New numbers out today offer another reminder of just how bad the security picture is. Right now, 59,000 breaches are currently being handled by GDPR regulators.
When European lawmakers set out to tackle the issues with privacy, they may not have realized just how severe the data breach problem truly is. While the intentions may be noble when they sought to create massive fines for businesses who neglect to protect user privacy, it’s possible regulators never foresaw just how big the problem of securing information is in the first place.
Back in January, we discovered that Europe’s GDPR (General Data Protection Regulation) laws saw 95,000 complaints come in. That, of course, is since the laws came into force back in June. Earlier this month, another statistic came out saying that only 30% of businesses even bother with encryption still. While those statistics paint a rather dark picture for how privacy is being handled, new data out today may change the picture again.
The new statistics show that GDPR regulators are currently dealing with 59,000 data breaches. While that number is daunting, a complimentary statistic of regulators handing out only 91 fines as a result might cause some to do a double glance. From CSO:
DLA Piper’s own analysis has counted 59,430 disclosed data breaches across Europe over the same period, with the Netherlands, Germany and the United Kingdom leading by far in the number of reports.
Together, these countries are responsible for nearly two-thirds of data breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.
GDPR requires organisations to report the exposure of personal data to national data protection regulators and to the affected individuals within 72 hours after they become aware of such breaches.
It also mandates strict security measures for protecting data and fines for violations that can go up to of up to €10 million or two per cent of the worldwide annual turnover.
So, one question might be why there are less than 100 fines being handed out with so many breaches currently being handled. One possibility is that it’s only been 8 or 9 months since the law was put in place. Considering how delicate a data breach situation can be, that really isn’t a whole lot of time for such a huge volume of cases in the first place. That might actually be part of the problem. More from the report:
The number of fines and their value, excluding the one against Google, have been low so far compared to the number of disclosed breaches, but this might because regulators in some countries are still accommodating themselves to the increased supervision and coordination roles they now play.
“Regulators are stretched and have a large backlog of notified breaches in their inboxes,” the DLA Piper researchers said in their report.
“Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organisations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.”
So, it looks like there is a massive resource problem going on here. There are plenty of companies out there complying with the regulation, but since there are so many breaches out there happening on a daily basis, manpower to handle the volume quickly becomes a problem.
We here at Freezenet can definitely relate to this problem. When we report on breaches and leaks, we actually filter out a lot of the stories and report on the big ones. If it’s 100,000 accounts or larger, that is classified as noteworthy to us. Exceptions can be made such as the hack in Germany which saw almost every major politician hacked. So, even with this particularly large threshold we set, we actually had to set up a queue system for all the big leak and breach story out there simply because resources are limited just reporting on all the breaches in the first place.
The situation with security is that bad.
Of course, regulators are likely getting closer to more everything regardless of size of the leak or breach. So, they are getting a fire hose sized stream of cases every day flowing into their systems including leaks and breaches going unreported in the news and in the security researcher communities.
Now, the question is, how much in terms of resources is going to be needed to be poured in to help ease these problems in the first place? Obviously, since the law is so new, there is going to be a teething problem. So, that does open up the possibility that after a year or so, things will settle down somewhat once everyone is used to the new laws. It’s not a guarantee that this will happen, but it’s not entirely out of the question either.
If anything, this is showing that it’s going to be a while before the issues surrounding privacy finally get some kind of lid on it once and for all. Right now, there are more leaks than a soaker hose, so it’s going to take a while to sort everything out. Regulators are going to be in for a long road ahead at this point.
Drew Wilson on Twitter: @icecube85 and Google+.
