The following is an opinion article written by Helen Nuttall, International BBR Services manager, Beazley. The views expressed within the article are not necessarily reflective of those of Insurance Business.
The introduction of the General Data Protection Regulation (GDPR) in May 2018 was a pivotal moment in data privacy. In early May 2018, the GDPR was more popular than Beyoncé, to the delight of privacy professionals across the world. Since then, the regulatory hype has diminished as companies of all shapes and sizes have spent the last 12 months grappling with its impact. In theory, the GDPR has become a business-as-usual compliance risk, but misconceptions, misunderstandings and legal grey areas remain.
Notification of data breaches
The GDPR introduced the obligation to report personal data breaches to the competent regulator without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. A notification made after the 72 hours must be accompanied by reasons for the delay. Unsurprisingly, this led to a significant rise in the number of data breaches and cybersecurity incidents reported to European regulators since the introduction of the GDPR.
The UK regulator, the Information Commissioner’s Office (ICO), reported a 490% increase in incidents notified to it in Q2 2018 compared to Q2 2017. The ICO also reported that it was handling around 500 telephone calls per week to its breach reporting hotline in the aftermath of the GDPR coming into force. Of the notifications made to the ICO, a third failed to meet the threshold for a reportable ‘personal data breach’, demonstrating that many organisations either do not understand the reporting requirements or are taking a cautious approach and over-reporting for fear of regulatory action for a failure to report.
The UK is not alone. In France, the Commission nationale de l’informatique et des libertés (CNIL) reported a 64% increase in the number of breach notifications between May and September 2018 compared to the same period in 2017, along with a large increase in calls to its hotline and traffic on its online FAQ service. One of the more active German data protection authorities (DPAs), the DPA of Baden-Württemberg, reported a tenfold increase in the number of reported data breaches from 2017 to 2018.
Reflective of this upwards trend in breach reporting, Beazley’s international breach response services team saw notifications more than double between 2017 and 2018 and almost quadruple between the first quarter of 2018 and the first quarter of 2019 as organisations become more aware of their obligations, and data subjects more aware of their rights.
In 2018 and 2019, BBR Services handled an increasing number of breaches for US companies subject to the GDPR involving EU data subjects. The most common scenario involved business email compromise – where the email accounts of numerous employees are taken over by an attacker following a well-crafted phishing campaign. In several instances, HR employees were targeted, and the personal information of EU employees was sitting in their inboxes. With the help of local counsel in the UK, the US companies were able to notify EU DPAs in a timely fashion. BBR Services also recommended a forensic investigation to determine what the attacker actually accessed in the compromised accounts and whether any other email accounts had been taken over; the scope of the mailbox data, not merely the fact of the account takeover, is what drives the notification analysis. Ultimately, in most instances, notification was required only to the subset of data subjects whose information was found in the inboxes and actually exposed, depending on the type of personal information accessed.
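The scoping step described above, establishing which mailboxes an attacker reached and where the first signs of compromise appear, is usually started from the mailbox audit log before any counsel-led notification analysis. The following is an added example written for this page; it is not Beazley's or BBR Services' tooling. It runs over a handful of constructed audit events in a simplified, hypothetical JSON-lines format (the field names, the `example.com` tenant, the per-user baseline countries and the IP addresses are all assumptions) and flags accounts with sign-ins from outside their normal countries, mailbox rules that forward mail externally or delete it, and any other accounts touched from the same attacker IP, which is how one compromised HR inbox typically leads to the second and third. It also computes the GDPR 72-hour notification deadline from the time the organisation became aware of the breach.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (hypothetical format loosely modelled on
# cloud mailbox audit logs). Not real data; IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2019-02-04T08:02:11Z", "user": "hr.lead@example.com", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "GB", "result": "Success"}
{"ts": "2019-02-04T08:15:40Z", "user": "hr.lead@example.com", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG", "result": "Success"}
{"ts": "2019-02-04T08:17:02Z", "user": "hr.lead@example.com", "op": "New-InboxRule", "ip": "198.51.100.77", "country": "NG", "result": "Success", "params": {"ForwardTo": "collector@example.net", "DeleteMessage": true}}
{"ts": "2019-02-04T09:01:00Z", "user": "payroll@example.com", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG", "result": "Success"}
{"ts": "2019-02-04T09:30:00Z", "user": "cfo@example.com", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG", "result": "Failure"}
{"ts": "2019-02-04T10:00:00Z", "user": "it.admin@example.com", "op": "UserLoggedIn", "ip": "203.0.113.22", "country": "GB", "result": "Success"}
"""

# Hypothetical baseline: countries each user normally signs in from.
BASELINE_COUNTRIES = {
    "hr.lead@example.com": {"GB"},
    "payroll@example.com": {"GB", "IE"},
    "cfo@example.com": {"GB"},
    "it.admin@example.com": {"GB"},
}


def parse_events(text):
    """Parse JSON-lines audit records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious_rule(event, tenant_domain):
    """An inbox rule that forwards mail outside the tenant or silently deletes
    messages is a classic BEC concealment/exfiltration step."""
    if event.get("op") != "New-InboxRule":
        return False
    params = event.get("params", {})
    forward = params.get("ForwardTo", "")
    external = bool(forward) and not forward.endswith("@" + tenant_domain)
    return external or params.get("DeleteMessage") is True


def triage(events, baseline, tenant_domain):
    """Return {user: [indicator strings]} for accounts needing forensic review.

    Pass 1 flags successful sign-ins from outside each user's baseline countries
    and suspicious inbox rules, collecting the source IPs as attacker IPs.
    Pass 2 pivots on those IPs to surface every other account they touched,
    including failed attempts, which still show the attacker targeted it.
    """
    indicators = defaultdict(list)
    attacker_ips = set()
    flagged = set()  # indices of events already explained by pass 1

    for i, ev in enumerate(events):
        user = ev["user"]
        if (ev.get("op") == "UserLoggedIn" and ev.get("result") == "Success"
                and ev.get("country") not in baseline.get(user, set())):
            indicators[user].append(
                f"successful login from unexpected country {ev['country']} via {ev['ip']} at {ev['ts']}")
            attacker_ips.add(ev["ip"])
            flagged.add(i)
        if is_suspicious_rule(ev, tenant_domain):
            indicators[user].append(f"suspicious inbox rule created at {ev['ts']}: {ev['params']}")
            attacker_ips.add(ev["ip"])
            flagged.add(i)

    for i, ev in enumerate(events):
        if i in flagged or ev.get("op") != "UserLoggedIn" or ev.get("ip") not in attacker_ips:
            continue
        outcome = "successful" if ev.get("result") == "Success" else "failed"
        indicators[ev["user"]].append(
            f"{outcome} login from known attacker IP {ev['ip']} at {ev['ts']}")
    return dict(indicators)


def notification_deadline(aware_ts):
    """GDPR Art. 33: regulator notification within 72 hours of becoming aware.
    Timestamps are 'YYYY-MM-DDTHH:MM:SSZ' (UTC), as in the sample log."""
    aware = datetime.strptime(aware_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return aware + timedelta(hours=72)


if __name__ == "__main__":
    findings = triage(parse_events(SAMPLE_LOG), BASELINE_COUNTRIES, "example.com")
    for user, notes in findings.items():
        print(user)
        for note in notes:
            print("  -", note)
    # Awareness time is the point the indicators were recognised, not the first attacker login.
    print("notify regulator by:", notification_deadline("2019-02-04T11:00:00Z").isoformat())
```

The baseline-country check is deliberately coarse; in a real engagement it would be replaced with the identity provider's own risk signals and the attacker IP list extended from threat intelligence. The point of the second pass is the one that matters for notification scope: a single confirmed takeover is rarely the whole incident, and every mailbox the attacker IP reached has to be reviewed for EU personal data before the data-subject notification list can be fixed.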
Regulatory action and the first fines
While regulators continue to wade through the backlog of breach notifications and privacy complaints filed under the GDPR, enforcement action under the GDPR has so far been relatively limited.
However, by the end of 2018, regulators had started to flex their muscles and issue the first fines under the GDPR. The Portuguese DPA fined a hospital €400,000 after employees accessed patient data through fake user accounts. The Austrian DPA imposed a €4,800 fine on a retail establishment with a surveillance camera capturing too much of the sidewalk. A German DPA fined a social media company, Knuddels.de, €20,000 after a hacker compromised over 800,000 email addresses and passwords that were stored in plain text. This surprisingly low fine was justified by the DPA on the basis that Knuddels fully cooperated with their investigation and committed to improving their data protection practices.
Since then, the same DPA has fined a business €80,000 for a lack of internal controls surrounding health data.
While these initial GDPR fines are on the smaller end of the spectrum, there are some significant cross-border investigations underway across Europe against US tech giants, and we are likely to see some big fines being imposed in 2019. In fact, the French DPA kicked off 2019 with a €50 million fine against Google for failing to properly disclose to users how data is collected across services. Importantly, the French DPA left open the possibility that Google could be fined for the same infringement by other DPAs as well.
In Ireland, the DPA reported that it was dealing with 38 personal data breaches involving 11 multinational technology companies from May 25 2018 to December 31 2018, so it seems like it is only a matter of time before it takes substantial regulatory action.
Perhaps indicative of an increasing willingness on the part of regulators to use their powers, we also saw regulators imposing higher than usual fines under the old law at the end of 2018 – for example, the ICO imposed a maximum fine against Facebook (£500,000), and we saw Uber fined by the ICO, and the French and Dutch DPAs in the space of a few months, with fines totalling €1.45 million.
Territorial scope
The expanded territorial scope of the GDPR has been a cause for concern for many of our non-EU insureds. Many organisations spent 2018 considering whether their data processing activities might bring them within the GDPR’s reach. In November 2018, the European Data Protection Board (EDPB), the EU body responsible for the consistent application of the GDPR, released draft guidelines on the territorial scope of the regulation. These long-awaited guidelines shed some welcome light on the GDPR’s extraterritorial application, but many legal grey areas remain. We await publication of the final version over the course of 2019.
Helen Nuttall joined Beazley in April 2018 as an International breach response services manager. Helen is responsible for handling international breach incidents and overseeing breach management for policyholders outside the US and Canada who hold a Beazley Breach Response cyber policy. Helen also works closely with Beazley’s underwriters in the development of new cyber breach offerings.