Global Privacy Chiefs Swamped by Cyberattack Investigations

By Stephen Gardner

Privacy offices around the world have been inundated with data breach enforcement actions that distract from ensuring basic consumer privacy principles are being upheld, global data protection chiefs said Sept. 29.

Recent large-scale data breaches involving credit reporting service Equifax Inc. and pharmaceutical giant Merck & Co. are just a few examples highlighting the rise in cyberattacks.

“I do worry we are going to be swamped” investigating cybersecurity incidents, U.K. Information Commissioner Elizabeth Denham said Sept. 29 at the 39th International Data Protection and Privacy Commissioners Conference in Hong Kong. The increasing number of cyberattacks, and the media coverage they generate, could “diminish and take focus from the rest of the data protection principles,” she said.

But privacy offices may also find data breach cases attractive to pursue.

Cybersecurity investigations and resulting fines can be an “easy win” for privacy offices, Fred Cate, senior policy adviser to the Hunton & Williams LLP Centre for Information Policy Leadership and a professor at Indiana University Maurer School of Law, told Bloomberg BNA.

Still, cybersecurity safeguards are only one enforcement area that regulators should be focused on, Cate said. If they are burdened by large numbers of data breach investigations, they could overlook companies that don’t respect privacy principles by, for instance, not minimizing data collection or not being transparent about data processing, he said.

Enforcement Coordination

Data privacy chiefs at the conference also expressed the need to coordinate more with other agencies and regulators to ease investigatory burdens, and so that companies are not faced with the need to respond to multiple groups in the aftermath of a cyberattack.

A cyberattack involving health data, for example, could lead to inquiries by data protection commissioners, cybersecurity agencies, and health regulators, Denham said. “For a private entity, if you’ve got three agencies landing on your doorstep in case of a cyber attack, that’s troubling.”

Oftentimes, cyberattack investigations are “extraordinarily resource-intensive,” Timothy Pilgrim, Australia’s information commissioner, said. However, the rise in cyberattacks has brought data supervisors into contact with law enforcement and security agencies to effectuate investigations, he said.

For example, the recent Equifax data breach that exposed the credit reporting records of over 143 million U.S. consumers and many in the U.K. and Canada showed the willingness of data protection regulators to work together, Denham said. The U.K. privacy office worked with the U.K. National Cyber Security Center and the U.S. Trade Commission, in addition to other financial regulators and law enforcement agencies, she said.

“The takeaway message for us is we better get our co-regulatory and coordinating efforts together,” Denham said.

To contact the reporter on this story: Stephen Gardner in Hong Kong at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
