UK ICO update on breach reporting

In a very welcome speech on 12 September 2018 to the CBI Cyber Security: Business Insight Conference, James Dipple-Johnstone (ICO Deputy Commissioner, Operations) summarised the UK ICO’s approach to security under GDPR and personal data breaches in particular.

The Deputy Commissioner confirmed the UK ICO’s continued pragmatism on the implementation of the GDPR, and in particular security measures.  We very much appreciate that our data protection authority continues to have such a commercial and reasonable approach.

For example, Mr Dipple-Johnstone noted that, where an organisation that suffers a breach engages ‘proactively to protect customers and the public the ICO will take that into account both in the type of regulatory response and also the scale of any enforcement action‘.

He went on to confirm that, as a regulator, ‘the ICO does not seek perfection … We seek evidence of senior management and board level insight and accountability.  We seek evidence of systems that provide a robust level of protection and privacy.  The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance.  For every investigation which ends in a fine, we have many audits, advisory visits and guidance sessions.  That is the real norm of the work we do.‘

All of which is very welcome to organisations using their best efforts to comply with GDPR.

The Deputy Commissioner went on to give the first ‘ready reckoner’ of breach reporting under the GDPR:

• roughly 500 calls a week have been made to the UK ICO breach reporting line since 25 May 2018,
• roughly 1/3 of those calls end up being for non-reportable breaches,
• (which means that 2/3 of the calls, or roughly 333 calls a week, are for reportable breaches),
• around 20% of reported breaches involve cyber incidents, of which nearly half are from phishing, 10% are caused by malware, 8% by misconfiguration, and 6% by ransomware,
• (which means roughly 80% do not involve cyber incidents).

Key trends include:

• organisations are struggling with the 72-hour requirement – it’s 72 hours from awareness, not 72 working hours,
• some reports are incomplete – there’s insufficient forward planning and not enough senior people involved in the reporting, and
• there’s an extent of over-reporting by some organisations,

As to over-reporting, Mr Dipple-Johnstone said that some controllers are ‘reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported.  We understand this will be an issue in the early months of a new system but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold‘.

Having helped many organisations with GDPR, we agree with Mr Dipple-Johnstone that this is to be expected in the early days.  Our view is that ‘managing perceived risk’ is likely the dominant factor, particularly given the fear of €10m/2% fines.  From seasoned Compliance Officers in regulated industries, to HR and Marketing professionals handed GDPR, all are struggling to judge that reporting threshold and very few are willing to be the person made a scapegoat if their view of a reportable risk attracts any criticism from regulators or, more likely, conservative professional advisers after the event.

We believe organisations will continue to ‘report if in doubt’ until there is more clearly-worded guidance from the Board (the replacement to the Article 29 Working Party) with more of the existing helpful practical examples when breaches need to be notified.  In particular, the guidance needs to focus on the change in likelihood and impact from:

• ‘unlikely to result in a risk’ – when no notification is required, to
• whatever the exact opposite is when notification is required.

One area many are struggling with is that the GDPR’s wording (in Article 33) is that controllers shall notify breaches ‘unless the personal data breach is unlikely to result in a risk’ (emphasis added).  This raises notification as the default position.  The position would be subtly different if the wording had been, for example, that ‘no breach is to be notified unless it is likely to result in a risk’.  (Article 33’s wording is not far off Article 9’s default position in relation to special categories of personal data.)  And what is the opposite to ‘unlikely to result in a risk’ – how likely does a risk need to be?

A further point of confusion is that risk management in information security settings, such as ISO 27001, typically evaluates risk by looking at both likelihood and impact, usually by scoring each on scale such as 1 to 5 and multiplying the two together.  Indeed, Recitals 75 & 76 talk of the ‘likelihood and severity of the risk’.  But Articles 33 & 34 seem to use ‘risk’ for ‘severity’: how does ‘unlikely to result in a risk’ relate to each of the likelihood and the severity of the risk?

The guidance needs to come from the Board so that it applies across the EEA – organisations are aware that the UK’s regulator (commercial, sensible and reasonable as it is) is often not seen as being as ‘tough’ as some others.  And organisations are processing data related to individuals across Europe – often asking which supervisory authorities should be notified in case of a breach.

While current guidance from the Article 29 Working Party (WP 250 rev_01 6 February 2018, building on WP 213 of 25 March 2014) does talk, in pages 23 to 26, of severity and impact, it reiterates Article 33’s wording.  And after describing factors to bear in mind when calculating risk, the Guidance states: ‘If in doubt, the controller should err on the side of caution and notify.‘

Returning to the topic of security, the Deputy Commissioner’s speech helpfully identified a common thread running through cases where the UK ICO has set higher fines: ‘the organisation’s own controls and culture contributed to the incident‘, and some areas in particular that all organisations are recommended to review:

• ‘poor board-level awareness of the risk to the organisation,
• incomplete or missing corporate records …,
• lapsed staff training,
• policies repeatedly not followed,
• understanding the DP risks of your supply chain …,
• investment in security deferred,
• poor data governance (particularly in test or product development environments),
• staff work arounds compromising security …, and
• obvious misconfiguration of systems leaving them open to long-known vulnerabilities‘

Mr Dipple-Johnstone finished by noting that a good data governance element to internal audit or assurance processes helps keep systems up to date and resilient, and helps ensure a good result from an ICO audit.

In summary, we very much welcome this key speech in the early days of GDPR’s breach notification regime – and the UK ICO’s continued pragmatism and reasonableness.  However, we believe more clarity is needed at an EU level for organisations to feel more confident in their notification decisions.