Data and incident response a focus of cyber investigations

Out-Law Analysis | 05 Oct 2020 | 9:05 am | 2 min. read

The way businesses organise the data they hold and address security weaknesses identified in the aftermath of cyber incidents has come into sharp focus.

An analysis of cyber matters worked on during the year up to May 2020 by the cyber team at international professional services firm Pinsent Masons has found that data protection authorities are increasingly focused upon organisations' data categorisation and the way in which organisations respond to cyber incidents.

Analysis also shows that suspected initial 'over-reporting' of personal data breaches by organisations in the immediate aftermath of the introduction of the General Data Protection Regulation (GDPR) in the EU has waned, and that regulators too are becoming more efficient in their handling of notified data breaches and probes into such incidents.

Less over-reporting and more efficient case management

Under the GDPR, organisations must notify relevant data protection authorities of personal data breaches "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.

The introduction of those mandatory reporting requirements sparked a sharp rise in the notifications of such data breaches to European data protection authorities (DPAs) in the months immediately following the GDPR taking effect in May 2018. Some DPAs warned at the time of the risk of 'over-reporting', but the latest data suggests businesses now have a clearer understanding of what incidents are sufficiently serious to require reporting.

Davey Stuart

Stuart Davey

Senior Associate

In our experience, in cases where the ICO undertakes further investigation of breaches, the authority has also become more targeted with the queries it has raised

Of the UK cyber matters we advised on in the year to May 2020, 50% required notification to the Information Commissioner's Office (ICO), down from 61% the previous year. This change was in line with trends recorded by the ICO more broadly, which recorded 11,854 personal data breaches in 2019/20, compared to 13,840 in 2018/2019.

DPAs themselves appear to be becoming more efficient in the way they handle notifications of personal data breaches and other incidents.

In Spain, for example, the Spanish Data Protection Agency works with other bodies such as the Cryptologic National Centre and INCIBE, the National Cyber Security Institution, to offer businesses a single point for security breaches notifications. In Ireland we observed an increase in efficiency when it comes to the initial triaging of, and response to, breaches by the Data Protection Commission. In the last year alone, the DPC recruited 50 new staff, which may account for the enhanced efficiency. Similarly, in Hong Kong, despite an unprecedented surge in complaints in 2019, there were an increased percentage of complaints, investigations conducted and investigation reports published by the Office of the Privacy Commissioner for Personal Data.

The ICO in the UK has also shown itself to be much more targeted and efficient in its actions too. In the matters we advised on in the year to May 2020, 83% of cases notified to the ICO were determined by the authority within 30 days of initial notification, compared to little over a third of cases the previous year. With an additional year’s experience, the ICO appears to be more efficient at triaging reported incidents and closing those down which are not sufficiently serious to warrant any further investigation.

In our experience, in cases where the ICO undertakes further investigation of breaches, the authority has also become more targeted with the queries it has raised.

A fifth of the questions raised by the ICO concerned the categorisation of data. This indicates that it attributes high importance to organisations correctly classifying and categorising data, and in turn assessing its associated risk value. Effective data categorisation enables organisations to undertake an assessment of the impact of any incident on data subjects promptly, and as such determine at speed whether the obligation to notify data subjects about data breaches they have experienced is triggered under the GDPR.

The information commissioner has also previously said that the operation of a clear data asset register is a central component of businesses being able to demonstrate their compliance with data protection law and meet their accountability requirements under the GDPR.

The ICO's questions also revealed a greater desire to understand the measures put in place by businesses in response to the incident. The percentage of queries it raised concerning post-incident measures increased from 5% to 16% of all questions raised in the matters we advised on, with a further 16% of queries related to the existing measures in place at the time of a security breach.

This line of questioning suggests that the ICO is expecting organisations not only to contain the breach quickly, but also to assess the weaknesses in their systems which led to the security breach and to take appropriate steps to improve their security for the future.