Towards the end of the year is a good time to take stock and look at the bigger picture. This has become an annual event here in the DACB Cyber & Data Claims Team. Once again we have looked back over our caseload from October 2021 to October 2022, drawn out the key trends and compared with the previous year.
Stats fans read on!
Profile of Data Breaches
In the last year our team has responded to 211 data breaches. This actually represents a small reduction from 2021 when we dealt with 230 but the number of cases progressing beyond support given in an initial call actually increased from 161 (70%) to 168 (80%). We suspect that tend to see the more difficult problems and the more routine support is often filtered out. This increase suggest the overall level of data breach problems is at a similar level or even increasing.
Around 11% of breaches had multi-jurisdictional issues and the most common size was up to 10 data subjects. This seems surprising as we handle many breaches with hundreds, thousands or tens of thousands of data subjects impacted. Although these larger breaches tends to dominate the time we spend the smaller breaches still predominate – in terms of numbers of cases at least.
Of the breaches handled 75% had malicious causes, a slight increase from 71% last year. Of these 59% were ransomware related (up from 48%), 31% were email compromises (up from 29%) and other malicious causes declined.
Finally the top 3 sectors we saw impacted were professional services firms (23%), financial services firms (13%) and the public sector (13%). These all figured highly last year but thankfully last year’s top sector – charities, has dropped down the list.
Experiences with the ICO
When considering the data in relation to the regulatory landscape, the past 12 months has been fairly consistent when compared to previous years. There have been 95 matters, which progressed beyond the initial enquiry or advice, that were notified to the ICO. Out of those, 56 were reported by DACB and 37 were completed by the client independently before we were engaged. Therefore a third of the matters were reported to the ICO without seeking legal advice or guidance.
The data also highlights the lag time between the breach occurring and when it is discovered by the client, with the maximum time between breach and discovery being 64 days and the minimum time amounting to no days i.e. immediate detection. This translates to a median of 4 days from breach to discovery.
There is also a fairly big distinction when comparing the time it takes the Regulator to investigate matters. The maximum number of days it took the Regulator to investigate a matter from open to closed was 109 days while the minimum was 2 days. This equates to median period of 22 days for the Regulator to investigate.
Once again, we are pleased to report that out of all the matters reported to the ICO in the last year, no regulatory action was taken.
Data Subject Notifications
We recorded that out of 168 data breaches handled in the preceding year, 12 required a mandatory notification to data subjects pursuant to Article 34 (1) UK GDPR and 19 incidents resulted in organisations informing data subjects of a data breach when it was arguably a requirement.