In the first month since the GDPR became enforceable, data breach self-reporting is up 500%
Even before the European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25th, the words “personal data breach” were enough to send shivers down to the spines of CIOs and CISOs the world over. While the public seems to be growing numb to the torrent of data breach news and notifications that have been coming their way (5,027 breaches compromising over 7.8 billion records in 2017), security professionals – especially corporate ones – are more sensitive than ever to the dangers of a personal data breach.
And now with the GDPR enforceable, in addition to the potential loss of business and damage to reputation that could occur, there is also potential for steep fines, potentially up to €20,000,000 or 4% of total international revenue.
That in turn has led to a major spike in self-reporting in the first month of GDPR enforcement, with 1,792 breaches self-reported to the UK Information Comissioner’s Office (the UK’s Data Protection Authority) in June of 2018. That’s compared to just 367 breaches reported in April, the last full month before the GDPR went into effect.
However, in a recent webinar, the ICO’s head of Data Breach Reporting, Laura Middleton, cautioned that: “not every personal data breach needs to be reported. So controllers should assess the likelihood and severity of risk to individuals before making that decision to report.”
So that’s what we’re going to cover today: under the GDPR, what constitutes a personal data breach and when should you report one?
Let’s hash it out.
Under the GDPR, what is a Data Breach?
In many ways, the term “Data Breach” is probably not a broad enough descriptor. Just like with many American laws, the legal definition and the popular definition differ. For the sake of the GDPR, Personal Data Breach covers a range of data incidents, everything from accidental disclosure to deletion to an actual breach of security where information is stolen. Here’s the official GDPR definition in Article 4(12):
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Let’s break that down a little bit. A breach of security in this sense doesn’t have to be an attacker fighting through your defenses. A breach of security can occur as a result of something as simple as an employee’s mistake or a database error. The more important portion of this definition is the back half, which is fairly broad. And that’s likely led to some over-reporting, where incidents that didn’t rise to the level of needing to be reported were still documented with the ICO out of a sense of caution.
But for the sake of clarity, let’s define a GDPR personal data breach in our own laymen’s terms.
A personal data breach occurs anytime, whether by accident or an act of malice by an attacker, a customer’s data is inadvertently destroyed, lost, altered or disclosed to the wrong party.
Now, let’s talk about what your responsibilities are for reporting a data breach under the GDPR.
You have 72 hours to report a personal data breach after it’s discovered
This is the biggest thing that you need to be aware of as you investigate any data incident and make a determination on reporting: you have 72 hours from the time you discover the issue. Now, with a true breach the average time it takes a company to detect it usually around 190 days. Some of the other data incidents that roll up under the GDPR’s “Personal Data Breach” definition may take considerably less time to diagnose. Regardless of how long it takes for the problem to present itself, once it’s been discovered you need to document that down to the minute and from there you have three days to decide what you need to do.
Here’s how the GDPR lays out your responsibility in Article 33(1):
1In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
As you can see from the definition, your company or organization is faced with a decision regarding the severity of the incident. And much like with determining your “legitimate interests,” the GDPR is essentially asking you to perform an analysis that weighs the risk to the rights of the data subject.
To figure that out you’re going to need to answer some questions, and it would be a good idea to document these as part of your investigation.
- What Happened? What kind of incident was this, did you leave an AWS bucket with all of your users financial data protected or did you just send the wrong customer the wrong email?
- How many people were affected? Is this a large-scale breach or is it limited to just a handful of people. Most literature around GDPR puts the cut off for “large-scale” at 500 data subjects.
- What personal data was compromised? Is this just a customer’s name and email address? Or is it more sensitive data like financial information or special categories of personal data?
- What is the risk to the affected data subjects? Worst case scenario, what could be done with this information to harm the data subject either financially, materially or reputationally?
- What caused this situation? Was it an attacker exploiting your security? Was this a technical mistake? Human error?
- How easily can this issue be remediated? Will this take months to fix or is this just a simple tweak? When will you be able to accomplish this?
If you can answer those questions, you should be able to weigh what risks this personal data breach could pose to those affected and whether or not this incident rises to the level of reporting.
When is Reporting a Personal Data Breach not necessary?
That’s a decision that is entirely yours, one that should be made after considering all of the possible information regarding cause, size and scope. It would be irresponsible to make categorical suggestions here. But it should be pretty obvious once you investigate. Some of it also comes down to how cautious you want to be given the sizable penalties associated with messing this up.
It all comes down to the risk posed to the data subject(s). If the breach is small, limited to a single data subject, and doesn’t include passwords or financial data, you may be fine just documenting the situation and not reporting it. Or you might want to just play it safe and report it to your Data Protection Authority, anway.
Regardless, you need to be documenting everything. And if you decide not to report an incident, make sure you document why you chose not to, including an exaplanation of why you don’t feel this poses a significant risk to the data subject.
What information should be included in a breach notification?
Your breach notification is going to need to include all of the following information:
- A description of the personal data breach, including the categories and number of data subjects involved, as well as the types and quantity of records compromised.
- A name and contact information for either your registered Data Protection Officer or the individual heading up the investigation, someone who can be contacted for information.
- A description of the possible (and most likely) consequences of the compromise.
- A description of your investigation and any measures you have taken or will be taking to remediate the issue.
If you don’t have all of the information within the first 72 hours (when you are required to report), it can be provided in phases, as it becomes available, provided this is done in haste.
Remember, transparency is important. If your supervisory authority doesn’t think you’re acting in good faith you will be penalized. So don’t try to be sneaky or hide anything. Most Data Protection Authorities, at least at this point – early on in the GDPR enforcement period – have shown a willingness to work with companies and not be overly punitive. They’re not trying to be adversarial, they’re just trying to make sure that peoples’ rights are respected.
Who is my Data Protection Authority?
Your relevant Data Protection Authority varies by country and region. This is probably something you should have already figured out, but in the event you need a refresher, here’s a list of Data Protection Authority by country:
For the United States, your Data Protection Authority is either the Department of Transportation of the Federal Trade Commission. You can check out the rest of the DPAs below:
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Telephone: (202) 326-2222
Department of Transportation
1200 New Jersey Ave, SE
Washington, DC 20590
Telephone: (202) 366-4000
Commission de la protection de la vie privée
Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
Commission for Personal Data Protection
Croatian Personal Data Protection Agency
Commissioner for Personal Data Protection
The Office for Personal Data Protection
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Office of the Data Protection Ombudsman
Commission Nationale de l’Informatique et des Libertés – CNIL
8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
Germany splits complaints between different agencies:
Hellenic Data Protection Authority
National Authority for Data Protection and Freedom of Information
Data Protection Commissioner
Garante per la protezione dei dati personali
Data State Inspectorate
State Data Protection
Commission Nationale pour la Protection des Données
Office of the Data Protection Commissioner
The Bureau of the Inspector General for the Protection of Personal Data – GIODO
Comissão Nacional de Protecção de Dados – CNPD
R. de São. Bento, 148-3°
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
The National Supervisory Authority for Personal Data Processing
Office for Personal Data Protection of the Slovak Republic
Agencia de Protección de Datos
The Information Commissioner’s Office
EUROPEAN FREE TRADE AREA (EFTA)
Icelandic Data Protection Agency
Tel. +354 510 9600; Fax +354 510 9606
Data Protection Office
Kirchstrasse 8, P.O. Box 684
Principality of Liechtenstein
Tel. +423 236 6090
The Data Inspectorate
P.O. Box 8177 Dep
Tel. +47 22 39 69 00; Fax +47 22 42 23 50
Data Protection and Information Commissioner of Switzerland
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Tel. +41 58 462 43 95; Fax +41 58 462 99 96
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach