At the EU level, one may easily identify several general and sector-specific laws which lay down the key principles of data security and impose requirements on businesses engaged in data-driven or data-related activities. One such generic piece of EU-wide legislation is the GDPR, which introduces a universal personal data protection framework within the EU.
Cyber incident vs. personal data security breach
Notably, the very concept of what constitutes a personal data breach is rather broad and unfamiliar to many businesses. The GDPR introduces a somewhat technical definition of a “personal data breach”, naming three key attributes of an accidental or unlawful security compromise: (a) destruction, loss, or alteration of; (b) unauthorised disclosure of; or (c) unauthorised access to, personal data. This definition implies that a security breach qualifies as a “personal data breach” if it damages or impairs the confidentiality, availability, or integrity of personal data. Thus, the loss of a USB stick, an e-mail sent to the wrong recipients, or the accidental deletion of files may all qualify as a “personal data breach”, even if they are not systematic in nature and are unrelated to the cyber risks of the information system as such.
Importantly, a cybersecurity incident is a much broader category. A cyber incident is usually understood as a breach of an information system's security policy that affects its integrity or availability, and/or unauthorised access or attempted access to the information system in question. Thus, not every cyber incident is a “personal data breach” and, vice versa, not every “personal data breach” stems from an information-system incident, as the examples above show. Nevertheless, as practice demonstrates, in most cases cyber incidents do lead to “personal data breaches” in terms of the GDPR.
What are the obligations in the case of a data breach?
Among other things, the GDPR imposes a general obligation on everyone processing personal data to (a) record all data breaches internally, (b) in some cases notify the supervisory authority of the data breach (within 72 hours of becoming aware of it!), and (c) in some cases even notify the natural persons concerned. Importantly, the GDPR contains no detailed requirements on how exactly data incidents should be managed and, even more importantly, it imposes no liability for merely suffering a data breach. GDPR-driven liability for a business may only arise where a data breach is handled in a negligent, inappropriate, or concealed manner, or where the breach is indeed caused by a lack of security measures on the company's part.
Based on our experience, we bring you seven key lessons from data breaches in the Baltics which we believe to be useful for companies at various levels of preparedness:
- Awareness among personnel is key for responding to any type of data breach. Experience shows that consistent education and training of teams is vital for preventing, detecting, and responding to any data incident. If people do not know what to look out for, how can you expect them to avoid and report incidents?
- A detailed overview of your processing activities (including a comprehensive data flow map, up-to-date records of processing activities, an IT systems register, and recorded data processor contracts) is crucially important for identifying where the leak occurred and which vulnerabilities were involved. Remember—you only have 72 hours to decide whether or not to report the breach. That includes non-working hours (hope you do not become aware of it on a Friday!), and you might have to gather a lot of information before deciding to notify. A decision to notify might require board-level approval, and it may take some time for information about the breach to be escalated to the board, so the board might only have a few hours to decide and approve the notice. You will never make it if you only start mapping your data flows and IT systems at that point.
- Alignment and collaboration between the IT, PR, and legal teams are crucial for timely and effective management of the incident. Experience shows that valuable time may be wasted on internal discussions and on aligning topics, messages, and tasks across these roles and functions.
- Make sure that the data protection officer or legal professional helping you with the data breach has a track record in managing data breaches, from evaluating the incident to notifying the supervisory authority and data subjects and, ideally, handling an investigation by the supervisory authority and the accompanying media coverage. While this may incur extra costs, it may help you avoid even more costly mistakes.
- Transparency in communication with the supervisory authority and individuals is crucial for both short-term and long-term data breach responses.
- Automated tools enabling automated incident management will save time and help to avoid scrambling amid the wider crisis management.
- And last but not least—print out your data protection documents (yes, on hard paper!). A data breach management policy is useless if it has been encrypted by ransomware and is not available during the notification period.
The keywords for all the above lessons are “awareness and preparedness”.
First and foremost, clear obligations exist under the GDPR, as specified above. Failure to duly record and notify data breaches can result in a fine under the GDPR. Second, recording and notifying data breaches helps the company strengthen its data security practices. Third, proper detection, recording, and notification of data breaches have become increasingly topical in legal due diligence processes conducted in the context of mergers and acquisitions, where data protection compliance is an essential topic.
Many companies are still reluctant to notify data breaches to a supervisory authority because they believe it will immediately result in negative consequences. The truth is that supervisory proceedings are initiated only in some cases and, even then, they often do not end in a fine. Not notifying, on the other hand, will most likely result in a fine under the GDPR.
The table below shows aggregated data about data breaches and their governance in the Baltics in 2020.