Published 15 December 2022
Towards the end of the year is a good time to take stock and look at the bigger picture. This has become an annual event here in the DACB Cyber & Data Claims Team. Once again we have looked back over our caseload from October 2021 to October 2022, drawn out the key trends and compared them with the previous year.
We are fortunate to have a significant volume of work and so have a good data pool. However, we recognise that our cases are naturally skewed towards the types of work that are sent to us by our clients, and some readers will have an even bigger picture. Nonetheless, we hope that our data provides an interesting perspective and maybe a sense check for some working assumptions.
Stats fans read on!
Profile of Data Breaches
In the last year our team has responded to 211 data breaches. This actually represents a small reduction from 2021, when we dealt with 230, but the number of cases progressing beyond support given in an initial call actually increased from 161 (70%) to 168 (80%). We suspect that we tend to see the more difficult problems and that the more routine support is often filtered out. This increase suggests the overall level of data breach problems is at a similar level or even increasing.
Around 11% of breaches had multi-jurisdictional issues, and the most common size was up to 10 data subjects. This seems surprising, as we handle many breaches with hundreds, thousands or tens of thousands of data subjects impacted. Although these larger breaches tend to dominate the time we spend, the smaller breaches still predominate, in terms of numbers of cases at least.
Of the breaches handled, 75% had malicious causes, a slight increase from 71% last year. Of these, 59% were ransomware related (up from 48%), 31% were email compromises (up from 29%) and other malicious causes declined.
Finally, the top 3 sectors we saw impacted were professional services firms (23%), financial services firms (13%) and the public sector (13%). These all figured highly last year but, thankfully, last year's top sector, charities, has dropped down the list.
Experiences with the ICO
When considering the data in relation to the regulatory landscape, the past 12 months have been fairly consistent when compared to previous years. There have been 95 matters, which progressed beyond the initial enquiry or advice, that were notified to the ICO. Out of those, 56 were reported by DACB and 37 were completed by the client independently before we were engaged. Therefore a third of the matters were reported to the ICO without seeking legal advice or guidance.
The data also highlights the lag time between the breach occurring and when it is discovered by the client, with the maximum time between breach and discovery being 64 days and the minimum time amounting to no days, i.e. immediate detection. This translates to a median of 4 days from breach to discovery.
There is also a fairly big distinction when comparing the time it takes the Regulator to investigate matters. The maximum number of days it took the Regulator to investigate a matter from open to closed was 109 days, while the minimum was 2 days. This equates to a median period of 22 days for the Regulator to investigate.
Once again, we are pleased to report that out of all the matters reported to the ICO in the last year, no regulatory action was taken.
Data Subject Notifications
We recorded that, out of 168 data breaches handled in the preceding year, 12 required a mandatory notification to data subjects pursuant to Article 34(1) UK GDPR and 19 incidents resulted in organisations informing data subjects of a data breach when it was arguably a requirement.