Europe Catches GDPR Breach Notification FeverPrivacy Law Is Fast Revealing the True Extent of Data Breaches Across UK and EU
Less than four months after GDPR enforcement began, Europe has arguably entered - if at times screaming and stumbling - into the modern data breach notification era.
In the U.K. last week, British Airways warned that it had been hacked and up to 380,000 customers' payment card details stolen (see RiskIQ: British Airways Breach Ties to Cybercrime Group).
That followed a number of other recently reported big breaches at such organizations as beauty retailer and pharmacy chain Superdrug Stores as well as Dixons Carphone, which owns such European brands as Carphone Warehouse, Currys, Dixons Travel and PC World. Another breach victim - across its European operations and beyond - was Ticketmaster.
Security experts say the increased breach awareness is thanks in no small part to the EU's General Data Protection Regulation, which EU privacy watchdogs began enforcing on May 25. Under GDPR, organizations must report many types of breaches involving Europeans' personal data to relevant authorities within 72 hours (see GDPR: UK Privacy Regulator Open to Self-Certification).
UK Data Breach Reports Quadruple
In July, the Information Commissioner's Office - the U.K.'s data protection authority and GDPR enforcer - said that the number of reports of data breaches that it was receiving had quadrupled after GDPR went into full effect. That doesn't necessarily mean that companies were being breached more often, but simply that they are now reporting such breaches more often (see Under GDPR, Data Breach Reports in UK Have Quadrupled).
"Since the GDPR was introduced in May, what we are seeing is an increase in the reporting of the breaches that are happening," Brian Honan, who heads Dublin-based cybersecurity firm BH Consulting, tells Information Security Media Group. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."
"If we are more aware of the root causes of breaches in other organizations, we can use that information to better secure our own systems."
Other European countries have also reported a sharp rise in data breach reports. Last month, the Data Protection Commission - Ireland's DPA - told ISMG that it had seen breach reports double following GDPR enforcement. And the Commission nationale de l'information et des libertés, which is France's DPA, told ISMG that from May 25 to July 31 of this year, it received 1,804 complaints, a 37 percent increase compared to the 1,132 complaints it received during the same time period in 2017 (see GDPR Effect: Data Protection Complaints Spike).
Breach Class-Action Lawsuits Arrive
The first mandatory consumer breach notification law traces to California's SB 1386, which went into effect on July 1, 2003.
But Europe's new privacy rules involve far more than just notification.
Notably, the British Airways breach has also led to the threat of a £500 million ($650 million) class-action lawsuit by SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman. Under GDPR, in addition to any direct losses suffered, for example, due to unreimbursed fraud, victims can seek "non-material damage" compensation. SPG Law says victims, whose payment card details would have been current at the time of the breach, should receive compensation for the "inconvenience, distress and misuse of their private information" caused by the breach (see British Airways Faces Class-Action Lawsuit Over Data Breach).
In the wake of other lawsuits that seek compensation for breaches, including one U.K. case involving supermarket chain Morrisons, the class-action threat against British Airways and any other firm that suffers a data breach appears to be very real, says Jonathan Armstrong, an attorney at London-based Cordery who specializes in technology and compliance.
"I do think that there is more chance of these actions succeeding under GDPR than under U.S law," Armstrong tells ISMG. "I think we have established here that you do not need to show financial loss, as you might in some of the U.S. litigation."
Under GDPR, not every breach must be reported to relevant authorities. When organizations do report, in the U.K., the ICO allows organizations to report via an online form or via a telephone helpline. In July, Laura Middleton, who heads up the ICO's personal data breach enforcement team, said that the telephone contact point would be best for organizations that might have never suffered a breach before and were not sure if it should be reported.
Fast-forward two months, and the ICO says that knowing whether to report a breach remains a big question.
"We have been receiving around 500 calls a week to our breach reporting line since [May 25], and roughly a third of these are from organizations who, after a discussion with our officers, decide that their breach doesn't meet our reporting threshold," James Dipple-Johnstone, the UK's deputy information commissioner, said in a speech on Wednesday at the CBI Cyber Security in London.
"Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. Other than that, causes involve malware (10 percent), misconfiguration (8 percent) and ransomware (6 percent) amongst others," he said.
72-Hour Reporting Deadline
Dipple-Johnstone said organizations were also having difficulty with the 72-hour notification period required by GDPR. "Remember: it's not 72 working hours, the clock starts ticking from the moment you become aware of the breach," he said.
In July, the ICO's Middleton warned that "the 72 hours isn't just to email or phone us" with a heads-up about a breach, but rather to provide a report to the ICO including a number of details it specifies on its website.
Dipple-Johnstone said some organizations have failed to put the right people forward when making their breach report, leading to incomplete reports.
"Our guidance sets out very clearly what you should include when you report a breach. You might not have all that information in the first 72 hours - we get that. But please plan ahead; have people with suitable seniority and clearance to talk to us and be ready to provide as much detail as you can and be able to tell us when we can expect the rest," he said.
"It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn't authorized by the general counsel to tell us more than that. If you don't assign adequate resources to managing the breach we may ask you why not."
'Breach Fatigue' Question
After notifying authorities, many organizations that have suffered a data breach will be instructed to notify victims, or else choose to do so on their own. Because consumers are already seeing a sharp rise in breach notifications, some have voiced concern that it could lead to "breach fatigue" and perhaps a sense of helplessness at their lack of power to control the fate of their data.
"There is an argument that we risk people suffering data breach notification fatigue," says Honan, who is also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency. "However, I would argue that people are better off knowing that their data is at risk so they can take appropriate action to protect themselves. We should also be aware that breach notifications serve to provide not just the individuals affected by the breach details of what happened but also should be used by other organizations to learn from. If we are more aware of the root causes of breaches in other organizations, we can use that information to better secure our own systems."
Beyond helping other organizations avoid being breached, notifications also serve a useful policy role, Honan says. "Notifications can also be useful for policy makers to better understand the security landscape and ensure the appropriate strategies, budgets and resources are allocated to the relevant public services to enhance cybersecurity overall."