Mandatory Reporting: Statistics From the First Few Months, and the First GDPR Movement
Thursday 20 September 2018 / by Tal Williams posted in Business, Corporate & Commercial Technology Law

There is a well-known cartoon drawn by John Klossner that depicts a boxing ring. In one corner, ready for the fight, is data security, with firewalls, encryption, antivirus software etc. and in the other corner is your employee – Dave – wearing a t-shirt saying “human error”.

The message is that all your systems are only as good as the people you have using them and how well you have trained them. Never has the above message been more true!

Readers will be aware that the mandatory data breach reporting requirements in Australia have been in operation since February this year. The Office of the Australian Information Commissioner has since produced two quarterly reports on the matters notified. Some interesting statistics emerge.

In the quarter ended 30 July 2018:

General

  1. There were 242 notifications
  2. 36% arose because of human error
  3. 5% were as a result of a fault in the IT system
  4. 21% of breaches reported affected one person only
  5. 89% of breaches involved release or access to contact information
  6. 42% of breaches involved release or access to financial information
  7. 25% of breaches involved release or access to health information

Human Error

When it comes to the human error component:

  1. 40 breaches occurred when data was simply emailed or otherwise sent to the wrong address
  2. 7 were emails in which the sender failed to use a BCC (resulting in the personal details of a third party being included in the address bar of the email)
  3. 14 arose from loss of paperwork, insecure disposal or loss of storage devices

Cyber Incidents

Of course, with only 36% arising from human error, a large proportion arose from a cyber incident. In that regard:

  1. 29% were from phishing emails (which could, in my view, also be human error, as such attempted access will mostly fail unless someone erroneously opens the offending email)
  2. 4% were ransomware
  3. 4% were malware
  4. 14% were brute force attacks
  5. 34% were accessed via stolen or compromised credentials (i.e. legitimate passwords and logins were disclosed, lost or stolen and used by a party to access data).

Industries

Many industries were affected. The top five were:

  1. Health Service Providers (49 notifications)
  2. Finance (36 notifications)
  3. Legal/Accounting and Management (20)
  4. Education (19)
  5. Business and Professional Associations (15)

It is interesting to note that the share of breaches attributed to human error was much higher in the health industry (59%) and in finance (50%) than in other areas.

General Data Protection Regulation (GDPR)

Readers would also be aware that the European regulation also came into effect in May this year. Interesting developments to note include:

First Large Case Filed (26 May 2018)

The day after the law became effective, Max Schrems (an Austrian privacy campaigner), via his not-for-profit organisation NOYB (short for ‘None Of Your Business’), filed three complaints worth a total of €3.9bn against Facebook and its subsidiaries, WhatsApp and Instagram, via regulators in Austria, Belgium, and Germany. He has also filed another complaint worth €3.7bn in France, focused on Google’s Android mobile operating system. These matters are yet to be heard. The general basis of the applications revolves around the concept of “forced consent”.

First Decision (29 May 2018 - Germany)

In the first decision applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR as set out in Article 5. That Article states that personal data collection shall be

“for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

It must be:

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

The case concerned ICANN, an American company that oversees the global WHOIS database (which stores domain names), and EPAG, a German domain registry. Under their contractual relationship, EPAG was to provide ICANN with certain information about the people who purchased domain names. EPAG refused on the basis that there was no business or legal need to provide the personal details of technical and administrative contacts.

ICANN sued EPAG in Germany. ICANN failed. The Regional Court in Bonn found that the collection of such data would violate the data minimisation rule (Article 5) of the GDPR. ICANN appealed in August, but failed again.


Tal Williams 

If you have a privacy issue or want to put in place protections and safeguards, do not hesitate to give me a call.
