Statistics and Trends – Cyber Breach and Litigation

Published 17 diciembre 2021

As part of DACB’s annual Data Protection and Cyber conference this year, members of our Cyber team ran a session on the statistics and trends that were seen over the past 12 months. This included a high level overview of: the profile of breaches, the experiences with the ICO and data subject notifications. 

Breaches & Breakdowns

We have seen a substantial increase in both the volume of enquiries and new matters progressing beyond the initial enquiry, 85% up from last year.

In 2019/20, the matters we dealt with which involved breaches, contained mostly malicious breaches (83%). However in 2021, we observed that the proportion of non-malicious breaches had increased, with a split of 29% non-malicious and 71% malicious.

Ransomware remains the most common malicious breach type. Accidental disclosure of electronic documents remains our most common non-malicious breach type.

We also broke down our breach matters by client sector. For the second year running, Charity (22%) and Professional Services (14%) were our top two impacted sectors. This year we supported impacted clients in an increasingly diverse array of sectors, with the addition of Transport, Media, Sport and Construction.

ICO Experience

This year, DACB had a significant increase in matters which required notification to the ICO (more than double the notifications from 2019/20). We had 45% more matters that required notifications to data subjects.

It may be possible to attribute the increases in notification simply to the increased activity this year. In both 2019/20 and 2020/21, the percentage of our matters which progressed beyond the initial enquiry and were then notified to the ICO increased but remained similar (52% and 58% respectively). Additionally, where notifications to data subjects were made, DACB has observed a similar ratio of required notifications compared to voluntary notifications made across both years (2/3 required notification, 1/3 voluntary notification). Precautionary notifications may also be a factor.

It is promising to report that the ICO has taken no further action in all of the matters DACB have assisted with, for the second year in a row. We noted that 45% of the notifications to the ICO were closed without further investigation. The majority of these matters featured email compromises. 16% of the notifications to the ICO were closed after further investigation; the majority of these matters featured ransomware. The rest are ongoing investigations.

We analysed the average time it took for the ICO to close an investigation; we noted there appeared to be ‘peak times’ in July and December (see figure below.) Looking beyond DACB’s matters, the ICO has been active this past year with 34 monetary penalties and 17 enforcement notices, mostly concerning unsolicited marketing matters.

Data Subject Notifications and Compensation Claims

In 2020/2021, 26% of matters with data subject notifications resulted in claims being made; we found that there is no significant difference to this percentage whether the data subject notification was required or voluntary.

In our experience, the Letters of Claim we receive following data breaches are duplicated and contain non-specific legal arguments. They come from a concentration of claimant law firms we are familiar with. Approximately one quarter of all claims we receive are discontinued after receiving our Letter of Response.

We have also gathered data on the number of days passing between the breach incident and the letter of claim being issued. There are two clear spikes at ~3 months and ~1 year after the breach incident occurred.