The 2019 DLP Retrospective
2019 was a dark one for data protection the world over. The number of data breaches spiked dramatically: the 5,183 that were reported exposed 7.9 billion records in the first nine months of 2019, with Risk Based Security researchers estimating that the year-end figure will reach 8.5 billion. The total number of breaches has increased by 33.3% from 2018 while the number of records breached more than doubled.
According to the Ponemon Institute and IBM Security’s 2019 Cost of a Data Breach Report, malicious attacks were the biggest root cause of data breaches, but only by a small margin. They accounted for 51% of data breaches, while the remaining 49% were due to human error and system glitches.
Many of the big data breaches of 2019 were opportunistic attacks that took advantage of weak security practices to steal data. Unsecured databases were a recurring theme in some of the year’s biggest data thefts.
Data Breaches Got More Expensive
The cost of an individual data breach also increased this year, reaching a global average of $3.92 million/breach according to the 2019 Cost of a Data Breach Report. The United States had the highest average cost, with $8.19 million/breach, while the Middle East had the highest average number of breached records, 38,800. The healthcare industry was hit the hardest, averaging $6.45 million/breach, 65% more than the average cost of a data breach.
While big organizations can weather the storm brought on by data breaches and recover in the long term in their aftermath, smaller companies are not so lucky. Reportedly, many of them fold within six months of a major data breach. That’s not surprising given the overall cost of a data breach/employee: organizations with over 25,000 employees average data breach costs of $5.11 million or $204/employee, while companies with 500 to 1000 employees average $2.65 million, or $3,533/employee.
Data Protection Legislation Takes Over the Globe
In the wake of the EU’s General Data Protection Regulation (GDPR), governments around the world have taken steps to update existing privacy laws or have successfully pushed forward new data protection bills to align themselves with the new international standards and ensure that cross-border data transfers with the European bloc continue unhindered.
In 2019, the race for compliance switched continents, moving from Europe to the US as companies braced for the impact of the California Consumer Privacy Act (CCPA), the most comprehensive privacy law in US history, which will be enforced starting mid-2020. This year brought several amendments to the CCPA that expanded mandatory data breach notifications to new categories of data, as well as the first set of proposed regulations by California Attorney General Xavier Becerra.
Meanwhile, as talks of a US-wide federal privacy law intensified, Nevada quietly passed and enforced a CCPA-inspired update to its privacy law which granted its residents the right to opt out of the sale of their personal information.
Brazil passed its comprehensive general data protection law, the Lei Geral de Proteção de Dados (LGPD) on 14 August 2018, but doubts about it ever being enforced emerged when then-president Michel Temer vetoed several acts of the bill before its passing, most notably those needed to create Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).
2019 brought a much needed resolution: Brazil’s new president, Jair Bolsonaro, promulgated Law No. 13.853/2019 which amended some provisions of the LGPD and provided for the creation of the ANPD.
This year, Thailand’s National Legislative Assembly finally passed the Personal Data Protection Act (PDPA) on 28 February 2019, a law nearly twenty years in the making. After receiving a royal endorsement, the PDPA was published in the Government Gazette and passed into law. It is now set to come into force on 27 May 2020.
Elsewhere in Asia, Singapore has taken steps to update its Personal Data Protection Act (PDPA) in the wake of the disastrous SingHealth data breach, while both China and India have new sweeping data protection legislation in the works.
GDPR Fines are Here
The training wheels came off the GDPR this year as data protection authorities (DPAs) across Europe began issuing fines. While no company has yet attracted the full wrath of GDPR penalties, 4% of its global annual turnover, British Airways came pretty close: in July 2019 the UK’s Information Commissioner’s Office (ICO) proposed a staggering €204 million fine, amounting to 1.5% of the company’s global annual turnover, for security failures that led to a breach which affected 500,000 of its customers. Similar security failures cost Marriott International around €110.4 million.
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), went after US tech giant Google, slapping the company with a €50 million fine for lack of consent on ads.
The end of 2019 brought with it the first multi-million euro GDPR fines to Germany. In November, the Berlin Commissioner for Data Protection and Freedom of Information (BfDI) announced it had fined Deutsche Wohnen SE, a prominent real estate company, €14.5 million, its biggest fine to date, for retaining personal data for an unlimited period of time without checking whether the retention was legitimate or not.
In December, the BfDI issued another major fine of €9.55 million, to mobile services provider 1&1 Telecommunications for failing to take the appropriate technical and organizational measures to protect the processing of personal data.
The Austrian Post was issued an €18 million fine under the GDPR after the Austrian Data Protection Authority found evidence it had processed the political affiliation of data subjects, as well as relocation and package frequency data, for the purpose of direct marketing.
Across the EU, there were 27 major fines issued, amounting to approximately €430 million, showing that data protection authorities now consider that companies have had enough time to reach GDPR compliance. Any organization now found wanting will no longer have any excuses, and DPAs have shown they are not shy about using the full extent of their powers to enforce the GDPR.