Information Commissioner’s Office gives first “ready reckoner” of data breach reporting under the GDPR

Speaking at the CBI Cyber Security: Business Insight Conference on 12 September 2018, the ICO’s Deputy Commissioner (Operations), James Dipple-Johnstone, revealed that the ICO has been receiving around 500 calls a week to its breach reporting line since the GDPR took effect on 25 May 2018. Roughly a third of these calls come from organisations which, after discussing the incident with ICO officers, conclude that it does not meet the reporting threshold.

Mr Dipple-Johnstone said that around one in five reported breaches involve a cyber incident, and that nearly half of those are the result of phishing. The remaining cyber-related causes include malware (10%), misconfiguration (8%) and ransomware (6%), amongst others.

Mr Dipple-Johnstone said that the key trends that the ICO is finding from its reporting system include:

  • organisations are struggling with the 72-hour deadline set by Article 33 of the GDPR. It is not 72 working hours: the clock starts running from the moment the organisation becomes aware of the breach, and the notification is due “without undue delay and, where feasible,” within that window;
  • some reports are incomplete. The ICO accepts that not all information will be to hand within the first 72 hours, but it asks organisations to plan ahead: have people of suitable seniority and clearance ready to speak to the ICO, provide as much detail as is available, and explain when the remaining information will follow; and
  • some controllers are “over-reporting”, notifying breaches that fall below the threshold in order to appear transparent, to manage their perceived regulatory risk, or because they believe everything must be reported. The ICO says it understands this will be an issue in the early months of a new system, but it will be working with organisations to discourage it in future.

As for monetary penalties, the ICO’s approach to using its new powers is set out in its Regulatory Action Policy, which is currently before Parliament for approval. To date, the ICO has not issued any fines for breaches of the new regime, so it is not yet in a position to share learning about how it will apply them. The speech has been published in full by the ICO.