[BreachExchange] Companies “over-reporting” data breaches as ICO takes 500 calls per week

Destry Winant destry at riskbasedsecurity.com
Fri Sep 14 01:21:13 EDT 2018


http://www.itpro.co.uk/information-commissioner/31912/companies-over-reporting-data-breaches-as-ico-takes-500-calls-per

The Information Commissioner’s Office (ICO) revealed it has been
receiving 500 reports by telephone per week since GDPR came into
force, a third of which are considered to be unnecessary or fail to
meet the threshold for a data incident.

ICO deputy commissioner James Dipple-Johnstone revealed that
misconceptions are still commonplace among organisations more than
three months after GDPR came into force, leading to a large number of
needless calls to the regulator.

Speaking at the Confederation of British Industry’s (CBI’s) fourth
annual Cyber Security Conference, he added that one mistake many
businesses make is to believe that the mandatory reporting period is
72 'working' hours, whereas, in reality, this is 72 hours from the
point of discovery.

Many reports the ICO receives are also incomplete, and many
organisations tend to “over-report” out of an inflated desire to be
transparent, because they want to manage their perceived risk, or
simply because they think they need to report everything.

The update comes a fortnight after the law firm EMW obtained figures
via a Freedom of Information (FOI) request showing that the number of
complaints between 25 May and 3 July this year climbed to 6,281,
versus just 2,417 during the same period last year.

“We understand this will be an issue in the early months of a new
system,” Dipple-Johnstone continued, “but we will be working with
organisations to try and discourage this in future once we are all
more familiar with the new threshold.”

In addition to the update, the ICO was keen to allay any fears that
the regulator was trigger-happy when it came to issuing fines.

“The small number of fines we issue always seem to get the headlines,
but we close many thousands of incidents each year without financial
penalty but with advice, guidance and reassurance,” he said.

“For every investigation which ends in a fine, we have dozens of
audits, advisory visits and guidance sessions. That is the real norm
of the work we do.”

Although fines of up to €20 million (or 4% of global annual turnover,
whichever is higher) are on the table under GDPR, the ICO has
repeatedly said in the past that it would not simply scale up the
£500,000 maximum fine available under the Data Protection Act 1998.

Dipple-Johnstone added that businesses that take their data protection
responsibilities seriously “have nothing to fear from an ICO
inspection or investigation”.

Headline-grabbing fines are more likely in cases where organisations
show poor board-level awareness, have incomplete or missing records,
have not trained staff, and have continuously deferred security
investment, among other factors. In fact, in the three months since
GDPR, the ICO said it had already seen evidence in some reports of a
lack of preparation, or of an unwillingness on the part of senior
leadership to disclose sensitive information, behind uncooperative
breach notifications.

Approximately half of the calls the ICO receives each week involve a
cyber element, while a third involve phishing attacks.
