September 12, 2018
While it is unclear whether there are, in fact, more personal data breaches occurring, the notification of breaches has certainly seen a notable increase post-GDPR. Both individuals and regulators are therefore becoming increasingly aware of the magnitude of the risk to individuals’ privacy. Cyber attacks like the Yahoo data breach in 2013 illustrate the negative impacts that a data breach can have on individuals and the organization experiencing the attack.
In recognition of this risk, the new European privacy regulation, the General Data Protection Regulation 2016/679 (GDPR), imposes obligations on organizations processing personal data originating in the European Economic Area to address and report personal data breaches in an appropriate and timely manner. In particular, the GDPR requires controllers who suspect or discover a personal data breach to report this to the privacy regulator when there is a risk to the rights and freedoms of natural persons whose personal data has been breached. If a personal data breach poses a high risk to individuals’ rights and freedoms, there is an additional obligation to notify affected individuals themselves.
While the determination of whether or not to report to the regulator involves a careful weighing of factors related to the circumstances of the breach, the message from the UK’s privacy regulator, the Information Commissioner’s Office (ICO), is clear: organizations need not overreport breaches.
At the same time, failure to report a breach that should have been reported can lead to administrative fines of up to €10 million ($11.6 million) or up to 2% of the total worldwide annual turnover of the breaching entity (Article 83(4)(a), GDPR). Therefore, the line between overreporting and failure to report is a thin one that organizations should carefully analyze.
What is a “Personal Data Breach”?
The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed” (Article 4(12), GDPR). Therefore, according to the Article 29 Working Party (WP 29) Guidelines, a personal data breach is a type of security breach, either accidental or intentionally malicious, that impacts personal data.
The “CIA Triad”
In defining the various types of personal data breaches, both the WP 29 and the ICO have referred to the “CIA triad,” which consists of three well-known information security principles: confidentiality, integrity, and availability. Thus, there are three main types of personal data breaches identified:
- Confidentiality breaches: where there is an unauthorized or accidental disclosure of, or access to, personal data.
- Integrity breaches: where there is an unauthorized or accidental alteration of personal data.
- Availability breaches: where there is an accidental or unauthorized loss of access to, or destruction of, personal data.
Thinking of a breach of personal data as a compromise of any one of the CIA triad principles, the ICO has noted, helps organizations identify if they have experienced a breach within the meaning of the GDPR. This also helps them assess the likely impact on the individuals affected and, in turn, determine whether reporting to the regulator is advisable or not under their circumstances. However, not every breach will fall neatly into one of these categories, and a breach in practice may present any combination of two or more principles of the CIA triad.
Example of a Personal Data Breach
Our client, a household brand in the consumer goods and retail sector, instructed a major international law firm to investigate fraud and a potentially serious data breach in the UK. Our team was instructed by the law firm to perform a rapidly moving, multidisciplinary forensic investigation to support a legal review. We deployed forensic specialists, security architects, e-discovery, data analysis, and open source intelligence gathering experts to support the investigation. Our work supported a multipronged legal strategy that included several internal disciplinary actions, reporting to the ICO, and further development and pursuit of civil and criminal litigation options. We provided real-time board-level decision support at appropriate levels (chief executive officer, chief information officer, chief information security officer, and HR) for internal investigations.
GDPR Notification Requirement
The GDPR provides that “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
This raises the question: “When does the controller become ‘aware’ of a personal data breach?” WP 29 considers that the controller becomes “aware” when it has a reasonable degree of certainty that personal data has been compromised. The important point highlighted by the ICO is not that organizations experiencing a breach need to have a comprehensive picture of the breach at this initial stage, but that they are reasonably confident that a breach has occurred.
Risk as a Trigger for Notification
Notification to the privacy regulator is only triggered where there is a “risk” to the rights and freedoms of the individuals concerned. Similarly, notification to the individuals themselves is only triggered where there is a “high risk” to their rights and freedoms. This means that organizations impacted by a breach must carry out a risk assessment exercise and analyze the potential consequences of the breach for the individuals whose personal data has been compromised.
In assessing risk, it is important to consider not only the actual consequences, but also the potential negative consequences of a breach for individuals. Adverse effects can include emotional distress, physical or material damage, loss of control over their own data, limitation of rights, discrimination, and identity theft or fraud. The WP 29 and the ICO have identified factors to consider when assessing risk. They include:
- The type of breach
- The nature, sensitivity, and volume of personal data
- Ease of identification of individuals from the data
- Severity of consequences for individuals
- Special characteristics of the individuals, e.g., vulnerable individuals such as children
- The number of affected individuals
- Special characteristics of the data controller
Documenting and Reporting Breaches
According to the GDPR, organizations affected by a breach of personal data must report breaches that involve a risk to individuals within 72 hours of becoming aware of the breach. The ICO notes these are real hours, including evenings, weekends, and bank holidays. If notification is not made within the 72-hour window, the notification must be accompanied by reasons for the delay. With respect to the timing of the notification, the ICO has noted that the clock does not start running when the processor becomes aware of the breach, but when the controller becomes aware.
When required to report, organizations should notify the privacy regulator and provide the following information:
- A description of what has happened
- The categories of people involved
- The volume of people involved
- The types of records involved
- The volume of records involved
- The likely consequences of the breach
- Mitigation measures taken or proposed
- Either the name of the Data Protection Officer (DPO) or another point of contact
The GDPR does recognize that it is not always possible to fully investigate a data breach within 72 hours and, for this reason, it allows impacted organizations to provide information in phases. A pre-emptive step that organizations can take to facilitate their breach response and notification process is to maintain a thorough data inventory. This not only helps entities comply with Article 30 of the GDPR, the records of processing activities, but also facilitates the investigation of any personal data breach.
The GDPR requires organizations to notify individuals of a personal data breach if there is a high risk to their rights and freedoms. As the ICO reinforces, the threshold for notifying individuals is higher than the threshold for telling the ICO. While “high risk” is not defined in the GDPR, the guidelines state that organizations should consider a combination of the severity and potential impact on the rights and freedoms of individuals, and the likelihood of these occurring. The ICO has mentioned that the regulator can assist organizations in deciding whether or not it is recommended to notify individuals in their specific circumstances.
Regardless of whether or not affected individuals need to be notified, the controller must keep documentation of all breaches. It is up to the controller, WP 29 notes, to determine the method and structure to be used when documenting a breach. However, WP 29 does recommend that the controller also document its reasoning for the decisions taken in response to a breach. Moreover, documentation of the reasons for delaying a notification could help demonstrate that the delay in reporting is justified and not excessive. It is also considered best practice for an organization to maintain proof of any communications with affected individuals. Rather than waiting for a security incident, a controller should also have a documented notification procedure in place, such as an Incident Response Plan, setting out the process to follow once a breach has been detected.
Reporting Trends in the UK
The UK has seen a significant increase in the number of self-reported breaches across Q2 2018, starting with approximately 400 reports in March and April, rising to 650 reports in May, and spiking to 1,792 reports in June, right after the GDPR go-live date of May 25. Health and education, solicitors, and local government led the way in reported breaches, as they did under the old Data Protection Act.
Trends in Other Jurisdictions
The national data protection law currently applicable in Spain is the Data Protection Law 15/1999. The GDPR Implementation Act has not been enacted yet in Spain, although a Data Protection Draft Bill was published on Nov. 24, 2017. The Spanish privacy regulator, Agencia Espanola de Proteccion de Datos (AEPD), has published guidelines on managing security breaches. The AEPD guidance includes an approved communication model for notification of breaches and highlights examples of cases where notification would not be required, for example, if the data was already publicly available and its disclosure did not involve any risk to the owner of the data.
The Romanian Law implementing the GDPR (Law 190/2018) was published in the Official Monitor on July 27, 2018. The Romanian privacy regulator, Autoritatea Nationala de Supraveghere a Datelor cu Caracter Personal, the ANSPDCP, has not yet issued national guidelines concerning a controller’s obligation to report breaches of personal data that pose a risk to individuals’ rights and freedoms, but has approved a Personal Data Breach Notification Form.
The U.S. currently has a multitude of federal and state privacy laws. Beyond these specific privacy laws, the Federal Trade Commission (FTC) has issued a Data Breach Response Guide for Businesses, which includes a Model Breach Notification Letter. It should be noted that most U.S. states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. Depending on the types of information involved in the breach, other laws or regulations may apply to specific situations. In addition to checking state and federal laws or regulations, an organization should also check whether a particular type of breach is covered by the FTC’s Health Breach Notification Rule or the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.
NIS Notification Requirement
Major cyber attacks over the past three years, starting with the 2015 Ukraine energy attack, the 2016 cyber attack on a water treatment plant, and the 2017 ransomware attack on the UK National Health Service (NHS), also sparked regulatory interest in infrastructure security beyond the data protections in the GDPR. The EU Network and Information Systems (NIS) Directive 2016/1148 was adopted by the European Parliament on July 6, 2016, and entered into force in August 2016. EU member states had to transpose the directive into their national laws by May 9, 2018, and identify operators of essential services (OES) by Nov. 9, 2018. Companies identified as OESs or Competent Authorities are the primary subjects to which the NIS Directive applies. The UK’s version of the directive takes the form of the NIS Regulations 2018.
The Cyber Assessment Framework established by the NIS Directive incorporates indicators of best practices and, therefore, operators need not build a cybersecurity framework, as the Directive does this for them. With respect to security incidents, both the NIS Directive and the NIS Regulations require operators who experience incidents that threaten their essential services to notify those affected. Finally, although penalties are left for member states to define, the Directive does mention that the penalties should be effective, proportionate, and dissuasive.
Please note that the present work is informed by authoritative sources such as the UK ICO Webinar on Data Breach Notification 2018 and the WP 29’s Guidelines on Personal Data Breach Notification referenced herein. For further information regarding national data privacy laws, please see the FRA Handbook on European Data Protection Law 2018 and Baker McKenzie’s Global Privacy Handbook 2018. For additional information on the Network and Information Systems Directive, please see the National Cyber Security Centre website.
“Guidelines on Personal Data Breach Notification under Regulation 2016/679,” Article 29 Data Protection Working Party, October 3, 2017, http://ec.europa.eu/newsroom/document.cfm?doc_id=47741.
“General Data Protection Regulation” (GDPR), Article 33(1), May 25, 2018, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
“Legal Project 121/000013 Organic Law of Personal Data Protection,” Spanish Government, http://www.congreso.es/public_oficiales/L12/CONG/BOCG/A/BOCG-12-A-13-1.PDF.
“Security Breaches Guide,” AEPD, https://www.aepd.es/media/guias/guia-brechas-seguridad.pdf (Spanish version).
“Security Breaches Guide,” AEPD, Annex II (Spanish Breach Notification Form), https://www.aepd.es/media/guias/guia-brechas-seguridad.pdf (Spanish version).
Romanian online resource where all acts of parliament are published.
“Decision 128 of June 22nd 2018 regarding the approval of the Security Breach Notification Form in accordance with EU Regulation 2016/679 (GDPR),” ANSPDCP, http://www.dataprotection.ro/servlet/ViewDocument?id=1516 (Romanian version).
“Data Breach Response: A Guide for Business,” Federal Trade Commission, https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf.
“Network and Information Systems Directive 2016/1148,” Article 14, European Parliament, July 6, 2016, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN.
“Data Breach Reporting Webinar,” UK Information Commissioner’s Office (ICO), https://ico.cloud.panopto.eu/Panopto/Pages/Viewer.aspx?id=778fb8a9-4095-4db5-aacb-a914009d53af.
“Guidelines on Personal Data Breach Notification under Regulation 2016/679,” Article 29 Data Protection Working Party, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052.
“Handbook on European Data Protection Law,” 2018 edition, European Union Agency for Fundamental Rights (FRA), May 2018, http://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law.
“Global Privacy Handbook,” 2018 edition, Baker McKenzie, https://tmt.bakermckenzie.com/-/media/minisites/tmt/files/global_privacy_handbook-_2018.pdf?la=en.
“Introduction to the NIS Directive,” National Cyber Security Centre, April 30, 2018, https://www.ncsc.gov.uk/guidance/introduction-nis-directive#1.