On January 18, 2021, the European Data Protection Board (EDPB), made up of the national supervisory authorities (SAs) of the European Union, published draft guidelines on personal data breach notification (the Guidelines).
The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notification rules. Specifically, they describe six common types of personal data breach (ransomware, data exfiltration attacks, internal human risk, lost or stolen devices and paper documents, misposted data, and social engineering attacks) and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations' notification and remediation obligations.
The GDPR requires controllers to notify a personal data breach to the relevant SA, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk, controllers must also notify the affected individuals, subject to a few exceptions. The Guidelines aim to give practical recommendations on how to assess the risk resulting from a breach.
See our previous blog post in which we discussed the focus of SAs on data breaches and their expectations regarding data security and data breach management practices.
The Guidelines reflect the shared experiences of SAs since the GDPR became applicable. We set out below the key takeaways.
- Notify the SA without undue delay. The EDPB notes that in high-risk cases, waiting until the end of the 72-hour window provided by the GDPR may be unsatisfactory; the operative standard is notification "without undue delay," and high-risk cases may require notification well before the 72 hours expire.
- Notify data subjects as a best practice in certain non-high-risk cases. Although not every breach triggers the obligation to notify individuals, the EDPB notes that notifying them is advisable or necessary for certain types of breach. For example, a former employee may have copied customer contact details obtained during his employment and intend to solicit business from those contacts. In that case, the EDPB recommends proactively informing the customers of the leak rather than letting them discover it through the former employee's solicitations. Similarly, a breach arising from bills sent to the wrong recipients requires contacting those recipients, because their cooperation (returning or destroying the documents) is necessary to mitigate the risk.
- Context is critical, even when the breach involves sensitive data. The EDPB notes that a breach involving sensitive data does not automatically trigger an obligation to notify individuals. To decide whether to notify, organizations should assess the risks and impacts of the breach (e.g., the potential for detrimental use of the data, or what the data implies about the person). According to the EDPB, a breach involving a list of individuals' food preferences may not require notifying them if the risk of detrimental use is low, even though such data can reveal health information.
- Risk assessments should not wait for forensic reports. Controllers should assess the risk resulting from a breach as soon as they become aware of it. The EDPB stresses that controllers should not postpone the assessment until a detailed forensic report is available; the assessment can be refined as the investigation progresses.
- Preventative and mitigating measures. For each type of breach, the Guidelines recommend preventative and mitigating measures. The EDPB stresses, for instance, the importance of up-to-date training and awareness programs, data access policies, and appropriate security measures such as encryption and regular backups. It also expects organizations to have a process that allocates responsibilities for handling breaches. Organizations should consider reviewing their data security procedures against these recommended measures.
Specific Guidance—Case Studies
The Guidelines include 18 case studies illustrating what the EDPB considers an appropriate risk assessment, and the resulting notification obligations, for each of the six main categories of breach. We set out below the main takeaways per type of breach.
- Ransomware. When assessing the risk resulting from a ransomware attack, an organization should consider in particular whether it can quickly restore the data from backups (which presupposes that the backups themselves were not encrypted or deleted in the attack). In one case study, a ransomware attack on a hospital made patient data unavailable for several days; the Guidelines treat this as "high risk," triggering the obligation to notify both the SA and the affected individuals. The EDPB also emphasizes encrypting stored data so that it cannot be read by the attacker if it is exfiltrated, which limits the breach to one of availability rather than confidentiality.
- Data exfiltration attack. Factors in assessing the risk of a data exfiltration attack include whether the attackers could modify the data in the system, whether the organization can recover the data, and whether the type or source of the data implies negative impacts on individuals. The EDPB describes an exfiltration attack on an employment agency that leaked personal data submitted through online job application forms. The breach had to be notified to the SA and the affected individuals, as the data could be misused in many ways, including identity theft.
- Internal human risk source. The EDPB notes that intentional or unintentional breaches by staff are common, and that the resulting risk may be low if the breach is unintentional and can be effectively remediated. However, a controller should not assume the risk is low when it has no assurance that the affected data will not be abused (e.g., where an employee leaving to start his own business deliberately copies the company's CRM data for his own use). Access policies and technical access controls for employees help protect against such breaches.
- Lost or stolen devices. According to the EDPB, the loss or theft of a device holding unencrypted personal data will typically need to be notified to the SA and the affected individuals, particularly if sensitive data is involved. If the controller can remotely wipe a lost or stolen device, the risk is lower and notification may not be required; in practice this means the wipe must actually be confirmed, which requires the device to come online before the data is accessed. For mobile devices such as tablets and laptops, the EDPB recommends functionality that allows them to be located if lost or misplaced, together with encryption and mobile device management (MDM) software. Controllers should also have policies governing device use inside and outside the company. The EDPB further recommends that personal data not be stored on mobile devices at all, but rather on a back-end server.
- Misposting. Sending personal data to the wrong recipient is another common type of breach. The EDPB states that organizations may need to notify such breaches to the SA and to individuals. However, if only a few individuals are affected and minimal non-sensitive data is inadvertently disclosed, it will typically suffice to ask the recipients to delete or destroy the information they received. Recommended preventative measures include data protection training for staff, introducing a delay before messages are sent, and disabling autocomplete when typing email addresses.
- Social engineering. Social engineering attacks involve malicious actors fraudulently obtaining access to personal data through identity theft or impersonation. Organizations can protect against such attacks with measures such as robust customer authentication that does not rely on static, non-secret information (for example, a postal address). A sound incident detection capability helps to detect an attack and contain the breach quickly.
Conclusion and Next Steps
The Guidelines provide general guidance and concrete recommendations in the form of 18 case studies. They are a welcome addition to the more theoretical data breach notification guidelines issued in 2018 by the EDPB's predecessor, the Article 29 Working Party. Organizations should consider reviewing the Guidelines to assess their exposure to the types of breach listed and to compare their preventative measures with those proposed by the EDPB. The Guidelines are open for public consultation until March 2, 2021, and organizations can submit feedback to the EDPB during that period.
Compliments of Wilson Sonsini – a member of the EACCNY.