Data breaches are a “time bomb”

Earlier this week, a leading security expert warned that data breaches are now a “time bomb”, with too many companies putting confidential customer information at risk.

The comments were made to the BBC by Bryan Sartin, head of global security services at telecommunications company Verizon, following the publication of a report which analysed thousands of successful cyber-attacks.

The annual Verizon Data Breach Investigations Report (DBIR) collated information from 41,686 security incidents, of which 2,013 were confirmed data breaches that hit large and small organisations all over the world.

Speaking about the findings, Sartin said he was “surprised” more breaches had not become public and suggested that there are “probably some big situations queuing up right now”.

Key findings

Significant findings of the 2019 report include:

  • 52% of breaches were caused by hacking
  • 33% of breaches involved social engineering attacks (where people are manipulated into breaking normal security procedures so that criminals can gain access to systems)
  • Cyber thieves are increasingly and proactively targeting C-level executives
  • 71% of breaches were financially motivated
  • 25% of breaches were associated with espionage
  • 29% of breaches involved the use of stolen credentials
  • 56% of breaches took months or longer to discover

What can we learn from this report?

Under current data protection laws, UK companies that lose personal data face fines of up to 4% of their annual global turnover. Organisations are at greater risk of such penalties if they delay reporting data breaches and/or if they are found to have failed to protect personal data or to clean up after a breach. So it’s important that they take the threat of cyber-attacks very seriously.

Speaking about the latest findings, Hayes Connor managing director and data protection specialist Kingsley Hayes added his insight on this matter. He said: “Unfortunately, reports of a data breach time bomb are not exaggerated. In fact, we’ve been warning organisations about the level of risk they are exposed to since before GDPR.

“Having received thousands of enquiries from customers who have suffered as a direct result of a data breach caused by a cyber-attack in the last twelve months alone, it has become clear to us that this is just the tip of the iceberg. And, disturbingly, the response provided by many of these organisations falls short of what we would expect. Businesses must do more to meet their data privacy responsibilities and provide adequate redress where they fail to do so, or risk increased compensation claims.

“But it’s also vital to highlight that the vast majority of data breaches are not caused by cybercriminals, but by simple human errors and a failure to ensure robust security processes. And every day, these smaller data breaches are causing misery and upset to people across the UK.

“So, when it comes to data breaches, it’s just as important that businesses look at the threat from within as well as putting measures in place to protect themselves from the bad guys.”

Hayes Connor insights: data breach trends in 2018

Scrutinising the past 12 months, Kingsley Hayes, data protection solicitor and MD of Hayes Connor, looks at some of the key trends and insights we are seeing in this evolving area of law.

A lack of care is rife

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high-profile data breach. That’s in the last six months alone.

These cases saw breaches of personal, financial and sensitive data involving the likes of Ticketmaster, British Airways, Dixons Carphone and Facebook.

Disturbingly, the response provided by many of these large organisations falls short of what we would expect. In many instances, when a breach occurs the accepted risk management plan seems to be:

  1. Say sorry.
  2. Provide free security monitoring software.
  3. Promise it won’t happen again.
  4. Advise the customer that there is nothing they can do to remedy any losses they might suffer.

Such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.

In 2019 we would challenge businesses to do more to accept their data privacy responsibilities and provide adequate redress where they fail to do so.

If this challenge is not accepted, more and more customers will look for help to protect their privacy, and claim back from organisations where they have suffered loss. Put simply, to avoid the threat of data breach compensation claims, businesses must do more than pay lip-service to the idea of data protection.

The financial impact of data breaches is not immediately apparent

At this stage, it has become clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, at Hayes Connor we have seen cases where the financial losses only start to occur three to six months later. This is often because the stolen data is used in batches over time.

With major breaches now occurring weekly (particularly in the retail sector), we expect this situation to escalate. As such, more must be done to protect customers following a data breach – and this cannot be a short-term fix.

Individuals are becoming more aware of their data protection rights

The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights.

Indeed, at Hayes Connor we are currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.

In most of these cases, the victim of the data breach will have tried to engage with the organisation that has committed the breach and been either rebuffed or provided with a wholly inadequate excuse. In almost all cases the organisation at fault fails to recognise the damage caused by the breach and loss.

The emotional impact of data breaches is not being taken seriously by organisations

You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

A personal data breach is a 21st-century version of being burgled. And being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep and feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

According to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Crucially, the law understands the damage that can be caused by worry and upset. But it doesn’t appear that organisations do.

In our experience, companies and their representatives (be they legal or insurance based) are still responding with a pre-packaged “we won’t do it again” approach. This fails to recognise the full impact of the breach, which can be significant and of a psychological nature.

We’ve seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of these can lead to a diagnosable psychological injury. And, like financial losses, this is often happening months after the initial breach was revealed.

As awareness of the impact of data breaches grows, so does the need for the breaching organisation to understand that it must assess each victim as an individual and understand the repercussions of the offence. One size does not fit all.

The ICO’s approach doesn’t yet meet the needs of the individual

Over the last few months, we’ve paid close attention to how the Information Commissioner’s Office (ICO) has responded to data breaches.

In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians, and to make sure that organisations take appropriate action in the immediate aftermath of any breach.

While we understand this approach, we also believe that the ICO still requires education on the lasting and full impact of data breaches. Because to date, the experience of the individual is still being downgraded.

As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.

For example, at Hayes Connor we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years, over 150 incidents of the same type have been reported, and despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred. Unfortunately for those involved in this case, the ICO’s response was less than satisfactory. We hope that, as time progresses, so too will the ICO’s approach.

The law is evolving when it comes to data protection

Of course, data privacy is still a relatively new area of law, so it’s to be expected that it is still evolving. Recently we have seen more emphasis on the relationship between privacy rights and data protection from a legal perspective. This is good news for individuals, as it means we can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).

Other significant developments include:

  • Making it much easier to bring claims for compensation for distress alone (rather than as an add-on to a financial loss claim)
  • The courts looking at a wider range of factors when deciding on appropriate compensation (e.g. the consequences of the misuse of data, what information was breached, etc.)
  • The ability to hold organisations to account for data breaches caused by employees, third parties, etc.

Also, the law now realises how important it is that cases are assessed in detail and on their unique merits.

Ultimately, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect the standard of data protection we should all aspire to. And until then, it seems likely that data breach claims will only continue to increase.

If you would like to contact us regarding a data breach case, you can do so here.