It is now 21 months since the GDPR came into force. For the period 25/05/18 to 27/01/20, authorities within the EEA were notified of 160,921 personal data breaches. DLA Piper’s research also reveals that the UK ranks 3rd in the European league table of breaches with 22,181. France does considerably better, ranking 9th with only 3,459 reports. The UK has roughly the same economic output ($2.8 trillion) as France but over six times the volume of data breaches! This is perplexing and obviously a concern.
There are many possible explanations. Could it be that UK organisations are more likely to report breaches than their French counterparts? Or is it because the UK’s economy is more service orientated? Perhaps hackers perceive Britain as an easy target, with low hanging fruit? What is clear, is that data protection regulations are becoming more stringent and organisations need to up their game by investing more to keep their data secure.
Fines levied by data protection supervisory authorities across the EEA have been relatively low and infrequent thus far. This is most likely because authorities are still staffing up their enforcement teams and getting to grips with the new regime. It would be foolhardy, however, to assume that financial penalties will remain at a similar level over the coming months. Indeed, the ICO has already started to bare its teeth. Last year it announced its intention to fine British Airways £183.39m. A day later, Marriott International received a proposed £99.2m fine for GDPR infringements. The French data regulator CNIL also decided to get serious by fining Google £44m for breaching the rules. Although significant, these penalties fall well short of the maximum fine possible under the GDPR (4% of annual global turnover).
How are GDPR fines applied?
It’s still early days, and how fines should be calculated remains an open legal question. When deciding whether to impose a fine and at what level, authorities must consider a range of factors which are set out in Article 83:
• The nature, severity and duration of the GDPR infringement.
• Whether the infringement was caused intentionally or by negligence.
• Any action taken by the organisation to mitigate the damage suffered by individuals.
• Technical and organisational measures that have been implemented by the organisation.
• Any previous infringements by the organisation.
• The degree of cooperation with the regulator to remedy the infringement.
• The types of personal data involved.
• How the regulator found out about the infringement, and the extent of any notification by the controller or processor.
• Adherence to approved codes of conduct or certification schemes.
By focusing efforts on reducing the impact of a data breach, security professionals demonstrate a clear attempt at mitigating the damage suffered by individuals. For example, when considering financial penalties, the ICO are likely to look more favourably on an organisation which detected a breach by means of its own internal technological or organisational measures. Generally, organisations are getting better at detecting data breaches, but according to last year’s M-Trends report (FireEye), only 59% of compromises were internally detected.
The metrics most likely to predict the severity of any security breach are mean time to detect (MTTD) and mean time to respond (MTTR). Obviously, the less time a threat actor is left snooping around systems unchallenged, the better. Recent research published by IBM found that on average it takes 206 days for companies to discover a data breach and another 73 to fix it. It’s no longer a case of if your systems will be compromised but when. At CyberHive, we believe that efforts should focus on detecting breaches as quickly as possible in order to mitigate the damage.
Trusted Cloud uses distributed whitelisting technology to identify and locate system breaches in seconds. We help organisations to significantly reduce their MTTD and MTTR by detecting all unauthorised server activity, be it from external attackers or insiders. A change to a single line of code will be flagged within 30 seconds for investigation. Trusted Cloud protects one of your organisation’s most vital assets: its data. It also enables stakeholder and compliance reporting.
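To make the detection idea concrete, the following is an added example of the simplest form of server whitelisting: a baseline of cryptographic hashes for every file under a directory, re-checked to flag any file that was modified, added or removed. It is illustrative code written for this page, not CyberHive's Trusted Cloud implementation; the file layout it creates in a temporary directory and the one-line change it makes are constructed sample input, and the per-file SHA-256 approach is an assumption standing in for whatever the product actually whitelists.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Whitelist snapshot: relative path -> hash for every regular file under root."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-scan root and report every deviation from the approved baseline."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "added": sorted(seen - known),          # files nobody approved
        "removed": sorted(known - seen),        # files that should exist but do not
        "modified": sorted(f for f in known & seen if baseline[f] != current[f]),
    }


def has_deviation(report: dict) -> bool:
    """True when the report contains anything worth raising for investigation."""
    return bool(report["added"] or report["removed"] or report["modified"])


def demo() -> dict:
    """Constructed scenario: approve a small tree, then change one line, drop a file, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "handler.py").write_text("def handle(req):\n    return 'ok'\n")
        (root / "app" / "config.ini").write_text("debug=false\n")
        baseline = build_baseline(root)

        # A single-line change to approved code, one unexpected file, one missing file.
        (root / "app" / "handler.py").write_text("def handle(req):\n    return 'ok'  # edited\n")
        (root / "app" / "unexpected.txt").write_text("not on the whitelist\n")
        (root / "app" / "config.ini").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    report = demo()
    print("DEVIATION" if has_deviation(report) else "clean", report)
```

Running the check on a schedule (every 30 seconds, for instance) and shipping each non-empty report to a ticketing or SIEM system is what turns a hash comparison into a measurable MTTD: the timestamp of the first deviating report is the detection time that the Article 83 factors reward.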
In addition to financial penalties, organisations also face the reputational damage and remediation costs from data breaches. There is also the possibility of legal action from US-style group litigation claims. Lower your cyber insurance premium and the risk of an ICO fine under the GDPR by deploying Trusted Cloud server security.