UK Data Breach Notifications Quadruple Under GDPR Laws Drew Wilson | June 1, 2019 The roaring success of Europe’s GDPR laws is continuing to pay dividends to users. Breach notifications in the UK have quadrupled. It seems that Europe’s General Data Protection Regulation (GDPR) is continuing to be a roaring success in Europe. The privacy laws were passed this time last year. European privacy advocates hailed the laws as a new era in respect for personal privacy. Within 7 months of the laws passage, statistics started coming in, showing just how successful the law has become. Thanks to the law, privacy whistle-blowing skyrocketed, going up a massive 165%. A month later, more data was released to the public. A statistic showed in January that the commission received a whopping 95,000 complaints. Again, this is all thanks to the GDPR. In February, another statistic was released, showing that regulators were dealing with a massive 59,000 data breaches. Once again, this is all thanks to the GDPR laws. Now, one year on, the roaring success of the GDPR laws is continuing. According to Bank Info Security, the number of Data Breaches being reported has quadrupled. Additionally, data security complaints doubled since the law took effect. Of course, that leads to an interesting question: is this because security incidences are going through the roof? As it turns out, the answer is “no”. From the report: The Information Commissioner’s Office, which enforces GDPR in the U.K., says that from May 25, 2018, until the beginning of this month, it received 14,072 data breach reports, compared to receiving just 3,311 from April 2017 through April 2018. The increase in data breach notification is a result of mandatory reporting driving better visibility, security experts say. Before last May, most organizations faced no legal obligation to publicly disclose a data breach. Now, however, they do, which means that more data breach discoveries have been coming to light. Meanwhile, information security experts have told Information Security Media Group that they don’t think the frequency of data breaches has increased or decreased significantly since GDPR went into full effect. “I don’t think it’s dramatically changed the number or volume of breaches that we’ve been seeing,” Paul Chichester, operations director at Britain’s National Cyber Security Center – the public-face arm of intelligence agency GCHQ – told ISMG at a press conference held during the NCSC’s recent CyberUK conference in Glasgow, Scotland Some might look at all this data and think, “Sure, people are complaining and investigators are investigating, but are we really solving the issue surrounding security?” The answer to this is that we are on the right path towards solving this issue. You have to keep in mind where we were before this GDPR laws took effect. More than a year ago and before, data breaches were something to keep secret. If a company suffers from a breach or a leak, the default response for most is to hide and deny it. This is because customers could theoretically sue the company or the reputation would be tarnished. So, obviously, notifying the customer is completely out of the question. If the customers information got used for fraudulent purposes, then, well, they probably won’t figure out it was because of negligence on the part of the company in the first place. That attitude about personal information permeated through the corporate world for years. There are, of course, exceptions where some companies had a sense of morality and disclosed the incident to their customer base. Most, however, didn’t, and put profit over the safety of their customers. So, when you have this kind of culture going on for so long, changing things around to the point where companies actually have a respect for users information across the board is never going to happen overnight. Still, this is something that pretty much requires government intervention because security is destined to be a failing of the so-called “free market”. The next question is what should be the next steps. As most security experts are happy to point out, awareness of security is an excellent place to start. While the classic example is to make sure employees are aware of security, GDPR is basically the same concept on an international scale. Companies are now reporting that, yes, they have had their information compromised. Whistle-blowing is holding companies accountable. Even average citizens are utilizing the new resources available to them to complain whenever a company oversteps their bounds. It can be easy to underestimate the significance of this. The fact that all of this happened within a year is actually quite seismic. The protection of personal information is no longer just empty promises made by representatives – that concern has legal weight. It’s not like GDPR is free of its detractors. In spite of all this positive data, there are still those who gripe about the laws. Mike Masnick of Techdirt, for instance, is still wringing his hands demanding to know why we can’t call these laws a failure. From his blog: This entire approach is backwards and silly. If we want to have better control over our privacy we’re not going to do it through demanding better privacy policies, or confusing data protection laws. We need to create the incentives to put the actual control of the data back into the hands of the users. And that doesn’t just mean a right to download your info. It means that you have full control over your data and get to control what apps and services can access it and for what reasons. That’s not the world we have today, and nothing in the GDPR gets us any closer to it. And the answer is not “more enforcement.” That just locks in the big companies even more and continues to present the roadmap to “follow” the rules, or to work the refs. Instead, if we moved to a system of protocols instead of platforms we could decouple the data from the service, putting real control of the data back in the hands of end users. Then things like privacy policies and GDPR enforces wouldn’t matter so much, because we’d have direct control over our data. And, sure, there have been a few fines of internet companies, but as recent GDPR complaints show, there does not appear to be any way to actually fully comply with the GDPR, which makes it a particularly useless law. If you can’t actually comply, if it’s not actually protecting privacy, and it’s just annoying users and creating more bureaucracy, what good is it? The thing to remember about Masnick is that his default position generally is that all regulation and government intervention is inherently bad. While that is a politically attractive perspective from an American standpoint, for any non-partisan analysis, it’s pretty much a non-starter to begin with. The complaint that the GDPR laws doesn’t give power to the user is particularly bizarre given that user complaints are measured in the tens of thousands. Investigations being launched are also measured in the tens of thousands. The complaint that only a handful of fines have been handed out is an extremely narrow interpretation of the data. First of all, over 56 million euro’s in fines have already been dolled out. Additionally, the reason why only about 100 fines have been handed out so far is because there is a massive resource problem happening. Here’s our analysis from back in February: So, one question might be why there are less than 100 fines being handed out with so many breaches currently being handled. One possibility is that it’s only been 8 or 9 months since the law was put in place. Considering how delicate a data breach situation can be, that really isn’t a whole lot of time for such a huge volume of cases in the first place. That might actually be part of the problem. More from the report: The number of fines and their value, excluding the one against Google, have been low so far compared to the number of disclosed breaches, but this might because regulators in some countries are still accommodating themselves to the increased supervision and coordination roles they now play. “Regulators are stretched and have a large backlog of notified breaches in their inboxes,” the DLA Piper researchers said in their report. “Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organisations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.” Of course, this fact was conveniently glossed over by Masnick who simply criticized people by saying that it’s just a “wait and see” situation. The reason for this is obvious: regulators were simply not prepared for the raw magnitude of monitoring breaches in the first place. If you have a hundred investigators investigating 60,000 breaches, math simply takes over and the inboxes get completely flooded. How would you feel if your first day on the job involved you getting your login credentials and you instantly got slammed with 600 cases to investigate? At the end of the day, the fines handed out (which is from clear back in February) is only showing a resourcing problem, not a failing of the law itself. If anything, this problem only showed just how badly the laws were needed in the first place. If we turned back the clock and cancelled GDPR, just imagine how much worse the situation would be for over 50,000 breaches simply going unreported. Even the comments section of Masnick’s posting had people disagreeing with Masnick’s analysis. One anonymous user writes: Sorry guys; speaking as someone who actually had (and has) to do this; a year on the positive column more than outweighs the negative. In my business the road to compliance has vastly improved not just the direct management of personal data but also business processes as a whole and greatly improved security awareness. Looking a number of the so-called negative points above clearly many of them are ‘as expected’ or actually good news. M&As failing with businesses over concerns of GDPR practices? Seems a sign that it’s working well, not badly. Some people seem to have forgotten that in market economies some business need to fail; this is a good thing! Another user vouched for that perspective: As a (reluctant and unwilling) privacy professional who doesn’t need the work, you are spot on. The state of personal data management in almost every enterprise before GDPR was abysmal. Certainly firms that had to comply with COPPA had some practices in place, but there’s a reason everyone who could ran screaming from COPPA compliance for the last decade. The very fact that businesses now have the procedures in place to even know what data they have and where it is going is a fundamental sea change and GDPR is responsible. I’ll be the first one to say that it’s horribly drafted, overbroad, and relies on a number of terrible premises and assumptions, but a total failure? It’s doing exactly what it was intended to do (among many other things). A third comment: You complain that potential fines could destroy companies, and you complain that no companies were destroyed for breaking the rules. The entire point was to for fines to start small, then if companies don’t clean up their act, gradually ramp them up until they really start to hurt. In fact, I believe I read an article or two where you pointed out the uselessness of “slap on the wrist” fines (of course, you weren’t talking about GDPR). You see companies doing things “to comply with GDPR”, and you complain that GDPR is wrong and there is a better way. However, those companies are actually not in compliance and GDPR is really close to what you want. You’re arguing about short-term negative economic impact without any attempt at looking for a positive impact. You could do a very similar analysis about, say, environmental regulations. You’re arguing that since the entire Internet didn’t become a privacy haven in one year, it means the GDPR failed. Aren’t you underestimating both the inertia of 3+ decades of Internet free-for-all, as well as the molasses-like slowness of federal bureaucracy? I agree with a lot of your positions. On those I disagree with, I can usually at least see where you’re coming from. But your reaction to GDPR has completely mystified me. Must be one of those European<>American cultural differences… We’re pretty much on side with that perspective for the most part. There are plenty of things we can agree on, but the debate on GDPR is where we find ourselves on opposite sides of the debate. All the data that we have gathered up to this point has shown that GDPR has done a lot of good on the privacy front. Change on attitudes for privacy from a corporate perspective were never going to happen overnight. In spite of that, GDPR has been doing an impressive job at moving that mountain. The progress GDPR has already accomplished is actually a very impressive accomplishment if anything. Drew Wilson on Twitter: @icecube85 and Facebook.