Written by: Fabienne Ruttledge
Over a year on since the implementation of the EU General Data Protection Regulation (GDPR), it is becoming evident that data breaches are a trend set to continue. GDPR is the current framework of data protection, which was previously regulated under the Data Protection Act 1998. The GDPR was considered a necessary response to rapid changes in technology which have significantly changed the way in which organisations collect information about people. The regulation applies to all ‘personal data’, which means any information regarding an identifiable person.
GDPR made some key changes, such as extending territorial scope and introducing harsher penalties for organisations. Perhaps more important however, are the rights that GDPR introduced for data subjects (ordinary people who share their data). These rights include the breach notification, whereby individuals must be notified that their data has been leaked within 72 hours of the organisation first having become aware of the breach. Furthermore, data subjects have the right to access any information that an organisation has regarding them. Data subjects can now even request organisations to erase their personal data if they wish.
Data breaches: explaining the trend
A data breach refers to the unauthorised release or misuse of private information, whether intentional or unintentional. The Information Commissioner’s Office (ICO) reported a 75 per cent increase in data breaches in the last two years alone (1). Although the number of data breach incidents is rising, this increase is partly attributable to the greater transparency that the GDPR has brought. In other words, all organisations are now required to report data breaches under GDPR, which was not mandatory prior to its implementation. The surge was therefore anticipated as organisations worked hard to comply with the new framework.
Growing threats with regards to our data
Despite the new framework, Verizon’s 2018 Data Breach Investigations Report (DBIR) (2) indicates that there are four growing threats with regards to our data: cyber-attacks (such as hacking and malware), lack of consent, insiders and errors.
The DBIR reported hacking as the leading form of action taken to leak data. Hacking refers to unauthorised entry into a computer or a network. Malware is the second most prevalent form of action, with software such as ransomware being deployed by cybercriminals. Many are left questioning the motives behind such cyber-attacks. According to the DBIR, 76 per cent of data breaches are financially motivated. Cybercriminals may steal payment card data, intellectual property, or more general personal information, which can subsequently be sold on the dark web. Other motives listed by the DBIR include espionage, ideology, convenience, grudge, and mere ‘fun’. Where data breaches occur as a result of cyber-attacks, it is virtually impossible to catch the culprits, as they are often located in jurisdictions beyond the reach of domestic enforcement. Given that 73 per cent of cyber-attacks were perpetrated by outsiders in 2018, very few offenders faced punishment.
Lack of consent or transparency can also amount to a data breach (i.e. where businesses use or transfer personal data without the individual’s consent). The GDPR now requires that businesses provide data subjects with a sufficient level of detail in the transparency information. However, from a business perspective, insiders are the largest threat with regards to our data. For example, in a case concerning the Morrisons supermarket chain, salary details of Morrisons employees were released by an employee. Although the perpetrator was imprisoned, Morrisons were held to be vicariously liable for the data breach. Although inside jobs are much more likely to be caught, it is often difficult to identify when someone is using their legitimate access to your data for illegitimate purposes. Other threat actions include human error (i.e. sending an email to the wrong person). Such errors made up 17 per cent of data breaches in 2018.
Publicised data breaches in 2018-19
Despite efforts to comply with GDPR, many companies were still hit by hefty fines following data leaks in the past year.
The biggest data breach of 2018 was that of hotel group Marriott International, whereby 500 million customer records were accessed and potentially copied. It was revealed that the attackers had unauthorised access since 2014. Despite the Marriott group being headquartered in the US, it is nonetheless required to comply with GDPR when dealing with EU citizens. GDPR allows for fines of up to 4% of annual turnover, meaning that Marriott could have faced a fine of £117m. This is a significant increase on the maximum fine of £500,000 under the previous data protection regime. In June 2019, the ICO proposed a £99.2m fine for Marriott. It has been suggested that the maximum fine was not imposed as the hotel group were quick to disclose the breach, notify customers and offer compensation to victims. Nonetheless, Marriott have since stated that they would appeal against the fine.
In January 2019, Google was found to be in breach of GDPR for ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’ (3). Almost immediately after the GDPR took effect, two French advocacy groups filed complaints. The groups argued that Google was prohibited from processing user data for ad personalisation under the GDPR. Google had not sought specific consent for ad personalisation, but rather required users’ consent in full for all processing purposes. This approach is too broad, as the GDPR requires consent to be given distinctly for each purpose. When creating an account, the option to personalise ads was also ‘pre-ticked’, which further breached rules under GDPR. Accordingly, France’s data watchdog CNIL used its powers under GDPR to impose a fine of 50 million euros (£44m). Whilst this incident did not arise from a cyber-attack, it demonstrates the ways in which businesses have been illegitimately using our data without user consent.
British Airways have suffered the biggest fine yet levied under the GDPR. The airline, owned by IAG, suffered a cyber-attack in June 2018. Cybercriminals stole payment card details from 500,000 passengers by diverting them to a fraudulent site. Consequently, the ICO imposed a record fine of £183m (1.5 per cent of BA’s turnover) for the breach last year. Although BA claim they responded quickly to the data theft, the fine will act as a warning to companies that they must focus on prevention as opposed to cure.
Impact of data breaches on businesses
Whilst data breaches can hurt both businesses and consumers, businesses tend to bear the burden of significant financial, practical and reputational costs.
When a company is hit by a cyber-attack or is known to have misused its customers’ data, customers may seek compensation. In Google v Vidal-Hall, a case concerning internet browsing history, the court held that customers can recover where they are merely ‘upset’ about a data breach. Therefore, there is no need for actual loss to have been suffered in order to make a claim for compensation. Furthermore, customers may move to competitors due to broken trust, resulting in the loss of repeat business. Finally, where a data leak concerning a publicly listed company is publicised, the company’s stock price is likely to plummet.
In addition to this, data breaches are likely to have practical costs for businesses. If there were deadlines or targets in place, the company may no longer be able to meet them. Finally, and perhaps most importantly, data breaches have a reputational cost for businesses. Such incidents have the capacity to damage customer trust and public perception.
Effectiveness of GDPR
To conclude, the GDPR has been somewhat successful in regulating the use of data across the EU. In the first nine months of its implementation, over 144,000 complaints were made by individuals and 89,000 breach notifications were delivered (4). GDPR has been most successful with regards to breach notification law, as more data breaches are being reported than ever before since its implementation. Whilst some companies have faced much larger fines than would have been imposed under the old regime, many believe that GDPR has not done enough with regards to sanctioning corporations. The vast majority of businesses are still escaping fines, despite an evident failure to protect their customers’ data. The GDPR’s overall effectiveness and credibility in dealing with data breaches thus depends on its enforcement over the next few years.