The ICO website states clearly that an organisation suffering a personal data breach must notify the ICO within 72 hours of becoming aware of it (UK GDPR Article 33), and must tell the affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34).
Let's be clear: 72 hours. That equates to three days.
Not the roughly 300 days it took the Electoral Commission to tell the public about THE BIGGEST data breach in UK history.
For those who missed the headlines: the Electoral Commission announced the breach on 8th August 2023, having discovered in October 2022 that hackers had been inside its systems since August 2021. That included unfettered access to the names and addresses of at least 40 million people registered to vote between 2014 and 2022.
The eagle-eyed among you may spot another potential GDPR contravention. Data should only be held for as long as it is needed (the storage limitation principle, Article 5(1)(e)). Did the Electoral Commission really need to keep voter PII from 10 years ago for research purposes? Did they hell. That's what anonymised trend data is for. Granted, storage limitation is a principle rather than a prescriptive rule, and "no longer than necessary" is open to interpretation, but something tells me the Electoral Commission could be in hot water.
We recently published the results of our annual survey which investigates ICO enforcements, which you can read here: https://www.thesoftwarebureau.com/data-processing-security-is-key-data-concern-for-2023/
Whilst the most common actions taken over the past 12 months were for data processing and right of action, the second biggest fine of the year (£4.4m) was issued for a data breach in which the data of 113,000 Interserve employees was accessed by third parties. 113,000 data records versus 40 million... watch this space.
The fact is that the Electoral Commission, a public sector body, is setting a terrible example to the private sector. But beyond this, Rachel Aldighieri of the DMA raised a very important point: this could have a severe impact on public trust in the digital economy.
She commented: “High profile data breaches like this, rooted in a lack of communication and transparency, risk damaging the tireless work our industry has put in to build people’s trust. Data, and consumers’ willingness to share it, is a fundamental part of the digital economy.”
I've said it before and I'll say it again: data security, in whatever guise (cyber security, data processing security, encryption, access control and the like) is a business fundamental that cannot be taken lightly. And the moral of the story: if you suffer a breach, report it immediately.