Hayes Connor insights: data breach trends in 2019
Scrutinising the past 12 months, Kingsley Hayes, expert data protection solicitor and MD of Hayes Connor, looks at some of the key trends and insights we are seeing in this evolving area of law.
The majority of data violations are entirely avoidable
Cybercrime and data breaches have become commonplace, with both private and public sector organisations failing in their data protection duties during 2019. But it is preventable human error, rather than cybercriminals, that is behind the vast majority of privacy violations.
In response, organisations now need to have a full audit of the personal information held, where it has come from and how it will be used. The flow of information, consent for holding and processing that information, and identifying whether an organisation can have and use this data lawfully are just some of the measures that need to be considered.
The ICO appears to be delaying its decisions
Despite our understanding of the ICO and its processes, we are concerned about the time some decisions are taking.
For example, in July, the ICO announced its intention to fine Marriott International £99,200,396 and British Airways £183.39m for infringements of the General Data Protection Regulation (GDPR). Following this announcement, both BA and Marriott International were given 28 days to respond. But this period has since passed.
The ICO has responded to questions about this delay stating: "Under Schedule 16 of the Data Protection Act 2018, BA [and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time."
It is impossible to know why such delays are happening. Some people suspect that political uncertainty in the UK (Brexit and the 2019 General Election) might have held things up. The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK. But, in practice, it's hard to justify why Brexit should cause such a holdup. Indeed, very little should change when it comes to core data protection principles, rights and obligations. The Data Protection Act 2018 currently supplements and tailors the GDPR within the UK. And it continues to apply.
There is also a suggestion that the ICO needs more resources in our new GDPR era.
Whatever the reasons for the delays, the length of time the ICO is taking to make a final judgement is making it difficult for victims of data breaches to move on with the rest of their lives.
More than 40% of ICO fines haven't been paid
As well as the delays, it has come to light that the ICO is still owed 42% of the total amount of fines it has handed out for data breaches, spam, and nuisance calling since 2015.
Does the ICO need more powers? Surely a change in the law is needed to make sure that organisations not only take their data protection responsibilities seriously, but that they suffer the consequences where they don't.
The law sits firmly behind the rights of individuals when it comes to data breach protection
In October, the Court of Appeal made a ruling on the Lloyd v Google case which may open the floodgates to data breach claims.
The Court decided that claimants would be entitled to compensation even if the only personal information breached was their email address. It also ruled that a claim would be valid without the requirement to prove a loss or damage as the loss of control of the personal information was sufficient grounds.
The ground-breaking judgement also clarified that firms representing only a portion of the total number of individuals affected in major data breaches, such as the British Airways and Ticketmaster incidents, can claim compensation for the entire population affected and can thereafter distribute the funds.
This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.
The ruling rightly adds further weight and consequence to any breach of personal data and is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seek legal redress.
Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.
Data protection was at the forefront in the lead up to the general election
In a politically charged year, data protection was firmly intertwined with wider political developments.
The ICO wrote to all political parties at the beginning of November reminding them to adhere to data protection laws after concerns following its investigation in 2018 into how data analysis was being used for political purposes. And, in November, data security was front of stage again as news of two attempted cyber-attacks on the Labour Party was exposed. The party claimed that no personal data was breached in what was described as "large scale and sophisticated" attacks.
With significant amounts of private data being stored, processed and shared by all political parties, the importance of robust cybersecurity measures at all times was firmly highlighted.
Also in November 2019, just before the UK General Election, Twitter announced that it would ban all political ads. It is likely that the ICO was happy with the move as it had already expressed serious concerns about how data is being used for political purposes. In fact, in 2017 it launched a formal investigation into this very topic. The Electoral Commission, a Department for Digital, Culture, Media & Sport Committee and The Institute of Practitioners in Advertising have also raised concerns about microtargeting voters profiled using unknown data.
Self-reporting has increased
The General Data Protection Regulation (GDPR) now requires organisations to report data breaches within 72 hours or face penalties. This is likely to be a critical factor in the number of data breach reports being made. On a positive note, anecdotal evidence suggests that businesses are getting better at identifying and reporting cyberattacks. And if organisations are now taking cybersecurity more seriously, this can only be a good thing for individuals.
Find out more in our 2019 Data Breach Report
At Hayes Connor Solicitors, we help our clients to claim data breach compensation following privacy violations, GDPR breaches and other cyber offences. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law, and we lead our field when it comes to understanding the complexities involved.
To help raise awareness of data breaches, each year we will be taking a look at some of the key developments that have occurred over the last 12 months. By shedding some light on events, we hope to raise awareness of the importance of data privacy. And help businesses and individuals to become fully protected in our increasingly online world.
Our 2019 data breach report is now available
In our report you can find out about:
- Recent changes to data protection law
- Key data privacy trends
- High-profile data breaches that have occurred this year
- ICO fines
- Where we are up to with key cases (e.g. Ticketmaster, BA, Equifax, etc.).
What's more, in 2019, we celebrated a number of significant wins and developments at our firm. And in this report, we share some of these with you.