GDPR Data Breach Notification: What You Need to Know as a Data Controller

THIS BLOG POST IS NOT LEGAL ADVICE. Handling a data breach requires a careful assessment of the circumstances of each incident, and these recommendations cannot be considered alone nor as legal advice. We recommend seeking professional legal advice from competent privacy counsel as soon as you suspect you may have a security incident which could constitute a data breach. To request legal assistance with your compliance program, please contact VeraSafe today.

In the event of a personal data breach, the EU General Data Protection Regulation (“GDPR”) sometimes requires a data controller to notify the appropriate supervisory authority (“SA”) and affected individuals. Under the GDPR, a data controller is the main decision maker, the one who determines if, how and why personal data should be processed. By contrast, processors act on behalf of, and only on the instructions of, the relevant controller.

Even if the personal data breach is the fault of a service provider acting as a data processor, it is the controller that the GDPR obliges to make these notifications where they are required. If, as a data controller, you fail to meet the GDPR data breach notification requirements, or drag your feet in doing so, your organization could face a fine of up to €10 million or 2% of its global annual turnover, whichever is higher.

To provide clarity on when exactly a controller must notify an SA, the affected individuals, or both, the European Data Protection Board (“EDPB”) published a helpful set of example scenarios in their Guidelines 01/2021 on Examples Regarding Data Breach Notification (“Guidelines”). The Guidelines list 18 cases, categorized in six themes:

  • Ransomware attacks
  • Internal human risk sources
  • Data exfiltration attacks
  • Lost or stolen devices and paper documents
  • Mispostal
  • Social engineering, such as identity theft and email exfiltration

These case studies supplement more general guidance from the European Economic Area (EEA) data protection regulators in 2018 about when and how notification is required. 

Keep reading for an overview of these new Guidelines and factors to consider when it comes to data breaches, and discover how we can help your organization.

What Is a Data Breach?

A personal data breach occurs when the personal data for which your organization is responsible suffers a security incident, resulting in the accidental or unlawful destruction, loss, or alteration, or unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. Depending on the breach, the incident may result in a breach of confidentiality, integrity, or availability of personal data.

As a Data Controller, What Should I Do in the Case of a Breach?

Documentation Obligations

Under the GDPR, you must document a data breach as it develops, including the facts, effects, and remedial actions taken. This assists the controller in demonstrating accountability to the SA, which may ask to see those records.

Notification obligations

Whom to Notify

You must notify the SA (see footnote 1) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk, you must also communicate it to the affected individuals without undue delay, unless the data were rendered unintelligible to unauthorized persons (for example by state-of-the-art encryption whose key was not compromised) or you have since taken measures that ensure the high risk is no longer likely to materialize.

If your organization acts as a data processor, you must notify the data controller without undue delay after becoming aware of the breach; the 72-hour clock for the controller starts only once the controller itself is aware.

When to Notify 

The EEA data protection authorities addressed the question of when a controller is deemed to be “aware” of a data breach in their guidance from 2018: a controller is aware when they have a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. 

In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time and forensic work to establish if personal data have been compromised. However, the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required. 

As soon as a controller has a reasonable degree of certainty that personal data protected by the GDPR have been compromised, it must assess whether it has to notify the SA of the personal data breach. The notification must be made without undue delay and, where feasible, not later than 72 hours from the moment the controller becomes aware of the breach; a later notification must be accompanied by the reasons for the delay. If a controller fails to act in a timely manner and it later becomes apparent that a breach did occur, this may be treated as a failure to notify in accordance with Article 33 of the GDPR.

The GDPR recognizes that controllers will not always have all of the necessary information concerning a breach within 72 hours of becoming aware of it, as full and comprehensive details of the incident may not be available during this initial period. It therefore allows for notification in phases. It is common to make an initial notification to the authority and supplement it with additional information as it becomes available. You do not need to wait until you know all the facts of a data breach before notifying (see footnote 2).

Which Factors Should I Consider After a Data Breach to Determine Notifiability?

The Guidelines set out the factors that increase or decrease the risk posed by a breach:

  • Type and volume of personal data accessed
  • Number of individuals
  • Backups
  • Encryption
  • Data restoration period
  • Exfiltration of data by attacker

How these factors weigh also depends on the type of security incident. Personal data can be compromised by human error or by external attacks, such as data exfiltration or ransomware. The Guidelines give several helpful examples of when notification is and is not required. We review those relating specifically to ransomware below.

Do I Need to Report Ransomware Attacks?

In this section, we will explain the views of the authorities in the European Union and the European Economic Area on the obligation to report personal data breaches in the event of ransomware attacks. 

Ransomware attacks involve malicious code that encrypts data, including personal data, and the attacker then demands a ransom from the controller in exchange for the decryption key. Note that many ransomware operators now also copy data out of the network before encrypting it (so-called double extortion), so whether exfiltration can be ruled out is a central question in the assessment below.

Example: A small manufacturing company's computer systems were hit by a ransomware attack, and data stored on those systems was encrypted by the malicious code. This affected the personal data of a few dozen employees and clients. However, the company had stored all data in encrypted form using a state-of-the-art algorithm, and the decryption key was not compromised in the attack. Analysis of the network logs by the company's external cybersecurity experts showed with certainty that no data had been exfiltrated. A backup was readily available, and the data was restored within a few hours, so there were no delays in employee payments or in handling client requests.

In this example, the risk is drastically reduced by the organizational, physical, and technological security measures taken by the company. The attacker could only access encrypted data that could not be read or used by the attacker. This reduces the confidentiality risk to the rights and freedoms of the individuals. The effects of the breach are also mitigated by the company having a proper backup regime.

Further, as the affected data was restored within hours, the breach did not have any significant consequences for the individuals.

Following a detailed impact assessment and incident response process, the authorities consider that it would be correct not to communicate the breach to the individuals or notify the SA in this scenario. The breach, however, must still be documented.

Which Factors Would Need to Change in the Example to Warrant Notification?

Let's say the company only had a paper backup of the personal data, which took five business days to restore and led to minor delivery delays for customers. Here, the absence of an electronic backup increases the risk, and delays in deliveries could lead to financial loss for the affected individuals. For both of these reasons, the SA should be notified of this breach. The Guidelines add that it could be argued that the financial loss to individuals results in a high risk and could therefore warrant informing them as well.

What if the attacker also managed to encrypt the electronic backup, exfiltrate the data and, on top of that, more sensitive data (such as identity documents and credit card details) were compromised? In this scenario, the authorities would likely find that the lack of a usable backup and the data exfiltration increase the risk significantly, as the combined details may lead to identity theft or fraud. Given the high risk to the rights and freedoms of the individuals, communicating the breach to them is considered essential so that they can take steps to mitigate material damage. Documenting the incident and notifying the SA would also be mandatory in this case.
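The notification decision described above (SA notification unless risk is unlikely, communication to individuals when risk is high, and the 72-hour clock from awareness) can be written down as a small decision aid so that the incident response team records the same reasoning every time. The following Python is an added example and is not code from the EDPB Guidelines or from VeraSafe; the three scenarios are constructed to mirror the ransomware cases discussed on this page, and the risk rules and the 24-hour outage threshold are simplifying assumptions, not legal tests.

```python
"""Illustrative GDPR notifiability decision aid (added example, not from the
EDPB Guidelines). The risk rules and thresholds below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Assumption: an outage longer than this elevates availability risk. The
# Guidelines give no numeric threshold; choose one that fits your processing.
PROLONGED_OUTAGE_HOURS = 24.0
# Art. 33(1): notify the SA "where feasible, not later than 72 hours" after awareness.
SA_DEADLINE = timedelta(hours=72)


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"
    LIKELY = "likely to result in a risk"
    HIGH = "likely to result in a high risk"


@dataclass(frozen=True)
class BreachFacts:
    aware_at: datetime                # moment of "reasonable degree of certainty"
    data_readable_by_attacker: bool   # False if state-of-the-art encryption and key not compromised
    exfiltration_ruled_out: bool      # True only if logs positively show no data left the network
    restore_hours: float              # time to restore availability; float("inf") = no usable backup
    sensitive_data: bool              # e.g. identity documents, payment card details
    effective_mitigation: bool        # later measures that remove the high risk (Art. 34(3)(b))


def assess_risk(f: BreachFacts) -> Risk:
    """Map the Guidelines' factors onto the three GDPR risk levels (simplified)."""
    # Ciphertext without the key is unintelligible to the attacker (Art. 34(3)(a)),
    # so confidentiality is only really at stake if the data were readable.
    copy_may_exist = not f.exfiltration_ruled_out
    if f.data_readable_by_attacker and copy_may_exist and f.sensitive_data:
        return Risk.HIGH      # identity theft or fraud is plausible
    if f.data_readable_by_attacker or f.restore_hours > PROLONGED_OUTAGE_HOURS:
        return Risk.LIKELY    # readable access, or a prolonged loss of availability
    return Risk.UNLIKELY


@dataclass(frozen=True)
class Decision:
    risk: Risk
    notify_sa: bool
    notify_individuals: bool
    sa_deadline: datetime


def decide(f: BreachFacts) -> Decision:
    """Apply Art. 33 (SA) and Art. 34 (individuals) to the assessed risk."""
    risk = assess_risk(f)
    return Decision(
        risk=risk,
        notify_sa=risk is not Risk.UNLIKELY,
        notify_individuals=risk is Risk.HIGH and not f.effective_mitigation,
        sa_deadline=f.aware_at + SA_DEADLINE,
    )


# Constructed scenarios mirroring the three ransomware cases discussed above.
AWARE = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)
SCENARIOS = {
    # encrypted at rest, key safe, no exfiltration, restored within hours
    "encrypted_fast_restore": BreachFacts(AWARE, False, True, 4.0, False, False),
    # same, but only a paper backup: five business days to restore
    "paper_backup_slow_restore": BreachFacts(AWARE, False, True, 120.0, False, False),
    # backup encrypted too, data readable and exfiltrated, ID and card data involved
    "exfiltrated_sensitive_no_backup": BreachFacts(AWARE, True, False, float("inf"), True, False),
}


if __name__ == "__main__":
    for name, facts in SCENARIOS.items():
        d = decide(facts)
        print(f"{name}: {d.risk.value}; SA={d.notify_sa}; "
              f"individuals={d.notify_individuals}; SA deadline={d.sa_deadline.isoformat()}")
```

Whatever the outcome, the record of the facts, the assessed risk and the decision belongs in the breach register required by Article 33(5); the decision aid only makes the reasoning repeatable, it does not replace the case-by-case assessment with counsel.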

As a Data Controller, How Can I Prevent Data Breaches and Attacks?

The Guidelines recommend the following preventative measures:

  • Keep operating systems, applications, and firmware updated on servers, networks, and devices
  • Have a secure, up-to-date backup procedure
  • Use effective anti-malware software
  • Have effective firewall and intrusion detection and prevention systems
  • Have state-of-the-art encryption and strong authentication methods
  • Train employees on methods to recognize and prevent attacks
  • Establish a computer security incident response team (CSIRT)
  • Keep detailed logs (including patches, timestamps, etc.) that are forwarded to a central log server
  • Perform regular vulnerability and penetration testing

The nature, sensitivity, and volume of personal data will determine the incident prevention, detection, and response measures needed. Data controllers handling sensitive data have greater responsibilities in terms of having adequate data security.

In most of the scenarios given in the Guidelines, retaining external cybersecurity experts counted in favor of an organization, not only for prevention but also for determining with greater certainty the extent of a breach. This, when coupled with an effective data breach response plan, lets you make an informed decision on the personal data breach notification strategy.

VeraSafe has vast experience in assisting organizations around the world assess and meet their data breach notification obligations and develop robust data breach response plans. With its combination of highly specialized cybersecurity and privacy experts, VeraSafe provides customized and up-to-date legal advice in the event of a data breach.

Data privacy is governed by complex laws and every organization’s approach will need to be tailored to its unique needs. As a well-established privacy law firm, VeraSafe can assist you in avoiding data breaches and handling notifications. We provide clients with data breach advice and notifications under the EU and UK GDPR, e-Privacy Directive, South African POPIA, PIPEDA, and the security notification laws of all 50 U.S. states, to name but a few. 

Reach out to us here for a free consultation.

  1. The SA that must be notified is the competent national supervisory authority in accordance with Article 55 of the GDPR, unless the personal data breach affects cross-border processing. Whenever a breach takes place in the context of cross-border processing and notification is required, the controller must notify the lead supervisory authority. If the controller has any doubt as to the identity of the lead supervisory authority, it should, at a minimum, notify the local supervisory authority where the breach has taken place. Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) of the GDPR and experiences a breach, it is recommended that notification be made to the SA in the Member State where the controller's representative in the EU is established.
  2. The Guidelines state: "the breach should be notified when the controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject. Controllers should make this assessment at the time they become aware of the breach. The controller should not wait for a detailed forensic examination and (early) mitigation steps before assessing whether or not the data breach is likely to result in a risk and thus should be notified."

Contact VeraSafe to discuss your data security management and privacy program today.