Data Protection Commissioner releases 2016 report
The Office of the Data Protection Commissioner (DPC) received 2,224 data breach notifications in 2016, a figure which was down slightly from the previous year (2,317).
In its 2016 report, the DPC said that it had investigated 1,479 complaints, more than half of which (56%) pertained to access requests.
The report says the office carried out more than 50 audits and inspections, with 9 prosecutions for electronic marketing offences.
The breakdown of data breaches showed that unauthorised disclosures were by far the largest proportion of breaches, with 1,117 under the ‘other’ category, followed by postal (570) and electronic (376).
Web site security accounted for 103 breaches, while the theft of IT equipment was behind 14 breaches.
Interestingly, the total number of breach notifications was 2,301, but 77 were deemed to be non-breaches under the provisions of the DPC Personal Data Security Breach Code of Practice.
While this suggests a growing acceptance of the need to disclose breaches, the report reminds certain parties of their obligations under the regulations.
“Telecommunications and internet service providers have a legal obligation under SI 336 of 2011 to notify the DPC of a data-security breach no later than 24 hours after initial discovery of the breach,” says the report.
“If the provider is unable to provide full details on the breach at this time, further details should be provided within three days of the initial notification. Any telecommunications company that fails to notify the DPC of a data-security breach may be liable on summary conviction to a class-A fine or, on indictment, to a fine not exceeding €250,000.”
In 2016, the report says a total of 142 valid data breach notifications were received from the telecommunications sector. This accounted for just over 6.3% of total cases reported for the year, representing an increase from the 104 notifications reported in 2015.
All other data-security breaches, says the DPC, are reported under a voluntary Personal Data Security Breach Code of Practice, which was introduced in July 2011.
“This Code of Practice is not legally binding and does not apply to the telecommunications sector,” says the report. “However, the General Data Protection Regulation, effective from May 2018, will make the reporting of data breaches to the DPC mandatory.”
Typical examples of data breaches in the report include:
- inappropriate handling or disclosure of personal data, e.g. improper disposal, third-party access to personal data (either manually or online) and unauthorised access by an employee;
- loss of personal data held on smart devices, laptops, computers, USB keys, paper files; and
- network-security compromise/website-security breaches, e.g. ransomware, hacking, web site scraping.
In 2016, the report says there was a rise in the number of network-security compromises reported, with the number of notifications almost doubling from 12 cases in 2015 to 23 in 2016. Such cases typically include ransomware and malware attacks, it said.
There was also an increase in web site-security breaches reported to the DPC, up from 12 in 2015 to 16 in 2016. These types of cases usually involve online retailer sites that hold customer credit-card information; the attacker is primarily focused on scraping credit-card details from the site for fraudulent purposes.
IT-related data breaches are dealt with by the new Multinationals and Technology team within the DPC. This team reviews the “actions taken by data controllers in response to such a breach and, where appropriate, advise organisations on further measures to strengthen system security to ensure non-recurrence of such IT-related breaches”.
The impending General Data Protection Regulation (GDPR), coming into force in May of next year, was an area of specific focus for the report.
“The next 12 months are all about GDPR–both getting ready as an EU data-protection authority and helping organisations get prepared. GDPR readiness will also have to include taking account of the emerging implications of the UK’s exit from the EU.”
“Significant efforts have been made during 2016 by the Irish DPC,” says the report, “and these will continue in driving awareness of data protection compliance issues for organisations. In this digital era, as technology hurtles forward, with artificial intelligence applications including driverless cars already waiting just around the corner, it becomes ever more critical that the data-protection rights of individuals are vigorously defended. The GDPR provides a new and more robust platform from which the Irish DPC can pursue this objective.”
GDPR has significant impact for data breach disclosure and data access requests.
The current statutory period to respond to an access request is 40 days. Under GDPR, this is lowered to one month.
“Once the GDPR comes into force on 25 May 2018,” says the report, “the DPC will be the lead data-protection authority for the regulation of multinationals that have their ‘main establishment’ in Ireland under the one-stop-shop model.”
“This model also requires us to cooperate with other data protection authorities on a regular basis on cases related to cross-border data processing. The Multinationals and Technology team will become the coordinating hub for this work, so that we can discharge our obligations most effectively and efficiently.”
The DPC said that it had “numerous interactions” with several multinationals on a variety of matters, including proposed new policies, products and services in 2016.
“Discussions with multinationals on their preparations for the introduction of GDPR also commenced during 2016, and we expect this type of engagement to scale up during 2017.”
Common tech issues
The report also commented specifically on what were deemed “common technology issues”. Under this section, it identified three common data-protection issues.
The first of these was the fact that “many data controllers are not fully aware of their obligations, or do not discharge their obligations fully, in their engagement of data processors, as required by the Data Protection Acts”.
The report describes a “hands off” approach to data governance that results in a poor standard of measures in place to protect data. It reminds data controllers of the obligation to ensure that data processors have sufficient security practices in place.
The second common issue was the range of security measures in place, and the requirement for “multi-faceted,” layered solutions. The report said that too many organisations rely on a single type of security measure that does not address the range of risks encountered.
The last issue was around human error and misjudgement. The report urged an organisational standard of “think before you click” to combat such issues, providing awareness training and impact assessments for changes made in systems.
“We will continue to issue practical guidance notes and advice during 2017 on these common issues and other emerging technology trends, and these will also drive our planning of multinational audits for 2017,” the report said.