The Office of the Data Protection Authority (ODPA) has changed the frequency with which it publishes breach statistics from bi-monthly to quarterly.
It is also now publishing two new criteria: the severity of the reported breaches and the total number of people affected.
This shift in focus to include the number affected reveals how relatively few incidents can impact a huge number of people.
Nearly 10 million people were reported to be affected by the 38 personal data breaches reported to the ODPA from 1 January – 31 March 2023.
The majority of those were customers of a UK-based company which was the victim of a large cyber-attack, involving the details of millions of their customers. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based.
The ODPA is also now publishing breach severity, which organisations designate themselves when reporting an incident.
The Law requires organisations to report breaches where there is a risk to the ‘significant interests’* of any person whose data has been affected by the incident. When an organisation reports a breach it is asked to provide an indication as to how serious they consider the breach to be. The ODPA takes this into account when reviewing the report. The ODPA encourages breaches to be reported where the severity may not be immediately known or clear as this helps build a picture of the issues organisations face and feeds into communications and regulatory work.
The Bailiwick’s Data Protection Commissioner Emma Martins commented:
“We have always been clear that the reporting of breaches to us is more than a collection and publication of statistics. It is an invaluable tool we use to better understand the nature of the breaches experienced by our local regulated community.
That understanding then helps us to deliver relevant and meaningful support and education around the areas where there are vulnerabilities. We can all learn from things that have gone wrong and we must all do everything we can to minimise the likelihood of recurrences.
We must always remember that behind each statistic is a human being. Including the numbers of individuals affected in our breach report data encourages us to consider these issues from that perspective.”
The most striking examples of personal data breaches this year to date involve people using personal email accounts to send work-related information.
This is a problem for several reasons. Firstly, personal email providers are outside the control of the organisation, meaning its usual security policies do not apply and the organisation does not know what its data is being used for.
Secondly, access is likely to be less tightly controlled (accounts shared by couples or devices given to children), which means information could fall into the wrong hands.
Thirdly, as illustrated by recent events involving UK politicians, using personal messaging to conduct your work can blur where the boundaries of your personal life and your job are in a way that is not helpful for you or your workplace.
More information about how to handle a data breach can be found at: odpa.gg/breach-response.
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.