In certain cases, the General Data Protection Regulation (GDPR) requires entities that experience a personal data breach to provide notice of the incident to relevant national supervisory authorities and the individuals whose personal data was compromised. The European Data Protection Board (EDPB) — a board of representative members from each of the European national supervisory authorities — previously endorsed the February 2018 guidelines on personal data breach notification. On Jan. 19, 2021, the EDPB published draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “draft Guidelines”) to complement the initial notification guidelines. The draft Guidelines provide 18 sample data breach scenarios and offer guidance as to how data controllers should respond to such incidents and analyze potential notification obligations.
The draft Guidelines begin by reiterating core notification principles from the 2018 guidelines. Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Three types of personal data breaches trigger a notification obligation: (a) “confidentiality breaches,” which occur when there is an unauthorized or accidental disclosure of, or access to, personal data; (b) “integrity breaches,” which involve the unauthorized or accidental alteration of personal data; and (c) “availability breaches,” which involve the unauthorized or accidental loss of access to, or destruction of, personal data. Controllers must notify the appropriate supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to create a risk to a data subject’s rights and freedoms. The draft Guidelines state that controllers should make this risk assessment when they become aware of the breach and should not wait for a detailed forensic examination before assessing the breach’s impact.
The EDPB draft Guidelines use 18 distinct sample fact patterns to contextualize the EDPB’s guidance about how data controllers should “handle data breaches and what factors [they should] consider during risk assessment.” The example scenarios address (1) ransomware attacks, (2) data exfiltration, (3) employee errors and former employee misconduct, (4) lost or stolen devices and paper documents, (5) inadvertent disclosures, and (6) social engineering, such as identity theft and email exfiltration. After describing each scenario, the EDPB considers several factors, including:
- The impact and severity of the adverse effects of the breach (this assessment should be made when the organization becomes aware of the breach, and organizations should not delay the notification by waiting for a detailed forensic examination and mitigation steps).
- The underlying vulnerability, the method of infiltration (when applicable) and whether malicious code is present, in order to understand the consequences.
- Whether the affected information was protected at rest.
- Whether there is a potential to mitigate the harm, and whether a mitigation plan is in place.
While these factors are important considerations, all breaches must be analyzed on a case-by-case basis. “Regardless of the outcome and the consequences of the attack, the importance of an all-encompassing evaluation of the data security system – with particular emphasis on IT security – cannot be stressed enough.” The draft Guidelines emphasize that controllers handling sensitive data, including financial information, have a greater responsibility to provide adequate data security, such as having a security operations center and incident prevention measures in place, and maintaining detection and response procedures. Not meeting these higher standards “will certainly result in more serious measures during an SA’s [supervisory authority] investigation.”
To underscore the importance of an incident analysis, the EDPB draft Guidelines reiterate the need in all scenarios to assess the risks of a breach. For example, when assessing the risks of a ransomware scenario, the controller should investigate the method of infiltration and identify the type of malicious code in order to understand the possible consequences of the attack. Where data was exfiltrated, the nature, sensitivity and volume of personal data affected in the breach should be assessed to determine how the breach affected the data subjects. Further, the controller should consider whether the impacted data was encrypted at rest or otherwise could not be read or used by the perpetrator. In instances when the decryption key was not compromised or the data remains unusable, the confidentiality risks to the rights and freedoms of natural persons are reduced to a minimum. Additionally, the EDPB draft Guidelines highlight the importance of documenting breaches in all instances, regardless of whether they trigger notification obligations.
The draft Guidelines confirm that where only minor consequences can be identified and the potential risks to the rights and freedoms of data subjects are minimal or easily mitigated, notice is not required. The draft Guidelines also reinforce the principle that certain breaches will require notice to the supervisory authority (where there is some risk to the rights and freedoms of data subjects) but not to data subjects (because there is not a high risk).
The draft Guidelines are open for public consultation until March 2, 2021. Replies received will then be published on the EDPB website. The draft Guidelines are available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2021/guidelines-012021-examples-regarding-data-breach_en