How to Handle GDPR Data Breach: New EDPB Guidelines

In October 2020, fast-fashion giant H&M was hit with the second-largest GDPR fine a single company has faced. The retailer was fined €35.3 million (£32.1m) by the Data Protection Authority of Hamburg, Germany for the illegal surveillance of several hundred employees. 

H&M recorded employee meetings where sensitive information was disclosed. Some of this data was recorded, digitally stored, and accessed by the managers. The discovery of illegal data collection activities surfaced in October 2019 when there was a breach of the stored data that briefly made it accessible company-wide.

The same month, British Airways was fined €22 million ($26m) by the Information Commissioner’s Office (ICO) for a data breach that affected more than 400,000 customers. The Airways was fine for its failure to prevent the data breach due to poor cybersecurity measures. The breach was undetected for two months and exposed the credit card information and login credentials of employees.

In February 2020, hotel chain Marriott was fined a €20.4 million fine for the data breach that affected 83 million guest records. Marriot notified that the network of an unspecified hotel chain was hacked and that hackers who obtained the login credentials of two Marriott employees may have accessed the guest details. This is the second data breach by Marriott in recent years following a breach in 2018. 

We have fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.

Read more about the investigation here: https://t.co/qCzdIsXZBh pic.twitter.com/6XDUzjaec0

— ICO – Information Commissioner’s Office (@ICOnews) October 16, 2020

Last year saw a record number of fines for non-compliance with the General Data Protection Regulation, especially personal data breach. According to an analysis by Linklaters, data breach notifications had an average increase of 66% compared to the first year the GDPR.

In fact in December 2020, Ireland’s Data Protection Commission (DPC) issued a fine of €450,000 ($547,000) on Twitter for failing to promptly notify and document a data breach under the GDPR. This is the first cross-border GDPR decision where a US-based tech firm has been fined.

On January 19 2021, The European Data Protection Board (EDPB) published the draft guidelines on data breach notification. The new draft guidelines complement the former guidelines issued by the Article 29 Working Party. The guidelines were open for public consultation till March 2, 2021. You can take a look at all the feedback received here. 

The draft guidelines provide insights into how data controllers should respond to and assess the risk of personal data breaches by providing “practice-oriented, case-based guidance”. The guidelines describe six common types of personal data breaches. It also details case studies on whether the breach should be notified to the Supervisory Authority (SA) and/or to the concerned individuals.

Under Article 33 of the GDPR, data controllers must notify a SA and data subjects within 72 hours of becoming aware of a personal data breach. It should be reported if the breach could pose a risk to the “rights and freedoms” of EU citizens, as spelt out in the EU Charter of Fundamental Rights. 

GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” 

Three types of personal data breaches warrant a data breach notification.

• Confidentiality breach, when there is an unauthorized or accidental disclosure or access to personal data
• Integrity breach,  when there is an unauthorized or accidental alteration of personal data
• Availability breach, when there is unauthorized or accidental loss of access or destruction of personal data 

Organizations are required to do internal documentation of a breach for each and every case, even if it does not require reporting.

We recommend that you consult the full text of the draft guidelines here. The guidelines analyses different types and causes of data breaches and puts forth specific organizational measures on a case-to-case basis.

This article will give you a high-level summary and notable examples from the EDPB guidelines.

The EDPB draft guidelines use 18 case studies or sample scenarios to contextualize different types of data breaches. It then provides guidance on how data controllers should “handle data breaches and what factors to consider during risk assessment.”

The EDPB approaches each case study methodically and considers:

• Prior preventive measures  adopted by the data controller
• The circumstances surrounding the breach and resulting risk 
• Steps to mitigate the breach
• The controller’s obligations for reporting and
• Advisable measures and guidelines 

Ransomware

Ransomware attacks usually constitute availability breaches, but confidentiality breaches may also be involved. The guidelines use the example of a ransomware incident when a company finds that the attacker only encrypted data without exfiltrating it. Since the company had a proper backup regime, the controller was able to restore the data sooner. As the breach was unlikely to result in a risk to the rights and freedoms, no communication to the data subjects is necessary, nor does the breach require a notification to the SA. 

In a similar ransomware attack on a hospital, patient data became unavailable for several days even though the backups were available. In this case, the hospital has to notify the SA and affected individuals as it is a high-risk scenario. 

The EDPB emphasizes the importance of a comprehensive evaluation of data security, with emphasis on IT security and data backup. The guidelines suggest up-to-date, effective and integrated anti-malware software, firewall and intrusion detection and prevention systems to mitigate ransomware attacks. 

Data exfiltration attacks

This type of attack exploits security vulnerabilities of the services offered by way of injection attacks (e.g. SQL injection, path traversal) and similar methods.  Hence, they are mainly breaches of confidentiality and sometimes data integrity. 

The guidelines use the example of a cyber attack on a banking website. The attacker leaks information regarding data subjects such as name, surname, gender, date and place of birth, fiscal code, user identification codes. This breach is categorized as high risk as the data could be used for the unique identification of the users. So, the SA and affected individuals have to be informed in this case.

The guidelines suggest ensuring updated IT security measures such as integrated firewall, intrusion detection and other perimeter defence systems, state-of-the-art encryption and key management, among other measures. The guidelines also highlight the use of two-factor authentication, strong user privileges and access control management policy.

Internal human risk 

Data breach due to human error is not an unfamiliar occurrence. Since these types of breaches can be both intentional and unintentional, it is hard for the data controllers to identify the vulnerabilities and adopt measures to avoid them. 

For instance, the employee of a company copies business data from the company’s database which he is authorized to access. But, after quitting the job he uses the data to contact the clients of the company for his new business.  Since the given breach is not high risk, a notification to the SA will suffice. But informing the data subject is a good practice if you do not want to infringe client confidence.

In this case, no prior measures could have been taken to prevent the employee from copying contact as he had legitimate access. There is no “one-size-fits-all” solution in such cases but a systematic approach may help to prevent them. 

EDPB suggests evaluation of privacy practices, procedures and systems including periodic employee training on security obligations. Other suggested measures are to implement access logs, provisions in employee contracts, disabling open cloud services and open mailing services.

Lost or stolen devices and documents

Loss or theft of portable devices is another common data breach scenario. It can be classified as a breach of confidentiality and breach of availability or integrity, in case there is no backup of stolen data.

According to the guidelines, a loss or theft of unencrypted data, particularly if it involves sensitive data, is a high-risk scenario. This will typically need to be notified to the SA and affected individuals. In case the data controller has remote access to the device and can wipe lost or stolen data, the risk will be lower and notification may not be required. 

The EDPB recommends the use of encryption and strong passwords including multi-factor authentication. For mobile devices such as tablets and laptops, the EDPB recommends MDM (Mobile Devices Management) software/app that enables the remote wipe as well as functionalities that can locate the device in case of loss or misplacement. 

Misposting

Sending personal information to the wrong recipient is another common type of data breach. Since there is no malicious intent, and little can be done after it happens, prevention is key. Some mispostings that involve few individuals are low risk, but EDPB still recommends notifying the data subject as their cooperation is required to mitigate any risk.

If the breach involves a larger set of data subjects, both the data subject and the SA should be notified. EDPB uses the example of an employment department accidentally attaching a  document with jobseekers’ personal data (name, e-mail address, postal address, social security number) along with an email sent to 60,000 of them. Since the number of affected individuals is considerable and also involves their social security number, the risk is high.

The EDPB recommends preventative measures such as implementing message delays and disabling the use of autocomplete when typing in email addresses, setting exact standards for sending letters/e-mails such as extra confirmation and listing the recipients in the ‘bcc’ field in case of multiple recipients. 

Social engineering

The guidelines also consider types of personal data breaches linked to social engineerings such as identity theft and email exfiltration. This type of personal data breach involves malicious actors getting access to personal data through fraudulent ways, identity theft or impersonation. 

Identity thefts present a high level of risk as information about the data subject’s private life may get leaked and could lead to material damage (e.g. stalking, risk to physical integrity). In such cases, both data subjects and the SA should be notified.

Data controllers must implement a high standard of authentication method to confirm the identity of the user, such as adding extra questions and requiring information only known by the user or sending confirmation requests. 

Email exfiltration could lead to both material damage (i.e. financial loss) and non-material damage (i.e. identity theft or fraud). It could result in a high-risk data breach and therefore requires notifying the SA and data subjects. Data controllers must implement incident detection systems and adequate data security provisions to detect an attack and limit the breach quickly.

• The type of the breach, nature, sensitivity, and volume of personal data affected will determine the impact and severity of the breach and the required response for data breach reporting.

• Conduct risk assessment when the data controller becomes aware of the breach. They should not delay the notification by waiting for a detailed forensic examination and mitigation steps.

• In high-risk cases, data breach should be notified to the SA without any undue delay. Complying with the 72-hour deadline could be unsatisfactory in such scenarios. Exceeding the 72-hour time limit is not advisable in any case.

• There is no requirement of data breach notice if the consequences of a data breach is minor and it causes minimal potential risks to the rights and freedoms of data subjects. But, internal documentation of a breach is an obligation for each and every case.

• Communication to the data subjects is essential, especially in high risk scenarios, so they can make the necessary steps to avoid material damage (e.g. block their credit cards). Even in certain low risk cases notifying individuals is advisable or necessary.

• Data controllers handling sensitive data have a greater responsibility to provide higher standard data security measures such as having a security operations center and incident prevention measures in place, and maintaining agile detection and response mechanism.

• Regardless of the outcome and the consequences of any data breach, all data controllers must have appropriate organizational, physical and technological security measures for data protection with particular emphasis on IT security.

• All data controllers should implement data breach policies and procedures and have clear accountability structures. Data breach management training for relevant personnel is also a good practice for achieving accountability and data protection by design.

• The EDPB also encourages drafting a handbook on handling personal data breach so that in  case of a data breach, there is an accessible source of information to allow data controllers to mitigate the risks and meet the obligations without undue delay.

In the two and half years since GDPR was implemented, there have been many cases of over-reporting of potential data breaches while some of the major breaches were not reported promptly. The updated, scenario-based guidelines will not only help data controllers to assess the need for data breach notification to the relevant SAs and data subjects. It will also be helpful in preventing over-reporting of personal data breaches. 

Are you looking for a cookie consent solution for GDPR compliance? CookieYes is a cookie consent solution for your website that will help you to comply with data protection laws like the GDPR and CCPA. Sign up for free today!