Personal Data Breaches: Can ‘over-reporting’ be curtailed?

November 2021

The Information Commissioner’s Office has said organisations are over-reporting data breaches. One proposal discussed in the UK Government’s consultation on data reform aims to tackle this issue by raising the threshold for when organisations need to report a personal data breach.

Is this a good idea or not?

The number of reported breaches jumped dramatically after GDPR came into effect back in 2018, quadrupling the figures. Pre-GDPR, the ICO would receive around 3,000 notifications a year. Post-GDPR, it rose to more than 3,000 a quarter (2018/19).

You might argue this wasn’t surprising and no bad thing.

GDPR tightened rules around breach reporting, with increased potential penalties for non-compliance. The rise in reporting might suggest companies were taking heed of the legislation and holding their hands up to their mistakes.

Since then the figures have come down to around 2,300 a quarter (July – September 2021).

These are still sizeable figures. The ICO is clearly overwhelmed and has specifically highlighted that some organisations are reporting breaches when they don’t need to.

It’s worth noting most reported breaches aren’t investigated (one would hope because they aren’t serious enough); just 20% result in an investigation. Even then, not all investigations lead to enforcement action.

The UK is not alone: the European Data Protection Board (EDPB) says many supervisory authorities across Europe have experienced over-reporting too.

With this in mind, does the law need changing… or does the problem lie with our reporting habits?

Current data breach reporting obligations

At present, organisations must report a personal data breach unless it is ‘unlikely’ to result in a ‘risk’ to the rights and freedoms of natural persons.

The key to assessing whether or not to report to the ICO lies in the supplementary guidance published by the UK Regulator and, at a European level, by the European Data Protection Board (previously the Article 29 Working Party).

In broad terms, the ICO tells us we need to assess the potential adverse consequences of a breach for individuals, basing this on how serious these are and how likely they are to happen.

There is also helpful guidance specifically aimed at small businesses, which includes examples of incidents that would need to be reported and ones which wouldn’t.

The ICO points us towards EDPB guidance, which expands on how to assess the risks and the consequences we should consider, such as discrimination, identity theft or fraud, financial loss or reputational damage.

Proposal to revise the data breach reporting threshold

A reading of the UK data reform consultation reveals the Government considers the current threshold too low, and proposes raising it.

It also suggests current over-reporting is likely to be driven by organisations fearing the financial and/or reputational repercussions should they be found to have failed to comply with the obligation to report breaches.

This ‘better safe than sorry’ approach, the Government believes, is partly responsible for the significant spike in reporting since GDPR was introduced.

The idea, then, is to change the law so organisations must report a breach ‘unless the risk to individuals is not material’ – so organisations would need to consider materiality when deciding whether to report or not.

The ICO would be encouraged to provide new guidance on what would constitute ‘non-material’ risk, along with examples of what kinds of incident would be reportable and which wouldn’t.

Will this make a difference?

Many organisations are likely to welcome the threshold for reporting being higher. In our recent survey it was one of the most popular reform proposals.

Such a move could potentially save organisations time, energy and costs, as well as easing the burden on the ICO.

However, in practice, organisations will still be required to assess what might be ‘non-material’ and will still be under the time pressure of having to notify a reportable breach within 72 hours of becoming aware of it.

Is there a danger one type of assessment will just be replaced with another, and businesses will still ‘err on the side of caution’, reporting anyway because they’re under the clock?

Whatever form the assessment takes, organisations will still need to be able to justify any decision not to report.

This also doesn’t necessarily address the issue of organisations reporting because they fear the consequences of failing to comply with the obligation to report breaches. There will still be an obligation to report, and within the same timescale.

I wonder if part of the problem is one of culture and perception. Does there need to be more assurance given to organisations? If they’ve acted in good faith, but are still deemed to have got it wrong, how will that impact on penalties for non-reporting?

There’s a difference between honest mistakes by organisations trying their best, and those who ignore the rules to save time and money.

How the courts are handling data breach claims…

A recent case provides some useful insights into how UK courts deal with claims relating to data breaches, especially ones where, on the face of it, any risk to individuals seems negligible.

In the High Court case of Rolfe & Ors v Veale Wasbrough Vizards, the defendants were lawyers representing a private school. The case centres on an email regarding outstanding fees that was sent to the wrong recipient. The person who received it immediately highlighted the error and confirmed they’d deleted it.

Nonetheless, the people who should’ve received the email brought a claim for damages for the misuse of confidential information, breach of confidence, negligence and damages under data protection law.

In a clear case of common-sense jurisprudence, the Court found no credible case that distress or damage could be proved. It found the claim to be ‘plainly exaggerated’ and the suggestion that the Claimants could have suffered distress or worry was ‘frankly an implausible suggestion’ in the case of a single breach which was quickly remedied.

This case should offer a level of comfort to organisations, should they face low-level data breach claims (possibly facilitated by legal companies chasing post-GDPR data breach claims).

It also reinforces the fact that the ICO doesn’t need to be troubled with minor incidents, which may fall under the definition of a personal data breach, but are highly unlikely to have adverse consequences.

As the saying goes, de minimis non curat lex – ‘the law does not concern itself with trifles’.