The Office of the Data Protection Authority (ODPA) has published its latest breach statistics, with 26 personal data breaches reported during March and April 2022.
Of these, 11 breaches occurred via email, which is an ongoing trend and remains the most common type of breach reported.
The chart below helps illustrate the complexity of circumstances surrounding the incidents where personal data is compromised:
One of the more unusual breaches reported related to confidential and sensitive information being discussed in a telephone conversation and overheard by a third party. The incident caused significant distress and could have had far reaching consequences for the person who was being discussed.
This example is particularly relevant because people are often working from home so it serves as a timely reminder to us all that safeguards need to be in place to ensure confidentiality of personal data whatever the setting.
Another interesting reported incident involved a warehouse burglary in the UK. The products stolen contained personal information that indicated the clients’ lifestyle and could be classed as ‘special category data’ (information relating to things such as a person’s racial or ethnic origin, political opinion, religious belief, and health data, amongst others). Special category data is given a higher degree of protection because significant harm can be caused if it is mishandled or compromised.
Template documents can also be a weak spot. Two of the reported breaches in this period involved completed templates which had been saved in error, overwriting the original template. The filled-out templates contained confidential personal information which was then made available to other people. One of these breaches occurred via an office intranet and the other was sent outside the organisation.
The Bailiwick’s Data Protection Commissioner Emma Martins explains why data breach reporting is so important:
“Understanding and responding effectively to personal data breaches is a fundamental part of data governance for all organisations, but the current heightened risks, especially around cyber-attacks, mean that we must be extra vigilant. The challenges we face, regardless of the size or nature of the organisation, are shared, and encouraging an informed and open conversation across the community is so important. The more we engage, the more likely we are to take meaningful steps to reduce risk and learn from the past. Data breach management does not exist in isolation; it must exist within a framework of compliance across the whole organisation and involving every member of staff.”
On 1 January 2022, the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how it happened (i.e. the circumstances that led to the breach occurring) and what the outcome was (e.g. accidental disclosure of personal data).
This change addresses the complexity of circumstances surrounding incidents where personal data is compromised and allows the person reporting the breach to provide greater clarity as to the reasons why a breach occurred and the impact of the breach.
The ODPA will continue publishing anonymised statistics of the breach reports it receives from the regulated community, every two months, so that everyone can apply any lessons learned.
More information about the changes is covered in the ODPA’s latest podcast, ‘Data Breaches - more than just a number’, which can be accessed via odpa.gg/podcasts
This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
Number of breaches reported (1 March – 30 April 2022):
* There was a total of 26 separate breach incidents reported, but because we changed how we categorise breach incidents in January 2022, the above table points to a total of 28 underlying causes. This discrepancy is because two of the breach reports gave 2 causes, while the other 24 gave only 1. Incidents like these are exactly why we changed the way breaches are categorised: to reveal the complex circumstances that can lead to a breach of someone’s data occurring.