A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 17 diciembre 2021
As part of DACB’s annual Data Protection and Cyber conference this year, members of our Cyber team ran a session on the statistics and trends that were seen over the past 12 months. This included a high level overview of: the profile of breaches, the experiences with the ICO and data subject notifications.
We have seen a substantial increase in both the volume of enquiries and new matters progressing beyond the initial enquiry, 85% up from last year.
In 2019/20, the matters we dealt with which involved breaches, contained mostly malicious breaches (83%). However in 2021, we observed that the proportion of non-malicious breaches had increased, with a split of 29% non-malicious and 71% malicious.
Ransomware remains the most common malicious breach type. Accidental disclosure of electronic documents remains our most common non-malicious breach type.
We also broke down our breach matters by client sector. For the second year running, Charity (22%) and Professional Services (14%) were our top two impacted sectors. This year we supported impacted clients in an increasingly diverse array of sectors, with the addition of Transport, Media, Sport and Construction.
This year, DACB had a significant increase in matters which required notification to the ICO (more than double the notifications from 2019/20). We had 45% more matters that required notifications to data subjects.
It may be possible to attribute the increases in notification simply to the increased activity this year. In both 2019/20 and 2020/21, the percentage of our matters which progressed beyond the initial enquiry and were then notified to the ICO increased but remained similar (52% and 58% respectively). Additionally, where notifications to data subjects were made, DACB has observed a similar ratio of required notifications compared to voluntary notifications made across both years (2/3 required notification, 1/3 voluntary notification). Precautionary notifications may also be a factor.
It is promising to report that the ICO has taken no further action in all of the matters DACB have assisted with, for the second year in a row. We noted that 45% of the notifications to the ICO were closed without further investigation. The majority of these matters featured email compromises. 16% of the notifications to the ICO were closed after further investigation; the majority of these matters featured ransomware. The rest are ongoing investigations.
We analysed the average time it took for the ICO to close an investigation; we noted there appeared to be ‘peak times’ in July and December (see figure below.) Looking beyond DACB’s matters, the ICO has been active this past year with 34 monetary penalties and 17 enforcement notices, mostly concerning unsolicited marketing matters.
In 2020/2021, 26% of matters with data subject notifications resulted in claims being made; we found that there is no significant difference to this percentage whether the data subject notification was required or voluntary.
In our experience, the Letters of Claim we receive following data breaches are duplicated and contain non-specific legal arguments. They come from a concentration of claimant law firms we are familiar with. Approximately one quarter of all claims we receive are discontinued after receiving our Letter of Response.
We have also gathered data on the number of days passing between the breach incident and the letter of claim being issued. There are two clear spikes at ~3 months and ~1 year after the breach incident occurred.
London - Walbrook
+44 (0)20 7894 6930
+44(0)117 918 2697
+44 (0) 20 7894 6377
Eleanor Ludlam, Pavan Trivedi
Charlotte Halford, Johanna Lipponen
Eleanor Ludlam, Charlotte Halford, Pavan Trivedi
Hans Allnutt, Alexander Dimitrov
Hans Allnutt, Tom Evans
Aidan Healy, Charlotte Burke
Eleanor Ludlam, Camilla Elliot
Eleanor Ludlam, Sonali Malhotra
Brett Randles, Annabel Walker
Hans Allnutt, Florence Clissitt
Justin Tivey, Charlotte Muzabazi
Alex Stovold, Tom Evans
Eleanor Ludlam, Alexander Dimitrov
Eleanor Ludlam, Jonathan Hopkins
Patrick Hill, Brett Randles
Patrick Hill, Hans Allnutt, Eleanor Ludlam
Patrick Hill, Phil Murrin, Jonathan Hopkins