Twenty-eight personal data breaches have been reported to The Office of the Data Protection Commissioner (ODPC) in the last two months up to 13 December 2018. The number of breaches has increased slightly, when compared with the previous reporting period of 26 reported breaches over the two months up to 18 October.
The increase is likely due to two factors: firstly, organisations are increasingly aware of their legal obligation to report breaches; and secondly, certain organisations have erred on the side of caution by reporting incidents that do not necessarily meet the breach classification criteria. The ODPC encourages all local organisations to continue with this cautious approach as it provides valuable intelligence on the real-world risks faced by local organisations. Most incidents reported to the ODPC were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require significant further inquiry. As with the previous reporting period, there have been a number of incidents where hackers have gained control of email accounts using social engineering techniques. Guernsey’s Data Protection Commissioner, Emma Martins, commented on the role of breach reporting and organisations’ duty to consider the people affected.
‘We continue to see local organisations engaging in their legal obligation to report data breaches to our office. This is an essential aspect of compliance as it requires organisations to proactively engage with the risks they face in protecting people’s personal information. It also ensures they robustly consider the impact a breach may have on the people whose data has been affected.’
The ODPC uses the breach report information received to shape activities, particularly its communications strategy and regulatory action plan. Understanding where organisations are vulnerable enables the ODPC to target its resources in the most effective way. The ODPC is working to improve its online breach reporting mechanism and has asked for any comments to be submitted via firstname.lastname@example.org.
Personal data breach: legal criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident.
It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPC encourages all incidents to be reported.
‘Significant interests’ explained
A person’s ‘significant interests’ are defined in our local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
Action points for organisations after a personal data breach:
- Read: ODPC breach reporting guidance document (includes checklists and templates);
- Let ODPC know the breach has occurred – via the secure online breach reporting mechanism;
- Take steps to limit the damage. Where appropriate, advise any person who received data in error that they should delete the data and must not make use of or disclose the data to anyone else;
- Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency;
- In some cases you will need to notify the person whose data was disclosed in the breach;
- Ensure your organisation reviews and learns from what has happened.
Action ODPC take following a reported breach:
- They record the breach, securely and confidentially, and assess its severity;
- They contact the organisation to confirm receipt of the breach report and discuss what happens next (each report is assessed on a case-by-case basis);
- Where necessary the ODPC may need to communicate with other data protection authorities, if the breach is likely to affect people outside of the Bailiwick.