The number of reports of data security incidents received by the Information Commissioner (“ICO”) has increased by 75 per cent over the past two years, according to new analysis1 by Kroll, a global leader in risk mitigation and investigative services.
The findings, obtained from a request made under the Freedom of Information Act and analysis of publicly available ICO data, reveal details of data breaches which have compromised a broad range of individuals’ personal data, including health or clinical information, financial details, employment details and criminal records or endorsements.
Kroll says the increase in reports indicates that organisations have been gearing up for a new era of transparency around data breaches under the General Data Protection Regulation (“GDPR”), which came into force in May. Kroll expects both the number of reports and value of fines issued to increase significantly under the new regulation, creating much greater regulatory and reputational risks for businesses.
Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, explained: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK. The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.
“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 per cent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”
Human error risk versus hacker risk
Kroll’s analysis reveals that the data breach risks posed by human error are at least as great as those from cyber attacks. In the past year, of the incidents where the type of breach is specified, 2,124 reports could be attributed to human error, compared to just 292 that were deliberate cyber incidents2.
The most common types of incidents due to human error include data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason for data breach reports.
Of the deliberate cyber incidents reported, specific circumstances logged include unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).
Andrew Beckett noted: “Effective cyber security is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks. The majority of data breaches, and even many cyber attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”
Sectors submitting the most data breach reports3
The health sector is responsible for the highest number of reported data security incidents over the past financial year (1,214), a 41 per cent increase over two years. This is followed by general business (362), education and childcare (354) and local government (328).
Kroll says the health sector is top of the list partially due to mandatory reporting requirements that only applied to certain sectors pre-GDPR, but under the new regulation the firm expects to see a much broader spread of business sectors reporting incidents.
The analysis4 reveals that health or clinical data is the most common type of personal data compromised, specified in 39 per cent of reports over a three-year period. This is likely to be due to the high percentage of reports originating from the health sector. Other kinds of personal data compromised include financial details (10%), social care data (7%), employment details (5%), criminal records or endorsements (4%) and education records (3%).
Andrew Beckett said: “Following the introduction of the GDPR, the business case for investing in cyber defence has never been stronger. Our analysis of incidents reported to the ICO in the UK shows that people are still the critical factor, and investment in training staff, either to follow correct procedures or to spot phishing attacks before they click on the link/email, offers the best return for helping to prevent data losses. The increased scope for mandatory reporting of breaches under the GDPR may significantly alter these trends and results, and Kroll will continue to monitor and analyse breach data. What won’t change is the increasing number of breaches/data loss events and the need for companies to have an effective, tested plan for how they deal with these situations, including the need for having specialist partners identified for forensic incident response, specialist legal counsel, crisis communications and breach notification.”
Earlier this year, Kroll launched its Data Protection Officer (“DPO”) Advisory Services in partnership with leading data privacy law firms. The service is an expansion of Kroll’s existing cyber security and incident response offering and supports privacy and security departments in becoming and staying compliant with GDPR requirements, in particular Article 37 of the GDPR, which calls for certain organisations to appoint a DPO.