Businesses err on side of caution to report possible data breaches

A total of 28 were reported to the Office of the Data Protection Commissioner in the two months up to 13 December.

This compares with 26 reported breaches over the two months up to 18 October, the previous period.

Most reported incidents were low-level with no further action required. As with the previous reporting period, there have been a number of incidents where hackers have gained control of email accounts using social engineering techniques where staff are persuaded to release confidential information.

The ODPC also said it had a heavy caseload of ongoing investigations into breaches and complaints requiring significant further inquiry.

‘We continue to see local organisations engaging in their legal obligation to report data breaches to our office. This is an essential aspect of compliance as it requires organisations to proactively engage with the risks they face in protecting people’s personal information,’ said Emma Martins, Guernsey’s data protection commissioner.

‘It also ensures they robustly consider the impact a breach may have on the people whose data has been affected.’

The ODPC also said the increase in reported breaches was likely due to certain organisations erring on the side of caution by reporting incidents that do not necessarily meet breach criteria as well as businesses being increasingly aware of their legal obligation to report breaches.

However, the ODPC said it was encouraging all local organisations to continue with this cautious approach because this provided valuable intelligence to the real-world risks faced by them.

Breach report information is used by the ODPC to shape activities, particularly communications and regulatory action plan, and target its resources in the most effective way. It is currently working to improve its online breach reporting mechanism and wants comments submitted by email to enquiries@odpc.gg.