Privacy Update 2018
During the Cyber Risk conference on 12 March 2019, I gave an update on privacy and cybersecurity, particularly in the financial sector. This article is an adaptation of that presentation.
During the presentation, I spoke about three topics:
- A recent study about how the Dutch population thinks about privacy;
- The data breaches reported in 2018; and
- The privacy fines imposed in 2018.
Privacy in the insurance sector
But first we discussed the relevance of privacy in the insurance sector.
If we look at the ‘insurance customer journey’, it clearly shows that privacy can be important in all phases of the customer journey:
- Awareness: marketing towards (potential) insurance customers;
- Research & purchase: from orientation phase, quotation, acceptance, to concluding an insurance contract;
- Claim: reporting of damage, examination of the claim, payment or rejection of the claim;
- Renewal: possible adjustment of insurance conditions, extension or termination of the insurance contract.
Privacy update: We are worried about privacy.
Now it is time for the privacy update: how do Dutch people think about privacy? Are we worried, and what are we worried about?
The privacy authority in the Netherlands conducted a survey among 1,002 Dutch people aged 18-75, about whether they are concerned about their privacy.
94% of the people questioned have some concerns about privacy. And 1 in 3 Dutch people are very concerned about privacy.
Financial sector has a high ‘score’
What organizations are we concerned about?
79% of the surveyed people are very concerned about banks and insurers.
And 64% are very worried about pension funds.
So banks and insurers ‘score’ as high as tech companies; and that’s not good news.
What data are we concerned about?
We are particularly concerned about data relating to our credit score. 57% of people are concerned or very concerned about this.
The strange thing is that ‘credit score’ was combined with ‘criminal offences’ in the survey, while these are quite different types of data.
Update: notified data breaches in 2018
The Dutch Data Protection Authority has published a report (in Dutch only) about the notified data breaches in 2018.
Some interesting findings are:
- In the Netherlands, 20,881 data breaches were notified in 2018. In comparison: in the entire European Union, there were approximately 59,000 data breach notifications in 2018. This means that the Netherlands was responsible for nearly half of all data breach notifications in the EU!
- The number of data breach notifications increased by 109% compared to 2017. In the Netherlands, we have had a notification duty for data breaches since 2016, even before the GDPR entered into force. The large increase can be explained by the fact that there has been more ‘GDPR awareness’ and more fear of higher fines. Under the previous privacy law, the maximum fine for not notifying a data breach was 820,000 Euros. Under the GDPR, the maximum for this is 10 million Euros. That is a difference of more than 9 million Euros.
- The healthcare and financial sectors are the largest data breach notifiers. Collectively, these two sectors account for more than half of the total number of notified data breaches.
Humans are the biggest cause of data breaches
Not cyber attacks, but human errors are the main cause of the notified data breaches.
63% of the data breaches concerned personal data that were sent or handed over to the wrong recipient.
Only 4% of the reported data breaches were due to hacking, malware or a phishing attack.
The largest privacy fines in 2018
A few fines were already imposed in 2018, but most of these fines were still imposed under the ‘old’ privacy law. Below is a list of the highest fines from 2018. From this list, the highest fine was imposed in France, and the ‘lowest’ one in the Netherlands.
Google: € 50,000,000
Google has the ‘honor’ of receiving the highest fine imposed so far under the GDPR. Google received a fine of 50 million Euros from the French privacy authority (CNIL). The main reason? Insufficient transparency and unclear information about privacy.
Uber: € 600,000
In 2016, a large data breach took place at Uber, which also affected a lot of customer data in the Netherlands. But the large data breach was only reported to the Dutch privacy authority (AP) in 2017. The AP ruled that this was too late and imposed a fine.
The ‘old’ privacy law still applied in 2017, when a fine of up to 820,000 Euros could be imposed. If this case had been assessed under the GDPR, the fine would have been much higher (probably several million Euros).
Facebook: £ 500,000
Facebook was fined half a million British pounds in the United Kingdom following the large Cambridge Analytica scandal involving Facebook.
Equifax: £ 500,000
Equifax was the victim of a large-scale hack, in which the payment details of many people were stolen. The British privacy authority found that Equifax violated five privacy principles and imposed a fine of £500,000 on Equifax.
The fines of both Facebook and Equifax were imposed under the ‘old’ privacy law in the United Kingdom.
Theodoor Gilissen: € 48,000
The bank Theodoor Gilissen Bankers (now called Insinger Gilissen) received a penalty of 48,000 Euros for a violation of the right to access personal data.
What to expect in 2019?
In reality, there are probably many more data breaches that should have been reported. The ‘real’ number of data breaches in 2018 is therefore actually higher.
But how do you find out? For example, a data breach may become known if someone complains about it, or publishes it in the media, while the organization itself had not reported it to the relevant privacy authority. Then the organization is in real trouble.
The Dutch Privacy Authority has already indicated that it will pay more attention to unreported data breaches, and will issue higher fines.
2019 will be the year of the unreported data breach.