Data Breach Reports in Europe Under GDPR Exceed 59,000Netherlands, Germany and UK Have Logged the Most Data Breach Reports
Eight months after the EU's General Data Protection Regulation came into full effect, European data protection authorities have received more than 59,000 data breach reports, according to the law firm DLA Piper.
The firm analyzed data breach reports that have been filed by 23 of the 28 EU member states since GDPR came into full force on May 25, 2018.
GDPR Data Breach Notifications - to Jan. 28, 2019
Counting data breach reports is more difficult than it might seem.
At the end of January, for example, the European Commission reported that EU data protection regulators had collectively received 41,502 data breach notifications. But that was based on voluntary data contributions from only 21 EU member states. Some of the reported breaches also occurred entirely before GDPR came into effect, meaning old data protection laws apply.
"Based on our own research covering 23 of the 28 EU member states, together with figures for Norway, Iceland and Lichtenstein - the three additional European Economic Area member states - we calculate that there have been 59,430 reported data breaches over the same period across Europe," DLA Piper says. "The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively."
On the low end of the scale, Liechtenstein, Iceland and Cyprus each received less than three dozen breach reports.
Weighting the breach reports based on country population, DLA Piper found that the Netherlands logged the most data breach reports per capita, followed by Ireland and Denmark. "The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita," it says.
Take those per capita rankings with a grain of salt, however, because under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a "one-stop shop" mechanism. This enables organizations that have a presence across several EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence. The supervisory authority in the nation of the organization's "main establishment" takes on the role of lead supervisory authority.
For example, many U.S. technology giants - including Facebook, Microsoft, Twitter, and soon Google - have their European headquarters in Ireland, and thus will report all data breaches to Ireland's DPA (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches).
But DLA Piper says the per capita weightings also reveal some red flags, including potentially differing cultural norms around breach reporting. "In particular, Italy has so far had very few breach notifications relative to its large population, which illustrates that notification practice and culture varies significantly among member states," it says. "It is important to note that this report focuses on reported data breaches only."
Breach Count Increases
In December 2018, Information Security Media Group reported that the number of data breach reports filed since GDPR went into effect had hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K. (see: GDPR: EU Sees More Data Breach Reports, Privacy Complaints).
The latest EU data breach notification count does not necessarily mean that more breaches are occurring now than before GDPR went into effect, when few breaches had to be reported. As Dublin-based information security expert Brian Honan has told ISMG: "There is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."
In the U.S., the Identity Theft Resource Center found that in 2018, the overall number of data breaches reported by organizations to state regulators and affected consumers declined from 2017. Many breached organizations do not disclose exactly what types of data was exposed. But for the organizations that did so, the ITRC found that compared to 2017, breaches in 2018 exposed many more records containing data that state laws define as being sensitive, which includes payment card data, Social Security numbers, dates of birth and medical diagnoses (see: Fewer Breaches in 2018, But More Sensitive Data Spilled).
Notably, however, state laws don't treat email addresses, usernames or passwords as sensitive, meaning their exposure alone typically would not require an organization to issue a data breach notification (see: Data Breach Collection Contains 773 Million Unique Emails).
Do the Right Thing - Or Else
GDPR, however, is much more stringent, and any organization worldwide that violates the privacy regulation faces fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) - whichever is greater - as well as other potential sanctions, such as losing their ability to process personal data. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.
European privacy regulators say GDPR is not meant to be punitive. Do the right thing to remedy a problem and you won't be punished simply for failing, they say. Also, the 72-hour deadline for an organization to alert authorities in the case of some types of breaches isn't meant to serve as a "gotcha," but rather so that regulators can help.
On the other hand, however, the U.K.'s data protection authority, the Information Commissioner's Office, says that it wants to see specific details of what happened and the likely impact in the 72-hour window, rather than hearing that the breached organization is still struggling to muster a response (see: GDPR: UK Privacy Regulator Open to Self-Certification).
91 GDPR Fines and Counting
Already, EU regulators have been issuing GDPR fines. "So far 91 reported fines have been imposed under the new GDPR regime," DLA Piper says. "Not all of the fines imposed relate to personal data breach."
For example, the largest fine to date - €50 million ($57 million) against Google by France's CNIL data protection authority - did not relate to a data breach, but rather the processing of personal data without authorization (see: France Hits Google With $57 Million GDPR Fine).
Germany accounts for 64 of the GDPR fines that have been leveled so far, including the two largest fines to result from a data breach. Last November, the German Data Protection Authority in the state of Baden-Württemberg, known as the LfDI, fined German chat firm platform Knuddels.de - "Cuddles" - €20,000 ($22,700) for failing to hash stored passwords.
"By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data," LfDI said in its advisory notice.
The LfDI also notched the second-largest GDPR fine so far - a €80,000 ($91,000) penalty levied last month against an organization that published "health data on the internet," DLA Piper says.
"The remaining fines are relatively low in value, including a €4,800 ($5,500) fine issued in Austria for the operation of an unlawful CCTV system which was deemed excessive for its partial surveillance of a public sidewalk," DLA Piper says. "Cyprus also reported four fines, with a total value of €11,500 ($13,100), and Malta reported a total of 17 fines, a surprisingly large number given the relatively small size of the country. Details of these cases are currently not publicly available."
DLA Piper says that many data protection authorities have a big backlog of data breach reports, so many breached organizations are still waiting to hear if they will face fines (see: Life Under GDPR: Data Breach Cost Unknown).
Many organizations are continuing to try to come to grips with GDPR, and regulators are continuing to issue new guidance, based on what some organizations have done wrong. So far, it's not yet clear if organizations can take out cyber insurance to help mitigate their risk of having to pay non-criminal GDPR fines in the event of a data breach (see: How Cyber Insurance Is Changing in the GDPR Era).
"It is still very early days for GDPR enforcement, with only a handful of fines reported across the EU. With the exception of the recent €50 million fine imposed on Google, so far the level of fines have been low, certainly when compared to the maximum fines regulators now have the power to impose," DLA Piper says in its report. "However, we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of euros as regulators deal with the backlog of GDPR data breach notifications."
Business Upsides to Compliance
The impetus for GDPR remains to safeguard Europeans' privacy rights. And not all organizations that handle Europeans' personal data fully comply with GDPR.
Complying with GDPR isn't a silver bullet for avoiding all breaches, but it can help. Indeed, organizations that comply with GDPR report multiple upsides, according to a recent study conducted by Cisco, which queried 3,200 information security professionals in 18 countries about their GDPR and overall security posture.
"GDPR-ready organizations have ... experienced fewer data breaches, and when breaches have occurred, fewer records were impacted, and system downtime was shorter," Cisco said (see: Cisco Studies Global Impact of GDPR).