Let’s Explore Data Breaches!
According to EU regulations, a personal data breach can be defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
Here, we unpick what a data breach means in practical terms, including how they happen and how to prevent them.
WHAT EXACTLY IS A DATA BREACH?
A data breach is when confidential, sensitive or protected information is shared and/or viewed without permission. This information has been collected by a business or organisation, and may relate to their employees, clients, customers, patients, users and any other individuals they interact with. Businesses and organisations are legally entitled to do this, and may record a wide variety of personal data, such as people’s bank details, biometrics, passport numbers, political beliefs and sexuality.
However, businesses and organisations have a legal obligation to protect this data. After all, it contains highly confidential details that any ordinary person would want to be kept secret. That is why all businesses and organisations that process personal data must comply to the General Data Protection Regulations (GDPR). The rules, which came into effect on 25 May 2018, apply to all businesses that handle an EU citizen’s data – regardless of whether that business is based in the EU, and regardless of its size.
Unfortunately, businesses and organisations do not always manage to protect personal data adequately. The result is that a subject’s data is shared, viewed or accessed by someone it shouldn’t be. This represents a breach of that person’s data protection rights. Consequently, that individual may be the subject of nuisance sales calls, identity theft and fraud. He or she may also suffer reputational damage, public humiliation and an overall sense of violation.
EXAMPLES OF DATA BREACHES INCLUDE:
• Loss or theft of data, including due to fire or accidental erasure where no back-up exists
• Disclosing confidential data to unauthorised individuals
• Hacking, viruses and other security attacks
• Sensitive information being left unlocked in accessible areas
• Staff selling data to a third party
Why do data breaches happen?
Given that businesses and organisations have a duty to protect personal data, you might wonder exactly why data breaches happen. There are various ways in which a data breach might occur.
ACCIDENTS & HUMAN ERROR
Sometimes, data breaches happen accidentally, with human error typically to blame. It could be that an employee uses their colleague’s computer and accesses data without the correct authorisation. Or, it could be that an employee mistakenly shares sensitive data, be it through an email, letter or social media. This happens with alarming frequency, with research conducted in 2018 by Clearswift showing that 45% of employees have mistakenly shared emails containing key data with unintended recipients. This included personal information, bank details and other confidential text. It could also be that files are shared via an unsecured network, making them vulnerable to abuse from malicious outsiders.
Alternatively, the data breach may happen from within a business or organisation – but it might not be an accident. There have been occasions when an employee has deliberately shared personal data with the intention of harming a company or an individual. After analysing an 18-month period, the 2019 Global Data Exposure Report found that over half of data breaches were an ‘inside job’. Experts have suggested that disgruntled or departing employees are often the source, as they wish to damage the business following the termination of their employment.
Things go missing all the time, having either been lost or stolen. But what if this item is laptop or hard drive that contains sensitive information? This is exactly what happened in 2018 when an encrypted laptop was stolen outside an office building. The data of 37,000 Eir customers – Ireland’s largest telecom provider – were hit by the data breach. Although Eir insists no financial data was exposed, the device did contain details of customers’ names, numbers, email addresses and Eir account numbers.
This is probably what most people think of when they hear about a data breach. As the above examples show, data breaches aren’t always the brainchild of hackers and criminals. Yet there’s no doubt that personal data is often targeted by people outside the business or company. Tactics include phishing scams, where hackers pose as legitimate brands in order to persuade you to hand over sensitive information. They may access your passwords or abuse security flaws to access your personal data without detection. Such breaches are almost always for malicious reasons and so typically lead to the most troubling outcomes, including fraud and identity theft.
REAL-LIFE EXAMPLES OF DATA BREACHES:
Data breaches affect companies of all shapes and size, including large household names. Twitter, for example, recently made headline news when Ireland’s Data Protection Commission (DPC) issued the company with a fine of €450,000. The incident relates to a bug that remained undetected from 2014 to 2019. During this time, the ‘protect your tweet’ setting was not working as it should have done for Android users, meaning their tweets may have been public rather than private. This amounted to a GDPR violation, which Twitter then failed to promptly report and properly document – resulting in a hefty fine from the DPC.
You may also have read about the British Airways hack which affected 400,000 customers. Criminals were able to infiltrate BA’s systems and redirect customers to a malicious domain. This recorded customers’ information as it was input into the site. This included their names, addresses, log ins and bank details. This was a major breach of data protection laws, which could have been prevented, had more secure systems been put in place. BA also failed to detect the breach until significant damage had been done. The company was subsequently issued with a £20 million fine. Thanks to the effects of Covid-19, this is considerably smaller than the £183 million fine that was originally intended by the Information Commissioners Office (ICO).
DATA BREACH VS CYBER ATTACK
Reading the above examples, you might wonder if a data breach is the same thing as a cyber attack. The two terms are closely linked. However, a cyber attack is generally the cause, whereas a data breach is the outcome. Take the incident involving British Airways, for instance. That was a targeted and malicious cyber attack conducted by a criminal organisation. The result was that hundreds of thousands of customers unwittingly revealed confidential personal data to the wrong people. British Airways could not have prevented this cyber attack – they have no agency over the actions of criminals. Those wanting to hack the company’s system were always going to try. But what British Airways could have done was to implement better cyber security, thereby ensuring that a data breach did not occur.
Furthermore, a data breach can occur without a cyber attack taking place. A cyber attack is an intentional act designed to cause some kind of damage, as happens with a malware attack. But as outlined above, a data breach can happen without the involvement of malicious outsiders. It may occur because of an accident, a lost or stolen device, or an internal leak.
HOW CAN A DATA BREACH BE PREVENTED?
So how exactly do you prevent a data breach? It all comes down to security. These measures must be end-to-end, meaning they incorporate every single aspect of the company and every single person who interacts with the system. It’s no good having the best anti-malware protection in place, only for an employee to send confidential customer data to their personal email account.
Practices that can improve security and prevent a data breach include:
• Implementing security software and updating it regularly
• Using high-end encryption tools for sensitive data
• Enforcing multi-factor authentication systems
• Educating employees and third parties on best practices
• Monitoring systems to identify potential flaws or attacks
• Updating systems and practices in response to identified risks
If you’re uncertain as to how to become fully GDPR compliant, you can always ask a professional for help. Our accredited GDPR data protection solicitors can ensure your business or organisation meets the regulations, giving you peace of mind that you won’t fall foul of the rules.
WHERE DO I REPORT A DATA BREACH?
If a business or organisation suffers a data breach, and this poses a risk to an individual’s rights and freedoms, then GDPR rules state that it must be reported to the relevant supervisory authority. This must be done within 72 hours of discovering the breach. In Ireland, data breaches must be reported to the Data Protection Commission (DPC).
Remember, the GDPR regulations apply to all businesses who process personal data, including those who employ less than 250 staff. The regulations also apply to all businesses that handle an EU citizen’s data, even if that business is not physically located in the European Union.
A failure to report a data breach within 72 hours can increase the penalty that is imposed.
FINES FOR DATA BREACHES
Businesses and organisations who fail to comply with GDPR face a range of available penalties. Serious infringements could result in a maximum fine of €20 million, or 4% of the company’s global turnover for the last 12 months – whichever is greater. For less serious infractions, the maximum fine is €10 million, or 2% of the company’s global turnover for the last 12 months – whichever is greater.
This does not necessarily mean that the maximum fine will be imposed. In Ireland, the DPC will calculate a fine according to the following factors:
• The type of infringement, how severe it was and how long it lasted
• Whether it was deliberate or accidental
• The action taken to reduce the damage
• The organisation’s security measures
• Whether this is a first or subsequent GDPR infringement
• The level of cooperation
• The types of personal data involved
• Delays in reporting
• Compliance with approved codes of conduct or certification schemes
Authorities also have a range of other penalties at their disposal. They have the power to:
• Issue warnings and reprimands
• Impose temporary or permanent bans on data processing
• Order the rectification, restriction or erasure of data
• Suspend data transfer to third countries
Furthermore, anyone who has had their privacy rights breached is entitled to pursue a claim for compensation, even if non-material damages have been incurred.
DATA PROTECTION SOLICITORS
Figures show that 6,700 data breaches were reported to Ireland’s Data Protection Commission in 2019. Only the Netherlands had more data breaches per capita in the European Economic Union.
To avoid becoming one of the thousands who are penalised every year for GDPR non-compliance, we recommend that you contact our solicitors. We have a team of accredited GDPR solicitors who can create a data protection action plan tailored to you and your organisation. By implementing a range of policies, processes and procedures, we can help keep your company compliant. Contact us now to find out more about how we can help you.