Recently enforced data breach notification regimes are being tested, with the number of reported breaches rising in the EU and Australia.
Breach notifications and complaints, under the General Data Protection Regulation (GDPR), have risen sharply in a number of European countries, according to media reports. In France, the number of data protection complaints under the GDPR has increased 50%, while at a European level there are 29 cross-border cases under investigation, reported Politico. Coincidently, the French regulator recently fined a French optics firm €250,000 for failing to protect 334,000 customers’ data – the biggest fine ever dealt to a French company.
The UK’s Information Commissioner’s Office (ICO) also confirmed that it has experienced a rise in personal data breach reports under GDPR, while data protection complaints increased as people become more aware of their individual rights. The ICO said it will publish notification and complaints statistics in due course.
Similarly, the data protection regulator in Austria said there have been 59 breach notifications since GDPR came into force on 25th May, around the same number reported in the previous eight months. The Austrian regulator also said it had received 128 complaints and almost 500 questions filed under GDPR.
A similar trend emerged in Australia, which introduced a mandatory breach notification regime in February. The Australian Information Commissioner (OAIC) reported receiving 114 breaches in just the first six months, compared with 63 for the entire year of 2017 under the country’s voluntary reporting regime.
With breach notification requirements now in force in the EU and Australia, the first large data breaches are beginning to test the new regimes. In June, electronics retailer Dixons Carphone said that a cyber-attack had compromised data on 5.9 million payment cards and 1.2 million non-financial personal records. The breach is thought to be the most significant test of the EU’s GDPR since its implementation on 25th May.
The data breach was uncovered during a review of systems and data by Dixons, which triggered an investigation and the appointment of cyber security experts. The company said it has informed the individuals whose non-financial personal data was accessed and will advise them on any protective steps they should take. Dixons also reported the data breach to the Information Commissioner’s Office (ICO), although the National Cyber Security Centre and the Financial Conduct Authority are also involved.
GDPR brings in new rights for consumers, adding additional requirements for organizations that hold or process personal data and greater powers for regulators. Under the regime, organizations have just 72 hours to notify the regulator and individuals of a data breach, or risk a hefty fine. Penalties under GDPR are up to GBP 10 million or 2% of annual global turnover, or as much as GBP 20 million or 4% of annual global turnover for the most severe breaches and/or repeat offences.
QUESTION OF TIMING
Because the Dixons cyber attack took place in July 2017, the ICO will have to determine whether the breach is covered by GDPR, or if it will be investigated under the previous Data Protection Act. The ICO said it will look at when the incident happened and when it was discovered as part of its investigation, and “this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
Under the previous data protection rules, the maximum fine would be GBP 500,000. However, under the new EU regulations, the maximum fine would be around GBP 400 million (based on Dixons’ 2017 revenue of GBP 10.5 billion), a significant step up from the last fine the company faced for a data breach. In January, Dixons’ subsidiary, Carphone Warehouse, was fined GBP 400,000 following a cyber attack that compromised the personal data of 18,000 customers in 2015, one of the largest penalties dished out by the ICO to date.
Specialist cyber insurer Beazley said, “it will be interesting to see how the ICO reacts to the Dixons data breach.” It notes that the ICO has previously fined organizations that have demonstrated serious failings, with respect to breaches in the past - Yahoo was fined GBP 250,000 over a breach involving 500,000 UK customers and TalkTalk was hit with a GBP 400,000 fine after 150,000 customers’ details were accessed.
Dixons is not the only company to report a data breach since the enforcement of GDPR. Australian online recruitment company PageUp also notified the ICO of its recent data breach, which affected personal data of UK employees, as well as those of customers in Australia. Interestingly, the company was required to notify regulators in both the UK and Australia, after investigations into suspicious activity on its network revealed that personal data on its employees and job applicants had been accessed by an unauthorized third party.
PageUp is the first known example of a data breach that falls under both GDPR and Australia’s Notifiable Data Breaches (NDB) scheme, which came into effect in February. Similar to GDPR, the NDB scheme requires organizations to notify the Office of the Australian Information Commissioner (OAIC) and the individuals affected by a breach of personal data. PageUp said that it is in contact with its corporate clients to facilitate notification to individuals.
In more litigious societies like Australia, data breach notifications raise the prospect of regulatory investigations and potentially civil litigation. For example, law firm Centennial Lawyers said it is looking into a possible class action lawsuit against PageUp following its breach. The firm has already launched a class action lawsuit against the New South Wales Ambulance Service in the Supreme Court of NSW after it compromised sensitive employee information.
For more information on cyber insurance, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.