After 25 May 2018, when new data breach notification laws came into force across Europe, there was a sharp increase in data breach reports to regulators, and many high-profile breaches were also publicised in the media. In the UK alone, the Information Commissioner’s Office (ICO), the UK’s data protection authority and GDPR enforcement regulator, said that the number of data breach reports had quadrupled since GDPR came into force.
This does not necessarily mean that companies are being breached more often, only that they now report breaches more often. Data breach fatigue is just what it sounds like: the perception among consumers that hacking and identity loss are unavoidable facets of everyday life. Actual victims of identity theft often report frustration and fear, whilst people whose data was exposed in a breach often treat it as business as usual rather than expressing real concern.
How seriously should we take data breaches, and what should we do if we find that our passwords have become available to potentially hostile third parties?
Under the EU General Data Protection Regulation (“GDPR”), personal data breaches which are likely to result in a risk to affected individuals must be notified to the data protection regulator. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified.
Sanctions for failing to comply with the notification requirements include fines of up to €10m or up to 2% of the organisation’s total worldwide annual turnover in the preceding financial year, whichever is higher. The deadline for notifying the regulator is very short: data controllers (organisations which determine the purposes and means of processing personal data) must notify personal data breaches without undue delay and, where feasible, not later than 72 hours after becoming aware of them. Where affected individuals must be notified, that notification must also be made without undue delay.
Across the 28 EU member states, in the nine months since GDPR began to apply, more than 60,000 personal data breaches have been notified to regulators. The Netherlands, Germany and the UK had the most breaches notified to supervisory authorities, with over 11,000 reports in the UK alone. Some of the most serious breaches have also been widely reported in the media. For example, British Airways warned that it had been hacked and that the payment card details of up to 380,000 customers had been stolen. Serious breaches also affected Superdrug, Dixons Carphone and Ticketmaster, to name just a few.
Many of the fines imposed over the last 12 months have been under the pre-GDPR regimes, which typically allowed regulators to impose much lower fines; the cap in the UK was £500,000. To date, 91 reported fines have been imposed under the GDPR regime, and not all of them relate to personal data breaches. The highest GDPR fine to date is €50m. It did not relate to a personal data breach but to a decision by the French data protection authority, the CNIL, to fine Google for processing personal data for advertising purposes without valid consent.
Whilst fines have been relatively low so far, there has also been an increase in class action lawsuits against data controllers who suffer a breach. Notably, the British Airways breach led to the threat of a £500,000,000 class action by SPG Law, the UK branch of the US law firm Saunders Phillips Grossman. Under the GDPR, in addition to any direct losses suffered, for example unreimbursed fraud, victims can seek compensation for “non-material damage”. The claim, which has not yet been settled, calls for compensation for the “inconvenience, distress and misuse of their private information” arising from the breach. Other data controllers facing such claims include Morrisons. As claimants do not need to prove financial loss, it can be easier to bring claims in the UK or elsewhere in Europe than in the US. Class actions will only succeed, however, if the types of loss suffered by all the claimants are similar. In a recent judgment, the High Court rejected a claim against Google brought by individuals whose personal data had been accessed and sold. The case was dismissed even though the Court found that Google had breached data protection laws during 2011 and 2012 by tracking and selling iPhone users’ personal data. The court set out important principles for when compensation is payable for the misuse of data. In future such claims may be harder to bring unless those affected can show that they have suffered the same types of loss and actual ‘damage or distress’.
Whilst consumers may become desensitised to reports of data breaches, people are better off knowing that their data is at risk so that they can take appropriate action to protect themselves. Reporting breaches also allows other organisations to learn from their peers: if the root causes of breaches are publicised, organisations can use that information to better secure their own systems.
So how do you stay safe online?
- Don’t post personal information online, such as your home address, email address or phone number.
- Think carefully before uploading pictures or videos of yourself. Once a picture is online, most people can see it and may be able to download it and pass it on.
- Never give out your passwords (not even to your best friends).
- Remember that not everyone online is who they say they are.
- Think carefully about what you are typing before you post it online.
- Don’t download files or attachments from people or websites you don’t know. If in doubt, check with someone responsible for IT security before opening anything unfamiliar: it may carry malware that harms your computer or mobile device.
- If you see something online that makes you feel uncomfortable, unsafe or worried: leave the website.
- Avoid sending out photographs of yourself or your family.
- Never respond to messages, particularly emails and telephone calls, that ask for personal data or ask you to confirm your login details. If a message claims to come from your bank or another service, contact the organisation through a phone number or web address you already know rather than one given in the message.
- Avoid using free wifi; connect devices such as laptops to your mobile phone’s ‘hotspot’ instead. If you must use a public network, make sure the sites you use are served over HTTPS (the padlock in the browser) or use a VPN.
So what steps should you take if you become aware that your personal data has been compromised in some way?
- Determine what information was compromised: when you are notified about a data breach, the data controller should tell you what types of information were affected. These may include your payment card number, email address, date of birth, password or other personal data.
- Work out the extent of the breach: if a password for one website was compromised and you use the same password on other sites, change it on each and every account that shares it, because attackers routinely try leaked credentials against other services. This is also a good time to reset all of your passwords and create new, strong, unique ones for each account. Avoid passwords that a third party could work out from your social media profile, for example a pet’s name or a birthday.
- Consider taking advantage of free credit monitoring if it is offered: many companies offer free credit monitoring in the aftermath of a data breach, and it is worth signing up. You may also want to consider placing alerts or freezes on your files with each of the major credit reporting agencies. It is also a good time to request a free credit report. Stagger these requests throughout the year, for example one report from a different agency every few months, so that you keep a rolling view of your file.
- Self check: if you hear about a data breach at a website you have used recently, such as British Airways or Ticketmaster, the owner of the site should give you advice on staying safe. A good source of information is the Action Fraud website, which provides government-approved tips. To check whether your email address has appeared in a known data breach, enter it on haveibeenpwned.com, which searches the breach data sets it has collected (it can show that your data was exposed, not who now holds it). Be warned: the results may be alarming.
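The two checks above, finding every account that shares a compromised password and looking the password up in Have I Been Pwned, can be scripted. The following is an added example, not code from the article or from Have I Been Pwned. It uses the real Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>), which works by k-anonymity: only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every known hash suffix for that prefix, and the match is made locally, so the password itself never leaves your machine. The password-manager export and the range response embedded in the block are constructed for the demo (the first suffix really is the SHA-1 suffix of “password”, but the counts are made up), so it runs offline; `fetch_range` does the live lookup if you pass it instead.

```python
import csv
import hashlib
import io
import urllib.request
from collections import defaultdict

# Added example (not from the article): after a breach notice, list every account
# whose password is reused or already present in the Pwned Passwords corpus.

# Constructed password-manager export (CSV). Not real credentials.
VAULT_CSV = """name,username,password
Example Airline,alice@example.com,password
Ticket Shop,alice@example.com,password
Webmail,alice@example.com,correct horse battery staple
Bank,alice,S7#kq2!vLm9pZ
"""

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse a range response: one 'SUFFIX:COUNT' line per known hash."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count) if count.isdigit() else 0
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup over HTTPS (not used by the offline demo below).
    The API rejects requests that carry no User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-response-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 if unknown)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

def accounts_to_rotate(vault_csv: str, fetch=fetch_range) -> dict:
    """Return {account name: reason} for every entry whose password is either
    shared with another account or present in the breach corpus."""
    rows = list(csv.DictReader(io.StringIO(vault_csv)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    reasons = {}
    for password, names in by_password.items():
        count = breach_count(password, fetch)   # one API call per distinct password
        for name in names:
            notes = []
            if len(names) > 1:
                notes.append("reused on: " + ", ".join(n for n in names if n != name))
            if count:
                notes.append(f"seen {count} times in breaches")
            if notes:
                reasons[name] = "; ".join(notes)
    return reasons

# Constructed range responses keyed by prefix. The second line's suffix is the
# genuine SHA-1 suffix of "password"; the counts and the other line are made up.
FAKE_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n",
}

def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the demo runs without network access."""
    return FAKE_RANGES.get(prefix, "")   # unknown prefix: treated as no known hashes

def demo() -> dict:
    return accounts_to_rotate(VAULT_CSV, fetch=offline_fetch)

if __name__ == "__main__":
    for account, reason in demo().items():
        print(f"{account}: {reason}")
```

Run against a real export, the script flags both the accounts that share the leaked password and any password that attackers already have in their cracking lists; every flagged account should be given a new, unique password. Note that the SHA-1 here is only a lookup key for the API, not a way to store passwords.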
How to choose a safe password
- To create a strong password, choose three random words; the result is long, memorable and much harder to guess than a short word with numbers or symbols bolted on. Add numbers, symbols and a mix of upper and lower case if the site requires them. Taking the initials of a phrase (‘My Favourite Colour is Blue’ plus the year gives MFCIB2018; ‘Baby we were born to run’ gives ‘bwwbtr’) produces short passwords, and lines from well-known songs appear in the word lists attackers use, so if you build a password from a phrase, use the whole phrase, make it long, and choose one that nobody would associate with you.
- Use a different password for every site. Do not share a ‘common’ password even between sites that seem unimportant: a password stolen from a trivial site will be tried against your email and financial accounts. Whilst 12 to 15 characters is a good minimum, longer is better; 8 characters is no longer enough against modern password-cracking hardware.
- Change a password immediately if you suspect it has been compromised, for example after a breach notification. Routine changes on a fixed schedule (every 60 days, say) are no longer recommended by the UK’s National Cyber Security Centre or by NIST: they push people towards predictable variations of the same password and add little security on their own.
- If you must write a password down, write only a clue or abbreviated form that you alone can decipher, and don’t leave the clue in an obvious or easily found place.
- Use a password manager to generate and store a unique password for every account, and turn on two-factor (multi-factor) authentication wherever it is offered, so that a leaked password alone is not enough to log in.
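The “three random words” advice only works if the words really are random and are drawn from a large enough list. The block below is an added example, not code from the article or from any password manager: it generates such a passphrase with Python’s `secrets` module (the operating system’s cryptographic random source, not the `random` module) and puts rough entropy figures on the schemes mentioned above. The 32-word list is constructed so the example runs offline; a real generator would use a published list of several thousand words, such as the EFF long list of 7,776 words.

```python
import math
import secrets

# Added example (not from the article): random-word passphrases and the entropy
# of each scheme, assuming every choice is genuinely random.

# Constructed, deliberately tiny word list for the offline demo. A real
# generator uses a list of thousands of words.
WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yonder", "zipper", "bridge", "candle", "desert", "engine", "forest", "glacier",
]

def random_words(count: int = 3, words=WORDS, separator: str = "-") -> str:
    """Pick `count` words uniformly at random with secrets.choice. The random
    module is seeded predictably and is not suitable for passwords."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform choices from `alphabet_size` options."""
    return length * math.log2(alphabet_size)

def scheme_entropies() -> dict:
    """Entropy of several schemes IF each element were chosen at random.
    A remembered lyric or a year added to some initials is not random: song
    lyrics are in cracking word lists, and '2018' adds almost nothing."""
    return {
        "3 words, 32-word list (this demo)": round(entropy_bits(32, 3), 1),
        "3 words, 7776-word list": round(entropy_bits(7776, 3), 1),
        "4 words, 7776-word list": round(entropy_bits(7776, 4), 1),
        "6 lowercase initials (bwwbtr), if random": round(entropy_bits(26, 6), 1),
        "12 random printable ASCII chars": round(entropy_bits(94, 12), 1),
    }

if __name__ == "__main__":
    print("passphrase:", random_words(3))
    for scheme, bits in scheme_entropies().items():
        print(f"{bits:5.1f} bits  {scheme}")
```

Three words from a 7,776-word list give roughly 39 bits, four words roughly 52; three words from this demo list give only 15 bits, which is why the size of the list matters as much as the number of words. The figures assume the words were picked by the generator; words you choose yourself are far less random than that.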
Whilst cyber crime and identity theft are on the increase, we recommend you resist the temptation to consider such events inevitable, simply the price of being online. It pays to be vigilant and to react promptly if your data is breached.