Statistics:

Preventative measures help mitigate cyber and human risk

Published: 4 November 2022

The Office of the Data Protection Authority (ODPA) has published its latest breach statistics with 24 personal data breaches reported during September and October 2022. In one example, a company discovered a personal data breach while carrying out a routine threat analysis of computer systems. The data files found contained a confidential search term and were located on a publicly accessible cloud storage site. This case highlights the importance of carrying out regular internal security reviews. The company did the right thing in carrying out regular system checks and reported the breach once discovered.

In another example, an individual asked an organisation for personal information which was duly shared. Unfortunately, the information requested contained someone else’s personal data in an attachment which had not been redacted. Although the organisation had tried to do the right thing, it committed a breach because it failed to ensure the information it had shared only concerned the individual requesting it.

In a third, unrelated incident, an employee emailed their manager regarding a number of personal and sensitive issues. This email was printed out and seen by third parties, causing significant distress.

The Bailiwick’s Data Protection Commissioner Emma Martins commented:

“The examples included in this update highlight the reality of the risks for all organisations. The threat we all face of cyber-attacks has probably never been greater, regardless of the size of our organisation or the sector we work in. The organisation in the case referenced here shows us how important it is to build proactive threat analysis into all business activities, and the manner in which they dealt with this incident is to be commended. It is impossible to entirely eliminate the risk of attack, but ensuring you do all you can to prevent it, as well as ensuring you are alerted early in the event of an attack, is absolutely key to minimising impact and harm.

We also continue to see a high number of breaches which have been caused by human error. This is a vulnerability which we have spoken about before and, again, whilst it is something we can never eliminate completely, it is certainly something we all have the opportunity to learn from and improve. What may seem a small incident has the potential to significantly impact an individual or number of individuals and that must always be at the forefront of conversations around data governance and breach management.”

More information about how to handle a data breach can be found at: odpa.gg/breach-response.

NOTES

Number of personal data breaches reported to the ODPA (Oct 2018 – present): statistics are available for every two-month period from October 2018 to the present.

More information about how to handle personal data breaches.

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.