Are we becoming more aware of data breaches, or are they happening more often? The International Business Times published an article indicating that One In Three Americans Had Their Health Records Breached In 2015, As Hackers Follow The Money From Retail To Medical Data. While cybersecurity experts have their work cut out to protect data and educate employees to help prevent future breaches, it is critical that companies understand their obligations when collecting, storing, and processing personal data.
Modern data privacy laws place obligations on companies controlling and processing Personal Data. For example, the General Data Protection Regulation (GDPR) (Articles 32-34) requires Data Controllers to notify regulators and, in some cases, affected individuals within 72 hours of becoming aware of a breach of EU Personal Data. Data Processors are under a similar obligation to notify the affected Data Controllers.
What are the 5 steps of Data Breach Management?
STEP 1: DETERMINE WHETHER THE COMPANY HAS A POTENTIAL BREACH NOTIFICATION REQUIREMENT
Did a Breach Occur?
The GDPR defines a breach of Personal Data as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed (“Breach”).
A Breach has occurred if one or more of the following apply:
- Destruction: Personal Data has been inadvertently or unintentionally destroyed or deleted
- Damage: Personal Data has been wrongly altered, corrupted, or is wrongly no longer complete
- Loss: Personal Data may still exist, but the Company has lost control or access to it, or no longer has it in its possession
- Unauthorised or unlawful processing: Personal Data has been disclosed to, or accessed by, recipients who are not authorised to receive or access the data or has been processed in violation of the GDPR
For tracking purposes, Breaches can be categorised as follows:
- Confidentiality Breach: Unauthorised or accidental disclosure of, or access to, Personal Data
- Integrity Breach: Unauthorised or accidental alteration of Personal Data
- Availability Breach: Unauthorised or accidental loss of access to, or destruction of, Personal Data
If “Yes”, is Personal Data involved?
Personal Data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Examples of information that may constitute Personal Data, either alone or in combination, include, but are not limited to:
- Name
- An identification number
- Location data
- Photograph
- Genetic or biometric information
- Social media presence
- Online identifier
- Email address
- Date of birth
- Username
- Passwords
- Log-in Information
- Personal telephone number
- Passport number
- Employment history
- IP address
- Mother’s maiden name
Personal Data is a broad and all-encompassing concept that includes data that is tokenised or pseudonymised if it can be attributed to an individual with the use of additional information. When considering whether data is Personal Data, you should consider the following three questions:
- Does or can the information be used to identify a natural person?
- Can the information, if combined with or linked to additional information, be used to identify a natural person?
- Does the method by which the information is processed identify a natural person?
If “Yes”, does the GDPR apply to the specific Personal Data potentially impacted by the Breach?
- Is your Company established (located or operating) in the UK or EU?
- Is the Personal Data at issue a result of your Company availing itself of the EU market or monitoring behaviour of persons in the UK or EU?
- Does the Data pertain to employees, customers, or vendors located in the UK or EU?
STEP 2: NOTIFY THE SUPERVISORY AUTHORITY
If you are satisfied that the information contained in the Initial Incident Observation record merits reporting to a Supervisory Authority, then you should notify the relevant Supervisory Authority.
Where you are aware of a Breach but require additional time to fully investigate to understand its full extent, you should not delay initial notification beyond the 72-hour mark, but instead should supply as much information to the Supervisory Authority as possible and then supplement the initial notification with further details when they become available. This is known as a placeholder notification.
If very little is known or very little is expected to be known about the Breach before the 72-hour mark, you should provide an initial placeholder notification to the Supervisory Authority as soon as possible.
STEP 3: DETERMINE WHETHER THE COMPANY IS ACTING AS A DATA PROCESSOR OR DATA CONTROLLER
In the event of a Breach of Personal Data, you need to determine whether the Company is a Data Controller or a Data Processor because each carries separate notification reporting obligations.
A Company will be a Data Controller where it collects the Personal Data from Data Subjects and determines the purpose and the means of the processing.
A Company will be a Data Processor where it processes Personal Data on behalf of a Data Controller, under the Data Controller’s instructions.
Your Company will have catalogued this information as part of its Records of Processing Activities (RoPA).
Data Processors
Data Processors are required to notify the Data Controller as soon as possible. You may have agreed on specific notification procedures and timelines, so you should determine whether you have specific contractual reporting obligations. The Data Controller will likely need more information about the Breach, and you should affirmatively keep the Data Controller abreast of all updates. Remember that you are obliged to provide additional information to the Data Controller upon request.
Data Controllers
Not all Breaches of Personal Data trigger a notification obligation to the Supervisory Authority or to Data Subjects. Data Controllers must determine whether the breach presents a risk to the rights and freedoms of natural persons. The risk analysis should be carried out using the criteria set out below against the following tests:
- Company must notify the relevant Supervisory Authority, where the Personal Data Breach is likely to result in a risk to the rights and freedoms of natural persons
- Company must additionally notify affected individuals only where the Breach likely creates a high risk to the rights and freedoms of natural persons
At the very least, the risk analysis should involve asking the following questions:
- Whether there is any potential that individuals may be impacted and
- Whether that impact is high
Almost anything could present a risk to the rights and freedoms of natural persons, and the addition of one external factor may turn a non-risk into a risk. The standard for a risk that triggers a notification obligation to the Supervisory Authority is a relatively low bar. Conversely, the standard for a high risk that triggers an additional report to the affected individuals is a relatively high bar.
The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. The risk assessment, at the very least, should consider the following factors:
- The type of Personal Data Breach
  For example, a confidentiality breach whereby medical information has been disclosed to unauthorised parties may have a different set of consequences for an individual than a breach where individuals’ medical details have been lost and are no longer available
- The nature and sensitivity of Personal Data
  Usually, the more sensitive the data is, the higher the risk of harm will be to the people affected. However, consider the following:
  - The context: the name and address of a person is not seen as sensitive; however, if the name and address of an adoptive parent is disclosed to a birth parent, the consequences could be very severe for both the adoptive parent and child. Conversely, other personal data which is clearly public may not constitute a likely risk to individuals in other contexts
  - The potential uses of the data: Personal Data Breaches involving health data, identity documents, or financial data such as credit card details can all cause harm on their own, but if used together they could be used for identity theft
- The volume of Personal Data
  Note that a small amount of highly sensitive Personal Data can have a high impact on an individual, and a combination of details can reveal a greater range of information about that individual. Also, a Breach affecting large volumes of Personal Data about many individuals can impact a correspondingly large number of individuals
- Whether “Special Categories” of Personal Data or data relating to criminal convictions and offences are involved
  Damage should be considered likely to occur when the Personal Data Breach involves personal data that reveals or includes:
  - Racial or ethnic origin
  - Political opinion
  - Religion or philosophical beliefs
  - Trade union membership
  - Genetic data
  - Biometric data for the purposes of uniquely identifying an individual
  - Data concerning health or data concerning sex life
  - Criminal convictions and offences or related security measures
- Ease of identification of individuals using the Personal Data, or by matching the data with other information
  Consider whether, for example:
  - Identification could be possible directly from the Personal Data breached with no special research needed
  - It would be extremely difficult to match Personal Data to a particular individual, but it could still be possible under certain conditions
  - Identification may be indirectly possible from the breached data, using context and/or publicly available personal details
  Note that pseudonymised data can reduce the likelihood of individuals being identified, but on their own, pseudonymisation techniques are not regarded as making the data unintelligible
- Severity of consequences for individuals
  Consider the following criteria:
  - Type of consequence: especially severe consequences include identity theft or fraud, physical harm, psychological distress, humiliation, or damage to reputation
  - Permanence of the consequences: the impact may be viewed as greater if the effects are long-term
  - Who may have accessed the Personal Data?
    - If the Personal Data is in the hands of people whose intentions are unknown or possibly malicious, this can have a bearing on the level of potential risk
    - The recipient may be considered “trusted” (e.g., where Personal Data is sent accidentally to the wrong department of an organisation, or to a commonly used supplier organisation). Even if the data has been accessed, the Company could still possibly trust the recipient not to take any further action with it and to return the data promptly
    Note: the fact that the recipient is trusted may eliminate the severity of the consequences of the Personal Data Breach, but it does not mean that a Personal Data Breach has not occurred. Recording obligations will therefore still apply
  - Whether negative consequences are possible
    Regulatory guidance provides several examples of breaches which are or are not likely to result in a notifiable Personal Data Breach:
    - If a confidentiality breach of encrypted data occurs (e.g., an encrypted USB device is lost), it may be unlikely to result in risk to individuals if the encryption is state-of-the-art and the encryption key has not been compromised (i.e., the data is in principle unintelligible)
    - Other types of negative consequences may arise, e.g., if the Company has no back-ups (or has back-ups that cannot be restored in good time) and the information is thus not accessible, in a way which could cause negative effects to individuals
- Special characteristics of the individual
  A Personal Data Breach may affect personal data concerning children or other vulnerable individuals, who may be placed at greater risk of danger because of their special characteristics
- Special characteristics of the Company
  The special characteristics of the Company should also be considered when assessing risk. To the extent that the Company has characteristics which may have an impact, these should be part of the assessment. One example may be if the Company is involved in “risky processing activity”, including but not limited to using “new technologies” to process data, large-scale processing (e.g., regional, national, supranational), or systematic and extensive evaluation of personal aspects based on automated processing on which decisions regarding individuals are based
If you determine there is a risk to the rights and freedoms of natural persons, notify the Supervisory Authority. However, if you determine there is no risk to the rights and freedoms of natural persons, there is no requirement to notify the Supervisory Authority. We suggest, however, that you consult your legal advisor for confirmation.
STEP 4: IF THE COMPANY IS A DATA CONTROLLER, DETERMINE WHETHER THE RISK IS A HIGH RISK
If you determine that there is a risk to the rights and freedoms of natural persons, you must go on to determine whether the risk is a high risk.
If you determine there is likely a high risk to the rights and freedoms of natural persons, in addition to notifying the Supervisory Authority, you must notify affected individuals.
You should consider and weigh the same factors as described above, keeping in mind the potential impact (severity, duration of impact, etc.) the Personal Data Breach could have on affected individuals. Next, consider whether an exemption applies. The requirement to notify affected individuals will not apply in any of the scenarios below. However, hardship, effort, and/or expense on the part of the Company are not exceptions and are not reasons for a delayed notification. We strongly suggest you obtain legal approval before relying on an exception.
Available exceptions are:
- The Company has applied appropriate technical and organisational measures to protect personal data prior to the Personal Data Breach, in particular those measures that render personal data unintelligible to any person who is not authorised to access it
- Immediately following a Personal Data Breach, the Company took steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise
- It would involve disproportionate effort to contact individuals, perhaps where their contact details have been lost because of the Personal Data Breach or are not known in the first place
If you determine that the likely risk to the rights and freedoms of natural persons is high, and an exception does not apply, you must issue a notification to affected individuals, which must include the following information:
- Information on the nature of the Personal Data Breach
- The name and contact information of the Data Protection Officer (DPO) or delegate
- Likely consequences of the Personal Data Breach
- Measures which the Company has taken or proposes to take to address the Personal Data Breach, including any measures to mitigate its possible adverse effects
- Where appropriate, specific advice to individuals to protect themselves from possible adverse consequences of the Personal Data Breach
- Any other relevant information that the Company deems appropriate
The Personal Data Breach should be communicated to the affected individuals directly. The Company may decide which channels it wishes to use. The requirement is that communication is “transparent.” For example:
- Email, SMS, direct message
- Prominent website banners or notification
- Postal communications
- Prominent advertisements in print media
A message confined to a press release or corporate blog is unlikely to be deemed “transparent”.
STEP 5: RECORD BREACH IN AN INTERNAL DATA BREACH LOG
All Personal Data Breaches should be recorded regardless of whether the Company determines that it needs to notify the Supervisory Authorities or affected individuals.
The Company should maintain original copies of all Forms pertaining to the Incident and store them, or copies, with the Log.
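The five steps above, from "did a Breach occur" through the internal log entry, encoded as a small triage helper. This is an added example, not code from the original article or from The Data Privacy Group: the field names, the scoring rules in `assess_risk` (which factors push a breach from "risk" to "high"), the exemption strings and the sample breaches are constructed assumptions for illustration; only the 72-hour Supervisory Authority window and the factor list come from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Special categories from the risk-assessment factor list (labels constructed).
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinion", "religion_or_beliefs",
    "trade_union_membership", "genetic", "biometric_id", "health",
    "sex_life", "criminal_convictions",
}
# Combination the text singles out as enabling identity theft (constructed labels).
IDENTITY_THEFT_COMBO = {"identity_document", "financial"}
NOTIFY_WINDOW = timedelta(hours=72)  # deadline for the Supervisory Authority


@dataclass
class Breach:
    breach_id: str
    role: str                 # "controller" or "processor" (Step 3)
    breach_type: str          # "confidentiality", "integrity" or "availability"
    data_categories: set
    subjects_affected: int
    identification: str       # "direct", "indirect" or "unlikely"
    aware_at: datetime        # when the Company became aware; starts the 72h clock
    encrypted_key_safe: bool = False    # state-of-the-art encryption, key not compromised
    recipient_trusted: bool = False     # e.g. sent to the wrong internal department
    vulnerable_subjects: bool = False   # children or other vulnerable individuals
    risk_mitigated: bool = False        # steps taken so the high risk no longer materialises
    contacts_unknown: bool = False      # contact details lost or never held
    investigation_complete: bool = False


@dataclass
class Decision:
    record_in_log: bool = True          # Step 5: every Breach is recorded
    notify_controller: bool = False
    notify_supervisory_authority: bool = False
    notify_individuals: bool = False
    individual_exemption: str = ""
    sa_notification_kind: str = ""      # "full" or "placeholder"
    sa_deadline: Optional[datetime] = None
    sa_overdue: bool = False
    risk: str = "none"


def assess_risk(b: Breach) -> str:
    """Return 'none', 'risk' or 'high'. Illustrative scoring of the page's factors."""
    # Unintelligible data or a trusted recipient: a Breach occurred, but no likely risk.
    if b.breach_type == "confidentiality" and (b.encrypted_key_safe or b.recipient_trusted):
        return "none"
    # High bar: special categories, vulnerable individuals, or an identity-theft enabling set.
    if (b.data_categories & SPECIAL_CATEGORIES or b.vulnerable_subjects
            or IDENTITY_THEFT_COMBO <= b.data_categories):
        return "high"
    # Low bar: anything else where individuals could be impacted is a risk.
    return "risk"


def individual_exemption(b: Breach) -> str:
    """Step 4 exceptions; an empty string means none applies."""
    if b.encrypted_key_safe:
        return "data unintelligible to unauthorised persons"
    if b.risk_mitigated:
        return "high risk no longer likely to materialise"
    if b.contacts_unknown:
        return "disproportionate effort to contact individuals"
    return ""


def triage(b: Breach, now: datetime) -> Decision:
    d = Decision()
    if b.role == "processor":
        d.notify_controller = True      # the Controller performs the risk analysis
        return d
    d.risk = assess_risk(b)
    d.sa_deadline = b.aware_at + NOTIFY_WINDOW
    if d.risk in ("risk", "high"):
        d.notify_supervisory_authority = True
        # Step 2: never wait past 72h for the investigation; file a placeholder instead.
        d.sa_notification_kind = "full" if b.investigation_complete else "placeholder"
        d.sa_overdue = now > d.sa_deadline
    if d.risk == "high":
        d.individual_exemption = individual_exemption(b)
        d.notify_individuals = d.individual_exemption == ""
    return d


def log_entry(b: Breach, d: Decision) -> dict:
    """Step 5: the record kept in the internal breach log whatever the outcome."""
    return {
        "breach_id": b.breach_id, "role": b.role, "type": b.breach_type,
        "subjects": b.subjects_affected, "risk": d.risk,
        "notify_sa": d.notify_supervisory_authority,
        "notify_individuals": d.notify_individuals,
        "exemption": d.individual_exemption,
        "sa_deadline": d.sa_deadline.isoformat() if d.sa_deadline else "",
    }


# Constructed sample incidents.
AWARE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
HEALTH_EXPORT = Breach("BR-1", "controller", "confidentiality", {"name", "health"},
                       50, "direct", AWARE)
LOST_ENCRYPTED_USB = Breach("BR-2", "controller", "confidentiality", {"name", "email"},
                            200, "direct", AWARE, encrypted_key_safe=True)
PROCESSOR_INCIDENT = Breach("BR-3", "processor", "integrity", {"name"}, 5, "direct", AWARE)
NO_BACKUPS = Breach("BR-4", "controller", "availability", {"name", "address"},
                    10, "direct", AWARE, investigation_complete=True)
```

Running `triage(HEALTH_EXPORT, AWARE + timedelta(hours=30))` yields a high-risk decision with a placeholder notification to the Supervisory Authority and notification to the individuals; the lost encrypted USB stays a record-only entry; the processor incident produces only a Controller notification; and the availability breach checked 80 hours after awareness is flagged as overdue.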
Data Breach Management – How The Data Privacy Group can help
The Data Privacy Group is a premium OneTrust partner. Our team of experts is CIPP/E accredited and certified as OneTrust Fellows of Privacy Technology.
We can implement and configure OneTrust’s Incident and Breach Management module, AI engine and Assessment Automation module to ensure you are guided through the process of assessing, recording and notifying breaches in compliance with the Data Privacy laws appropriate to your jurisdiction. Our on-going management services will ensure your breach response program remains evergreen by adjusting and updating the framework as your Company changes or as the law changes.
If you need help managing the breach, we can provide experts that have assisted many companies to assess and handle breaches in real time.
We can provide access to OneTrust Data Privacy training courses, or test your Breach Team’s readiness through one of our complex tabletop breach drills.
Whatever your needs, we are here to help.