The two months up to 13 December 2018 have seen 28 personal data breaches reported to The Office of the Data Protection Commissioner (ODPC).
The number of breaches has increased slightly compared with the previous reporting period, in which 26 breaches were reported over the two months up to 18 October.
The increase is likely due to two factors: firstly, organisations are increasingly aware of their legal obligation to report breaches; and secondly, certain organisations have erred on the side of caution by reporting incidents that do not necessarily meet the breach classification criteria.
The ODPC encourages all local organisations to continue with this cautious approach, as it provides valuable intelligence on the real-world risks faced by local organisations.
Most incidents reported to the ODPC were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require significant further inquiry.
As with the previous reporting period, there have been a number of incidents where hackers have gained control of email accounts using social engineering techniques.
Guernsey’s Data Protection Commissioner, Emma Martins, commented on the role of breach reporting and organisations’ duty to consider the people affected:
“We continue to see local organisations engaging in their legal obligation to report data breaches to our office. This is an essential aspect of compliance as it requires organisations to proactively engage with the risks they face in protecting people’s personal information. It also ensures they robustly consider the impact a breach may have on the people whose data has been affected.”
The ODPC uses the breach report information received to shape activities, particularly its communications strategy and regulatory action plan. Understanding where organisations are vulnerable enables the ODPC to target its resources in the most effective way.