Boom in notifications to Privacy Authority for data breaches: findings from Annual Report 2021
On July 7, the Privacy Authority published its Annual Report (available here), which showed a significant increase in data breach notifications during 2021: 2071 breaches were notified (about 50 percent more than in 2020).
The reports, according to data provided by the Authority, involved both public (50.5 percent) and private (49.5 percent) entities, and in particular both small and medium-sized businesses and professionals, as well as large companies in the telecommunications, energy, banking and services sectors.
The most frequently encountered phenomenon is the spread of ransomware, which has compromised the availability of data within companies' server systems, workstations and databases and, in some cases, has also affected the confidentiality of the information processed. The Authority also found cases of unauthorized or illegal access to personal data processed within complex information systems, and of accidental dissemination of personal data due to misconfigurations of e-mail management software.
The investigative activity carried out by the Authority following the notifications received had the twofold objective of examining the adequacy of the measures adopted by the data controller (or that it intended to adopt) to remedy the personal data breach or to mitigate its possible negative effects on the data subjects, as well as assessing the need to notify the data subjects involved of the breach.
The Authority’s report has led to the adoption of a number of measures, both corrective and, in the most serious cases, sanctioning.
For an in-depth discussion of data breaches, see here.