Right now 92% of businesses believe their data is NOT secure.
With the update to the GDPR now less than a year away, that lack of confidence will not bode well when it comes to compliance. The new GDPR, which involves stricter regulation, will impose a duty on all organisations to report data breaches to the relevant supervisory authority, and in some cases to the individuals affected. Therefore, should an organisation’s data not be properly secured, it could be looking at a number of violations, sanctions, and fines.
It should be understood that any organisation handling sensitive data is going to face the challenges of dealing with a data breach, no matter how small or large the organisation. These breaches can come from malicious hackers or well-intentioned employees. Understanding the ins and outs of data breaches will play a key role in developing an aligned response strategy.
What is a personal data breach?
A personal data breach is defined by the Information Commissioner’s Office (ICO) as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. For example, a general practitioner could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
What breaches do I need to notify the relevant supervisory authority about?
If a breach is likely to put an individual’s rights at risk, you must notify the relevant supervisory authority of the breach. This would be defined as something that is likely to have a significant detrimental effect on individuals, i.e. resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other economic or social disadvantage.
One recent breach that occurred and required reporting was at Waymo (Google):
– A Waymo (Google) employee downloaded 14,000 proprietary technical files to an external drive 6 weeks before resignation. He used this information to start his own company, developing software and hardware kits for self-driving commercial trucks. His company was later acquired by Uber. The breach was discovered because a Waymo supplier accidentally sent an email, which was meant for the Uber team, to Waymo. That email contained proprietary information and was a clear example of a reportable breach.
When do individuals have to be notified?
Slightly different from the threshold for reporting to the supervisory authority, individuals must be notified directly when a breach is likely to result in a ‘high risk’ to the rights and freedoms of individuals. A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
A couple of examples of recent breaches that would require individual notification:
– Two breaches occurred at AT&T involving call centers. The names, phone numbers, and last 4 digits of the Social Security Numbers for nearly 500,000 accounts were collected and exposed. In addition to paying civil penalties to resolve investigations into consumer privacy violations, AT&T was required to notify all customers, pay for credit monitoring services, and appoint a senior compliance leader.
– A laptop and portable hard drives containing personal information were stolen from the Office of Child Support Enforcement in Washington, which is part of the U.S. Department of Health and Human Services (HHS). The intruders, who reportedly broke in using a key from a disgruntled former employee, caused a significant amount of damage. The devices contained personal information on as many as 5 million individuals, including Social Security numbers, birthdates, addresses and phone numbers. HHS was highly criticized for not being forthcoming about the breach and who might be at risk.
What information must a breach notification contain?
- The nature of the data breach, which includes:
  - The categories and approximate number of individuals concerned; and
  - The categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
How do I notify the proper authorities of a breach?
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows you to provide information in phases.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Failing to notify authorities of a breach when required to do so can result in a significant fine of up to 10 million euros or 2% of your global turnover for some data processing offences. There are also fines of 20 million euros or 4% of global turnover for non-compliance and data transfer offences.
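The notification contents listed above and the 72-hour, phased reporting rule translate naturally into a small breach register entry. The following is an added example, not code from the original article: it records the fields a notification must contain, flags which are still missing so that a first partial submission can go in before the deadline, computes the hours left until the 72-hour window closes, and decides who must be notified from the two risk thresholds the article describes (authority notification for a likely risk to rights, direct notification as well for a ‘high risk’). The timestamps, contact address and breach details are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Added example, not part of the original article: a minimal breach register
# entry supporting phased notification within the 72-hour window.

AUTHORITY_WINDOW = timedelta(hours=72)  # report to the authority within 72 hours of awareness


@dataclass
class BreachRecord:
    became_aware_at: datetime                  # moment the organisation became aware
    nature: str = ""                           # what happened
    individual_categories: List[str] = field(default_factory=list)
    approx_individuals: int = 0                # approximate number of individuals concerned
    record_categories: List[str] = field(default_factory=list)
    approx_records: int = 0                    # approximate number of records concerned
    contact_point: str = ""                    # DPO or other contact for more information
    likely_consequences: str = ""
    measures_taken: str = ""                   # taken or proposed, incl. mitigation
    risk_to_rights: bool = False               # threshold for notifying the authority
    high_risk_to_individuals: bool = False     # higher threshold for notifying individuals
    phase_submissions: List[datetime] = field(default_factory=list)

    def authority_deadline(self) -> datetime:
        return self.became_aware_at + AUTHORITY_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.authority_deadline() - now).total_seconds() / 3600

    def is_overdue(self, now: datetime) -> bool:
        # Overdue only if nothing (not even a partial phase) reached the authority in time.
        deadline = self.authority_deadline()
        return now > deadline and not any(t <= deadline for t in self.phase_submissions)

    def missing_fields(self) -> List[str]:
        # Empty strings, empty lists and zero counts are treated as not yet provided.
        required = {
            "nature": self.nature,
            "individual_categories": self.individual_categories,
            "approx_individuals": self.approx_individuals,
            "record_categories": self.record_categories,
            "approx_records": self.approx_records,
            "contact_point": self.contact_point,
            "likely_consequences": self.likely_consequences,
            "measures_taken": self.measures_taken,
        }
        return [name for name, value in required.items() if not value]

    def notification_targets(self) -> List[str]:
        # A 'high risk' breach clears the lower authority threshold as well.
        targets = []
        if self.risk_to_rights or self.high_risk_to_individuals:
            targets.append("supervisory_authority")
        if self.high_risk_to_individuals:
            targets.append("affected_individuals")
        return targets

    def submit_phase(self, at: datetime) -> Dict[str, object]:
        # Record a (possibly partial) submission and report what is still outstanding.
        self.phase_submissions.append(at)
        outstanding = self.missing_fields()
        return {
            "phase": len(self.phase_submissions),
            "submitted_at": at.isoformat(),
            "within_window": at <= self.authority_deadline(),
            "complete": not outstanding,
            "still_to_provide": outstanding,
        }


def demo():
    # Constructed scenario: awareness at 09:00 UTC, first partial phase after 10 hours,
    # full details supplied in a second phase after 60 hours.
    aware = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(
        became_aware_at=aware,
        nature="Laptop holding an unencrypted customer export stolen from the office",
        individual_categories=["customers"],
        contact_point="dpo@example.org",   # placeholder contact
        high_risk_to_individuals=True,
    )
    first = rec.submit_phase(aware + timedelta(hours=10))
    rec.approx_individuals = 5000
    rec.record_categories = ["contact details", "date of birth"]
    rec.approx_records = 5000
    rec.likely_consequences = "identity fraud, financial loss"
    rec.measures_taken = "remote wipe issued; credit monitoring offered to affected customers"
    second = rec.submit_phase(aware + timedelta(hours=60))
    return rec, first, second


if __name__ == "__main__":
    record, phase1, phase2 = demo()
    print("notify:", record.notification_targets())
    print("phase 1:", phase1)
    print("phase 2:", phase2)
```

The point of `missing_fields` is that the 72-hour clock does not wait for the investigation: the first phase is submitted with whatever is known, and the register keeps a visible list of what still has to follow. `is_overdue` only counts a breach as late when no submission at all reached the authority inside the window.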
What should I do to prepare for breach reporting?
You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.
In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place. This involves an extensive amount of research and education as well as plenty of “what-if” preparations. There is no such thing as being too careful when it comes to a breach under the new GDPR.