As the dark, creeping realisation dawns that a personal data breach may have occurred, staff who think something has gone wrong are faced with an urgent and important decision – should they tell a colleague/manager/data protection officer what they have discovered? Assuming they’ve received relevant training and are aware of the organisation’s data breach incident process they should immediately tell the nominated people, in line with the organisation’s data policies.
The organisation then needs to act swiftly to ascertain the facts and confirm whether a personal data breach has actually occurred or not. Once this is established and the organisation is ‘aware’ of a personal data breach, the clock starts to tick and it only has 72-hours in which to notify their Supervisory Authority (e.g. the UK’s Information Commissioner’s Office), unless it determines that the breach is unlikely to represent a risk to the rights and freedoms of individuals. Being prepared and having a plan will prove invaluable – Personal Data Breaches: Prevention and Plan
What is a personal data breach?
The GDPR defines a personal data breach as, ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ (Article 4.12)
The ICO Guidance on Personal Data Breaches provides the following examples of personal data breaches:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Broadly speaking whenever personal data is lost, destroyed, corrupted or disclosed this will be a personal data breach.
Is the personal data breach notifiable to a Supervisory Authority?
Not every personal data breach needs to be reported to the ICO (or to another Supervisory Authority). If after assessing the incident, the view is that a risk to people’s rights and freedoms is unlikely, then it doesn’t need to be notified. If the breach does present a risk, then it should be notified.
There is no one size fits all answer to the risk assessment question. Each breach will need to be considered on a case by case basis, taking into account all the relevant factors. The consequences of a data breach may include emotional distress and/or physical and material damage. Some may only cause inconvenience for the data subject, while others could have a significant detrimental effect on the individual(s) whose personal data has been compromised.
Assessing the severity of the risk
It’s useful to reference the European guidelines – the Article 29 Working Party Guidelines on Notification of a Personal Data Breach (WP29). In particular, Section IV provides helpful pointers on how to assess ‘risk’ and ‘high risk’.
In essence, a risk exists when a breach may lead to physical, material or non-material damage for those whose personal data has been breached. Examples of such damage are:
- identity theft or fraud
- financial loss
- reputational damage
When it comes to a breach of special category data, the decision to notify or not is more clear cut. The WP29 determines that:
When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions, such damage should be considered likely to occur.
The Guidelines say any evaluation of the risk to the individual’s rights and freedoms must be objective and take into account both the likelihood and severity. It’s recommended the following is taken into account:
- The type of breach – A breach in which medical records are disclosed to an unauthorised party would have different consequences to where medical records may have been lost and are no longer available.
- The nature, sensitivity, and volume of personal data – Normally the rule of thumb is that the more sensitive the data that has been breached the higher the risk of harm. A combination of personal data will normally represent more of a risk than a single piece of personal data. Even if the disclosure of a name and address may seem fairly unlikely to pose a risk, it can very much depend on the context. Individuals may have reasons for wishing this to be kept secure, for example not wishing an estranged partner to know this. A small amount of highly sensitive data may have more severe consequences than a large volume of non-sensitive data.
- Ease of identification – How easy would it be from the data breached for someone who has access to the compromised data to identify specific individuals? This may be judged to be extremely difficult or could be more straight-forward to do.
- Severity of consequences – A breach of special category data could result in damage that is severe. Organisations need to assess whether the personal data breached could result in identity theft, physical harm, psychological distress, humiliation and so on. Where personal data is in the hands of people whose intentions are unknown or potentially malicious, this is likely to represent a greater risk than where an organisation has sent personal data accidentally to another known recipient. In such circumstances a trusted recipient who returns or securely destroys the data, could mitigate the risk. This doesn’t mean a breach hasn’t occurred, but may reduce or remove the likelihood of a risk to individuals.
- Special characteristics of the individual – Particular consideration should be given where a breach may impact on children or other vulnerable individuals.
- Special characteristics of the data controller – The WP29 guidelines provide an example here of the difference between a medical organisation processing special category data as opposed to a mailing list of a newspaper.
- The number of affected individuals – In general, the more people affected by the breach, the bigger the impact a breach could have. However, a breach affecting a small number of individuals could have a severe impact on those affected, and a larger breach could have a less severe impact but on more people.
An organisation needs to consider a combination of the severity of the potential impact and the likelihood of these impacts occurring. Annex B of the WP29 guidelines provides some useful examples of types of breaches and whether notification would be required or not.
You should ensure you have appropriate methodology in place for evaluating the risk and document your considerations in every case, as evidence of your assessment and justification for your decision to notify or not.
It’s clear GDPR has led to an over-cautious approach and a degree of over-reporting. This was revealed by the ICO in its report – GDPR – one year on. Almost 82% of all breaches reported in the year to May 2019 required no further action to be taken by the organisation. This seems to indicate two things;
- the assessment of risk to the individuals’ rights and freedoms presents a judgement challenge for many organisations
- the organisations may have run out of time in their investigations. Consequently, erred on the side of caution by notifying the ICO that a suspected data breach has occurred and investigations were underway.
How much time do we have to report a breach?
The GDPR states that an organisation must report a notifiable breach to a Supervisory Authority (e.g. the ICO) without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Section II of the WP29 Guidelines gives more details of when a controller can be considered to have become aware of a personal data breach. It states;
WP29 considers that a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. This will depend on the circumstances of the specific breach. In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time to establish if personal data have been compromised. However, the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required.
The challenge many organisations have are often akin to completing a 5,000-piece jigsaw puzzle; collating snippets of information that may be initially disjointed and from different sources isn’t easy. Trying to piece together a timeline of what happened when takes up a considerable amount of time and resource and quickly eats into the 72-hour window.
The practical efforts to bring the timeline of the incident together may delay the escalation to the DPO and make the potential notification window even narrower.
The best prepared organisations appoint individuals as members of a data breach incident team and name these people in their Personal Data Breach Incident Plan. This facilitates rapid mobilisation of the response team made up of individuals from around the business who know, in advance, what their responsibilities are if and when a personal data breach occurs. This gives the organisation the best chance of building the timeline and, when appropriate, notifying the supervisory authority within the deadline.
How to notify a breach
Once you have decided a personal data breach is notifiable, you have 72 hours to notify the ICO (or relevant Supervisory Authority). For the ICO, you can contact them by phone on their helpline number 0303 123 1113 or download and complete the data breach notification form which you then email to firstname.lastname@example.org with “Personal Data Breach Notification” in the subject line. Alternatively, you can post a copy of the form to the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF but remember that the time for postage will need to come out of the 72 hours.
When completing the form you need to include details of what went wrong and why, when it happened, when you discovered it (date and time), how you discovered it. Precise details of the type of personal data breached, how many records are affected and how many data subjects are affected are also required. You should specify the categories of individuals affected, for example, customers, employees, patients. You also need to include your assessment of the potential impact on and consequences for the individual data subjects and what mitigating actions you have taken already and plan to take.
The ICO need to know whether you have advised or plan to advise the data subjects that their data has been compromised and also whether you plan to or have advised other organisations about the breach, such as the police or other regulatory bodies. (There is an option on the form to indicate if you have yet to make a decision on this).
One of the questions the ICO ask is whether the members of staff involved in the incident have been trained on data protection within the last two years, so it’s really important to keep your training up to date and maintain thorough records of which members of staff received their training and when.
Controllers must prioritise the investigation, give it adequate resources, and expedite it urgently. The ICO are happy for you to complete and send an initial report before your investigations are fully completed which often happens when an organisation comes up against the 72 hour deadline. This phased reporting is allowed for under Article 33(4) as long as this is done without undue further delay. The ICO says; “You may also want to report a breach online if you are still investigating and will be able to provide more information at a later date.”
You must include the name and contact details of you Data Protection Officer (if your organisation has one) or other contact point where more information can be obtained if the ICO need to get in touch.
Upon receipt of the form, the ICO will send an email in acknowledgement and may assign a case number, although this is not always assigned immediately. It’s important when sending on a follow-up report that you reply to the email they send you and keep the subject of the email consistent so that the ICO can tie in with the initial report.
Informing affected individuals
It may also be necessary to notify any individuals affected, ‘without undue delay’ if the breach is considered likely to result in a high risk of adversely affecting their rights and freedoms.
If you have deemed the risk to be “high” you must tell the individuals affected about the breach without delay. When informing them you should tell them about any steps you are taking to mitigate the effects of the breach and provide them with advice on what to do to protect themselves. This must be provided in clear easy to understand language. It can save valuable time if you have already considered this in advance, have pre-prepared communications which can be adapted to the circumstances of the specific breach. Including a communications plan as part of your incident plan is advisable.
However, even though you may have decided that the incident is notifiable, you may assess that there is not a high risk to individuals’ rights and freedoms. An example could be that the personal data is already in the public domain or, in isolation, may not be likely to present a high risk to their rights and freedoms. In such a scenario there may not be a requirement to inform the individuals themselves. Again, your thinking would need to be fully documented as to how you arrived at that decision.
Some reflections on data breach experiences……
The maelstrom of a personal data breach can be a scary and lonely scenario. Below are some quotes from business leaders, academics and employees which may resonate!
“There was this absolutely horrible moment where I realized there was absolutely nothing at all that I could do.”
– Amy Pascal, Former CEO of Sony Pictures
“One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.” – Arnold H. Glasow, Author & Businessman
“Once we escalate to management, there will be no day, no night.” – Mr Ernest Tan Choon Kiat, during the biggest breach in Singapore’s history in Aug 2018
“Teams that say their cyber-security is really good are the ones to worry about. After our breach, the most difficult issue was deciding when it was safe enough to come back online. I learned that really smart engineers can talk English, under extreme pressure.” – Dame Dido Harding, former CEO of TalkTalk, presenting on 4th June 2018
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” – Stéphane Nappo, Global Chief Information Security Officer, Société Générale International Banking
And finally, at what cost….?
Whilst the focus in a post GDPR world may be on the eye watering potential fines, they represent just one cost in a long list that an organisation may incur, both financial and non-financial, following a personal data breach.
Initially there will be the cost of setting up breach response efforts, investigating the incident and taking steps to avoid a similar scenario. All extremely important but resource hungry activities. Then there could be the cost of compensating the individuals affected and with the advent of class actions in this area, this could be extremely costly for the organisation.
Reputational damage leading to loss of customer trust and potentially loss of existing and future customers could result in reduced market share and this is likely to be the largest and most enduring price an organisation pays, compounded by a falling share price where the company is publicly listed.
In terms of scale, in its 2019 Cost of a Data Breach Study, the Ponemon Institute estimated the cost for a data breach could be anywhere between $1.25 million and 8.19 million depending on country and industry.
With all this in mind, the importance of an organisation taking a layered and multi-faceted approach to data breach “defence” cannot be underestimated. Some may be technical security measures but the importance of the organisational measures (such as regular staff training and awareness) and developing your data breach handling procedures are equally important and should not be overlooked.
Whist it would be impossible for an organisation to fully mitigate all of the areas of risk, building sound data governance and security practices into its culture will certainly help to strengthen its defences. Any organisation processing individuals’ personal data needs to equip its people with the appropriate level of awareness and understanding so they are fully prepared to take swift action if the worst does happen.
Debbie McElhill, October 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.