This article was first published by Thomson Reuters on 03 April 2018, who have agreed to Simmons & Simmons making it available on elexica.
"Tell it all, tell it fast, tell the truth." - a refrain familiar to any organisation regulated in the UK.
The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) demand openness and cooperation. The National Crime Agency (NCA) carries carrots and sticks to incentivise reports of known or suspected money laundering. The Office of Financial Sanctions Implementation (OFSI) wants to hear about sanctions breaches, HM Revenue and Customs cares about tax evasion and the Serious Fraud Office (SFO) threatens prosecution for any organisation that keeps quiet about a past involving bribery.
This year, however, that refrain comes from another regulator, the Information Commissioner's Office (ICO), which has joined the reporting chorus. With new powers under the General Data Protection Regulation (GDPR) from May 2018, the ICO will require organisations to report personal data breaches to it without undue delay (and, where feasible, within 72 hours of becoming aware of the breach), unless the breach is unlikely to result in a risk to people's rights and freedoms. In addition, where the breach is likely to result in a high risk to individuals, organisations must also tell the affected individuals, and the ICO may advise, and indeed order, them to do so.
In recent days, the ICO has shown new resolve, and attracted considerable publicity, by urgently seeking a warrant to search Cambridge Analytica and asking parliament for additional powers of investigation. But can the ICO manage the anticipated increase in data breach reports from May 2018, even with its intimidating new powers and penalties?
Reporting is best practice, not followed
Until 2018, telling the ICO about data breaches has been, in the ICO's view, best practice, but it is not evident that this practice has been widely followed.
In 2016/2017, 2,565 data security incidents were self-reported by organisations to the ICO. Yet, according to the 2017 Cyber Security Breaches Survey, a majority (51 percent) of UK businesses that held electronic personal data about their customers had experienced a cyber-security breach or attack in the last 12 months.
There appears to be a gap. Given the known incidence of cyber crime targeting personal data, not to mention the number of disclosures occasioned by accident or negligence, the level of reporting to the ICO does not stack up.
Recent statements from the FCA point to the same culture of under-reporting, at least among regulated firms. The FCA suspects that there is "material under-reporting of successful cyber attacks in the financial sector" and recently reminded regulated firms that reporting of material cyber attacks is expected in accordance with their Principle 11 obligations.
The GDPR can be expected to close this gap, with its obligation to report personal data breaches to the ICO backed by the threat of sanctions for failing to report. If, however, the ICO does obtain its desired engagement from organisations, is it prepared to be "told it all", "told it fast", "told the truth"?
A surge in reporting: lessons from the SARs regime
To get ready for the GDPR, the ICO is apparently strengthening both its staff numbers and its level of expertise, and is "expecting more of everything", including breach reports. It has acknowledged that "[t]he public need to have trust and confidence that [it] is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies". The ICO should be expecting a lot more information. One need only look back at the history of suspicious activity reports (SARs) to understand how a shift in focus and new legislation can exponentially increase a regulator's burden.
Between 1994 and 2000, the number of SARs disclosed ranged from 13,700 (in 1995) to 18,408 (2000). In the early 2000s, law enforcement objectives shifted to money laundering, and the Proceeds of Crime Act 2002 (POCA) introduced new money laundering offences, including the s 330 offence for regulated firms who fail to disclose suspected money laundering.
Perhaps unsurprisingly, the number of SARs escalated to the hundreds of thousands, reaching 220,484 in the year 2005/2006 and 419,451 in the last available report, for 2015/2016. That escalation in reports was accompanied by now-familiar criticisms of low-quality, low-risk and/or defensive reporting, overwhelmed agencies and the under-utilisation of intelligence.
The similarities to the current regulatory landscape are uncanny. The GDPR, like POCA, heralds a mandatory reporting regime with stiff sanctions at a time when multiple agencies, i.e., the ICO, the FCA, the PRA, the National Cyber Security Centre (NCSC) and the police, are all clamouring for organisations to focus on data protection. Equally, the standard for reporting under the GDPR requires a difficult (objective) judgement: when is there a risk to a person's rights and freedoms? Recitals 75 and 76 to the GDPR provide a list of factors, but ultimately, if in doubt, the guidance for organisations is to notify. With maximum penalties for failing to do so of up to EUR 10 million or 2 percent of global annual turnover, whichever is higher, data protection officers will pay heed.
The ICO can therefore expect to face an extraordinary increase in reporting in 2018. So, too, should other regulators such as the FCA expect an upswing in reports relating to data breaches, as businesses decide that multiple, parallel notifications are the safest route. The quality of reporting will undoubtedly display many of the same issues inherent in the SARs regime, chief among them low-risk reporting for defensive reasons. Regulators have a challenge ahead.
In particular, the ICO must take an important leadership role and be prepared to manage the increase in data breach reports, through user-friendly guidance, internal resourcing, innovative technology and information sharing, for the detection and deterrence of cyber crime and the identification of weak data protection controls. If the ICO wants organisations to "tell the truth", it had better be able to handle it.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.