fined by a DPA.
DPAs are looking closely at some big companies with big data and testing their privacy metal, but they are not the only ones drawing the eye of the DPAs in Europe.
Many smaller organisations, which most of us have probably never have heard of, have landed themselves in hot water with DPAs.
It is also surprising how often failure to cooperate with a DPA's investigation is cited in a write-up of the enforcement action taken. Had the organisations been more cooperative, would their fines have been lower or even non-existent?
What are the biggest cyber security threats?
It may come as a surprise that Department for Digital, Culture, Media and Sport's (DCMS) Cyber Security Breaches Survey 2020 reveals that in the UK, ransomware attacks, which often receive considerable publicity (including some of it from the protagonists themselves), only accounted for 8% of those breaches for business and 10% for charities.
The heavy reliance on remote working technology forced by the Covid-19 lockdown has left workforces more vulnerable to malicious attacks than ever.
According to the Ponemon Institute's 2020 study results, a large proportion of those surveyed thought that a rise in remote working would increase the time it takes to identify and contain a potential breach and the cost of a breach.
This correlation makes sense because a swift and effective breach response helps reduce the cost of a breach. This is underscored by Ponemon's findings, which highlight how a well-prepared incident response team can dramatically cut the cost of handling a breach.
DCMS' Cyber Security Breaches Survey 2020 also reveals that on average almost half of businesses (46%) and a quarter of charities (26%) report having some kind of cyber security breach or attack in the last 12 months.
When looking at size of organisation, the highest proportion of attacks were against large firms, at 75% in the past 12 months. Of those breaches or attacks, by far the largest proportion were the result of fraudulent emails or being directed to fraudulent websites (86% for businesses and 85% for charities).
How has the pandemic impacted enforcement?
From enforcement figures across Europe, we see that that pandemic has not only had an impact on cyber breach risks but also on how DPAs have enforced during this time.
Early on, a number of regulators publicly stated they would take the pandemic into account when considering enforcement action, albeit some with the clear caveat that the pandemic cannot be an excuse for poor compliance.
In step with this, when looking at fines issued across Europe, there was a noticeable slowdown in fines from March through to May 2020. Remote working and reduced resources potentially also had an impact on DPAs and contributed to the slowdown.
The pace of fines then started to pick up again from June, with DPAs seemingly getting back to 'business as usual' when it comes to issuing fines.
Which data protection regulators are fining the most?
The top five countries for GDPR fines by total value and in this order are: Italy, France, Germany, Austria and Sweden.
The UK comes very low in the rankings and is nowhere near the top five at present. In fact, based on the ICO's annual report for 2019/2020, we see that when it comes to security breaches handled, 95% resulted in no further action being taken and only 0.03% actually resulted in a fine.
The ICO issued a couple of 'intention to fine' press statements back in July 2019 relating to the British Airways and Marriott security incidents. Neither has been issued yet. The proposed amounts £183,390,000 and £99,200,396 respectively would have shot the UK to the top of the leader-board for size of GDPR fines.
But since these figures were mooted, the circumstances of the travel and hospitality sectors have changed drastically as a consequence of the pandemic.
IAG (the owner of BA) indicated in its most recent half-yearly results reveals that BA has reserved 22 million euros for the data breach – a dramatic reduction of the originally anticipated fine. The changed fortunes of both BA and Marriott could result in dramatically lower fines from the ICO.
Which sector is top of the 'leader-board' for fines?
Particularly noticeable are the number of fines that DPAs across Europe have issued in the health sector – against healthcare providers.
The ICO's published data on enforcement action in 2020, the DCMS' Cyber Breach Survey 2020 results and the 2020 Ponemon survey findings on the cost of a breach all point towards the health sector being particularly vulnerable.
It is easy to see how smallish organisations in this sector, with limited resources to dedicate to security and training but with responsibility for sensitive health data, could be more vulnerable to a security breach and to DPA enforcement when it occurs.
To compound the issue, Ponemon also reports that the average cost of breach was, for the tenth year running, highest in the health sector (across the 524 organisations in 17 countries surveyed for their 2020 survey).
Have there been any fines for failing to notify breaches within GDPR required timescales?
There have been a number of fines from DPAs that mention the timing of notification.
Generally, however, either there was no notification at all or it was very late. A few days of delay does not appear to be a big issue for DPAs.
What are the common cyber security failings leading to fines?
Overall, DPAs are not interested in punishing organisations that tried diligently to keep up with the times and secure their systems.
Fieldfisher's privacy team regularly sees clients receive a 'no further action' result from DPAs when they have been able to demonstrate that they really did do what they reasonably could. After all, even with the deepest pockets, could any organisation really say their data is 100% secure?
What DPAs really get worked up about are failings that are often affordable and avoidable.
For example, setting and maintaining proper internal access controls, implementing two factor authentication to reduce the risk of malicious infiltration are affordable measures most companies can take, while holding on to data long past its expiry date and failing to carry out sufficiently detailed due diligence on providers that have access to personal data are failings that can reasonably be avoided.
Kirsten Whitfield is a director in Fieldfisher's leading privacy, security and information team. For more information on our expertise in this area, please visit the privacy pages on the Fieldfisher website.
In the run-up to the GDPR coming into force, the anticipated increase in the number and severity of fines combined with a raft of new and enhanced data protection obligations created a stir.
Some organisations sprang into action, mapping their data flows, polishing policies, rolling out training and so on. Others took a much more relaxed approach – after all, they had managed to fly under the radar of regulatory scrutiny before and why should the GDPR change that?
The GDPR has now been in place for more than two years and data protection regulators have had time to get into the swing of things when it comes to enforcement.
How is enforcement by data protection regulators panning out and is it really the major risk predicted – or are there bigger risks to the bottom line?
When looking at enforcement trends, although a few whopping fines have been issued, most have been relatively modest in size and relatively few have been levied, when you consider the large number of security breach notifications and complaints from individuals that data protection authorities (DPAs) across Europe have been dealing with.
The reality is that DPA fines are, in most cases, not the biggest threat to the bottom line. A greater threat for many businesses is loss of confidence in an organisation once a GDPR breach, often cyber security-related, becomes public knowledge.
This can and regularly does drastically impact share prices and drive away business, although there is some evidence that memories can be short and share prices can and do recover following a breach.
Recently, another threat has become more prominent that could eventually eclipse the risk of DPA enforcement; this threat is the 'representative claim'.
This threat needs to be taken seriously is because a representative claim does not require claimants to 'opt in'. Rather, this type of claim can be brought by a person or organisation on behalf of the 'wronged' class of people without their consent – and they are automatically 'in' as long as they have a common cause of action.
This is different to other more 'traditional' class action style claims, such as the one brought by Morrisons employees following the theft and publication of their data by a vindictive employee. This was a claim in which, thankfully, common sense prevailed in the Supreme Court where it was held that Morrisons could not be held vicariously liable for the actions of this rogue employee.
The precedent for the representative claim was set by the Lloyd v Google case, also known as the 'Safari workaround' case, which centred on transparency for data collection. This was a successful 'representative claim' by Lloyd on behalf of more than four million Apple iPhone users who were held to have in common that they lost control of their data.
In this case it was also held that individuals needn't have suffered any financial damage to have a claim.
Aside from there being no need for individuals to 'opt in' to the representative claim, there being no need to show any financial loss makes this type of claim very attractive to claimants for security breaches. This is because it can be very difficult to prove that you suffered specific financial loss or other damage as a direct result of a particular security breach.
It is not such a big leap to see how this could be applied to large-scale security breaches.
This is exactly what has happened in the recently launched claim against Marriott. Here, a claim is being brought by a journalist relating to the compromise of a reported 339 million guest records when the Starwood hotel systems were infiltrated in 2014.
Marriott unknowingly 'inherited' the breach when it bought Starwood in 2016. On discovering the breach in 2018, Marriott reported it to the Information Commissioner's Office (ICO), the UK's data protection regulator.
With numbers in the thousands and millions, just a small sum of damages per person soon adds up to astronomical sums.
What are organisations most likely to be fined for under GDPR?
Judging by almost daily headlines on data breaches, you would be forgiven for thinking that that the DPAs have been busy since the GDPR was ushered in, issuing fines for GDPR security failings.
However, when we look at enforcement across Europe (to the extent that this is possible, given not all DPAs in Europe make their enforcement action public), we see a different picture.
GDPR fines from DPAs across Europe (that have been publicised) have now exceeded the €200 million mark.
Some DPAs issued large fines in the millions of euros (such as the French and Italian DPAs) and others have doled out more modest fines in the thousands of euros, such as the Spanish DPA, which has been busy issuing a rash of smaller fines.
The majority of these fines relate to failings to respect the GDPR rights of individuals, such as the right to know what is happening with your data or the right to access it. Fines for security breaches are in the minority.
When looking at the ICO's annual report it is surprising to see that, in the UK at least, of the data breaches reported the vast majority are not in fact cyber breaches but non-cyber incidents – for example, accidental disclosures of personal data or failing to set the right access controls.
Do smaller organisations really get to fly under the radar?
It is a misconception that unless your organisation is a giant household name, you needn't worry too much about getting fined by a DPA.
DPAs are looking closely at some big companies with big data and testing their privacy metal, but they are not the only ones drawing the eye of the DPAs in Europe.
Many smaller organisations, which most of us have probably never have heard of, have landed themselves in hot water with DPAs.
It is also surprising how often failure to cooperate with a DPA's investigation is cited in a write-up of the enforcement action taken. Had the organisations been more cooperative, would their fines have been lower or even non-existent?
What are the biggest cyber security threats?
It may come as a surprise that Department for Digital, Culture, Media and Sport's (DCMS) Cyber Security Breaches Survey 2020 reveals that in the UK, ransomware attacks, which often receive considerable publicity (including some of it from the protagonists themselves), only accounted for 8% of those breaches for business and 10% for charities.
The heavy reliance on remote working technology forced by the Covid-19 lockdown has left workforces more vulnerable to malicious attacks than ever.
According to the Ponemon Institute's 2020 study results, a large proportion of those surveyed thought that a rise in remote working would increase the time it takes to identify and contain a potential breach and the cost of a breach.
This correlation makes sense because a swift and effective breach response helps reduce the cost of a breach. This is underscored by Ponemon's findings, which highlight how a well-prepared incident response team can dramatically cut the cost of handling a breach.
DCMS' Cyber Security Breaches Survey 2020 also reveals that on average almost half of businesses (46%) and a quarter of charities (26%) report having some kind of cyber security breach or attack in the last 12 months.
When looking at size of organisation, the highest proportion of attacks were against large firms, at 75% in the past 12 months. Of those breaches or attacks, by far the largest proportion were the result of fraudulent emails or being directed to fraudulent websites (86% for businesses and 85% for charities).
How has the pandemic impacted enforcement?
From enforcement figures across Europe, we see that that pandemic has not only had an impact on cyber breach risks but also on how DPAs have enforced during this time.
Early on, a number of regulators publicly stated they would take the pandemic into account when considering enforcement action, albeit some with the clear caveat that the pandemic cannot be an excuse for poor compliance.
In step with this, when looking at fines issued across Europe, there was a noticeable slowdown in fines from March through to May 2020. Remote working and reduced resources potentially also had an impact on DPAs and contributed to the slowdown.
The pace of fines then started to pick up again from June, with DPAs seemingly getting back to 'business as usual' when it comes to issuing fines.
Which data protection regulators are fining the most?
The top five countries for GDPR fines by total value and in this order are: Italy, France, Germany, Austria and Sweden.
The UK comes very low in the rankings and is nowhere near the top five at present. In fact, based on the ICO's annual report for 2019/2020, we see that when it comes to security breaches handled, 95% resulted in no further action being taken and only 0.03% actually resulted in a fine.
The ICO issued a couple of 'intention to fine' press statements back in July 2019 relating to the British Airways and Marriott security incidents. Neither has been issued yet. The proposed amounts £183,390,000 and £99,200,396 respectively would have shot the UK to the top of the leader-board for size of GDPR fines.
But since these figures were mooted, the circumstances of the travel and hospitality sectors have changed drastically as a consequence of the pandemic.
IAG (the owner of BA) indicated in its most recent half-yearly results reveals that BA has reserved 22 million euros for the data breach – a dramatic reduction of the originally anticipated fine. The changed fortunes of both BA and Marriott could result in dramatically lower fines from the ICO.
Which sector is top of the 'leader-board' for fines?
Particularly noticeable are the number of fines that DPAs across Europe have issued in the health sector – against healthcare providers.
The ICO's published data on enforcement action in 2020, the DCMS' Cyber Breach Survey 2020 results and the 2020 Ponemon survey findings on the cost of a breach all point towards the health sector being particularly vulnerable.
It is easy to see how smallish organisations in this sector, with limited resources to dedicate to security and training but with responsibility for sensitive health data, could be more vulnerable to a security breach and to DPA enforcement when it occurs.
To compound the issue, Ponemon also reports that the average cost of breach was, for the tenth year running, highest in the health sector (across the 524 organisations in 17 countries surveyed for their 2020 survey).
Have there been any fines for failing to notify breaches within GDPR required timescales?
There have been a number of fines from DPAs that mention the timing of notification.
Generally, however, either there was no notification at all or it was very late. A few days of delay does not appear to be a big issue for DPAs.
What are the common cyber security failings leading to fines?
Overall, DPAs are not interested in punishing organisations that tried diligently to keep up with the times and secure their systems.
Fieldfisher's privacy team regularly sees clients receive a 'no further action' result from DPAs when they have been able to demonstrate that they really did do what they reasonably could. After all, even with the deepest pockets, could any organisation really say their data is 100% secure?
What DPAs really get worked up about are failings that are often affordable and avoidable.
For example, setting and maintaining proper internal access controls, implementing two factor authentication to reduce the risk of malicious infiltration are affordable measures most companies can take, while holding on to data long past its expiry date and failing to carry out sufficiently detailed due diligence on providers that have access to personal data are failings that can reasonably be avoided.
Kirsten Whitfield is a director in Fieldfisher's leading privacy, security and information team. For more information on our expertise in this area, please visit the privacy pages on the Fieldfisher website.