The EDPB's Guidelines for Handling Data Breaches

The European Data Protection Board (EDPB) issues guidance on data protection for companies operating in Europe.

Because Europe has especially protective data security laws like the General Data Protection Regulation (GDPR), it can be intimidating for smaller businesses or businesses expanding into Europe to begin European operations. That's why the EDPB releases guidelines for key subjects on data protection, such as data breaches.

Even still, that guidance can be dense, hard to find, and full of technical jargon unfamiliar to many readers.

It's important to make sure you understand the guidelines before a data breach occurs so that you can be sure to respond appropriately in a timely manner. With proper preparation, a data breach doesn't need to create long-term regulatory issues for your business.

This article will break down the guidelines and requirements for handling data breaches.

Definition of Personal Data Breach

To understand when and how to respond to a data breach, you need to be able to respond to what the GDPR defines as a personal data breach. Article 4(12) says, "'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed," which leaves a lot to unpack.

First, you should note that a breach isn't just when hackers access data without your permission. It also includes situations where personal data is destroyed, lost, or changed. You should also know that this applies not only to personal data your site stores, as you might expect but also to data you transmit to process.

Within this definition, there are three different types of personal data breaches:

• Confidentiality breaches - Includes unauthorized or accidental access to personal data
• Integrity breaches - Where the data is altered, either by an unauthorized user or by accident
• Availability breaches - Is in some ways the opposite of an integrity breach because it is the loss of access to personal data

General Requirements for Handling a Data Breach

A data holder that identifies a data breach must record the nature of the breach and the subsequent actions they took to remediate it. That record is useful to the data holder as a source of information on potential future breaches and to the competent national supervisory authority (SA) that may need to review the breach as well.

Whether an SA needs to review the breach is determined by the breach's risk level. If a breach is unlikely to result in a risk to the rights and freedoms of individuals, the data holder is not required to notify anyone of the breach.

On the other hand, breaches that are likely to do so should be brought to the attention of an SA within 72 hours of the data holder discovering the breach.

High-risk breaches require the data holder to inform the data subject (such as the user) of the breach.

The EDPB gives the following as factors to consider in assessing the risk level of an individual breach:

• Type of breach
• Nature, sensitivity, and volume of personal data
• Ease of identification of individual data subjects
• Severity of consequences for individual data subjects
• Number of individuals affected

These factors can be combined in different ways to reach different risk levels.

For example, if a breach affected very few people but was the result of a malicious attack that uncovered highly sensitive data on the subjects, it could be highly risky to those subjects' rights and freedoms.

On the other hand, an availability breach that briefly locks a high volume of users out of accessing some personal data could be a lower-risk breach.

If a breach does meet the risk level of requiring you to inform an SA or data subjects, it's important that you provide all the necessary information. If you are informing an SA, include information about the nature of the breach, the relevant point of contact in your organization, the likely consequences of the breach, and the measures taken to address the breach and reduce its negative impacts.

If you are informing data subjects, the information you include should be similar. You should describe the breach itself, the point of contact they can reach out to for more information, the likely impacts of the breach, and what you have done to address the breach and mitigate the harm to the data subjects.

Data Breach Causes and Responses

The EDPB gives different guidance on how to respond to data breaches originating from different causes. The cause of the breach could determine the risks to the users whose data was exposed, and that could drastically change how the site owner should respond.

The EDPB gives guidance for how to respond to data breaches with six distinct causes:

• Ransomware
• Data exfiltration attacks
• Internal human risk sources
• Lost or Stolen Devices and Paper Documents
• Mispostal
• Social Engineering

Ransomware

A ransomware attack encrypts personal data so that neither users nor the data controller can access it. The attacker then asks for a "ransom" in exchange for decrypting the data to re-allow access. An example of this is the WannaCry ransomware attack that affected over 200,000 computers in 2017.

In the case that backup of the data is available, EDPB advises that data controllers should reset all systems free of malicious code, repair vulnerabilities, and then restore the data with backups. This should be completed within 72 hours, as mandated by the GDPR. However, in some cases, 72 hours may not be fast enough. The EDPB notes that in cases with high risk levels, a faster recovery time may be necessary.

However, this course of action is only possible with backups. If there are no backups and no other simple way to restore the data (e.g., paper copies or email records with the relevant information), then it may be necessary to collect the data again.

Depending on this, it may take longer to restore the data, which could heighten the level of risk to users and necessitate informing the SA.

Data Exfiltration Attacks

A data exfiltration attack exploits a vulnerability in the data controller by using an injection attack like an SQL injection to access personal data. These are usually confidentiality and integrity breaches aimed at copying and using the data for malicious means.

Once the data controller discovers that a data exfiltration attack has occurred, they should evaluate the nature of the attack and the data that was accessed, and then remediate the threat as soon as possible. When that is done, they can remedy the vulnerability that originally allowed the attack to be successful.

At this point, the data controller should be able to evaluate the risk that the attack brought to users and respond accordingly. Fortunately, this type of attack is preventable with regular IT audits and testing, so it is preventable as long as the data controller follows proper data security measures.

Internal Human Risk Source

Data breaches caused by human risk sources are hard to prevent and complicated to resolve. These can range in form and impact, from an employee using client data to attract current customers to a different business, to accidentally allowing unauthorized employees to briefly see confidential information.

If the breach is caused by intentional, malicious actions of internal personnel, it may be necessary for the data controller to take legal action against the risk source. If the data was sent to an outside party, it could be a high-risk situation that requires swift action and notification of the data subjects.

An accidental breach is often a lower-risk situation. The cause of the breach can be repaired by reassigning security permissions or doing whatever is needed to prevent it from occurring again. As long as the data was not transmitted to a third party, the risk can be contained to a low level.

Lost or Stolen Devices and Paper Documents

Lost or stolen devices and documents can be difficult to diagnose and repair accurately. They can range from a temporarily misplaced notepad to the intentional theft of a mobile device with user data.

If the missing device or document has no backup, repairing the data breach may need to include collecting the data again.

If a device goes missing, the data controller should consider how the device is secured. With a strong password and remote security software, the data on the device can be rendered inaccessible except by authorized parties, and the potential theft would be low risk. Proper backups can make repairing this type of situation simple as well.

However, hard copies of documents can be more difficult to secure and replace. Installing controls on physical access to confidential documents and protocols on document handling are some of the very few ways to prevent this type of breach.

In the event that highly sensitive documents go missing, data controllers should quickly assess whether they were lost or stolen and remediate the breach by pursuing the thief or locating the document as quickly as possible, informing the SA or data subjects if necessary.

Mispostal

A mispostal is a data breach that results from incorrectly sending something via mail or email. This can either mean sending something in the mail that should never have been sent, or sending something to the wrong recipient. It's difficult to recover a physical document or object that's been mailed incorrectly, so it's especially important to put in place good preventive procedures for mispostals.

If an accidental breach causes personal data to be sent to an unauthorized recipient, the data controller should quickly assess the potential risk and request that the recipient return and/or destroy the information they received.

If the data controller believes that the timely return or destruction of the information is unlikely, they should inform the data subject as soon as possible. This could constitute a high-risk situation.

Data holders can never completely stop this type of breach as long as they use physical mail. However, they can take certain measures to reduce the likelihood of mispostal errors. For example, data holders may want to institute a four-eyes policy for verifying recipient information on mail containing personal data.

Social Engineering

Social engineering can create data breaches that are difficult to identify and especially dangerous. It's the practice of deceiving people into giving away information or access to personal data. With social engineering, malicious actors may gain almost unlimited access to highly sensitive data.

For example, an individual could impersonate someone with access to client data, such as an executive or a current client. They could use the access from that stolen identity to obtain further information from the company's own staff. Because these cases necessarily involve a malicious actor accessing the data they're looking for, they are almost always high-risk situations.

To remediate a social engineering breach, an organization should review how they verify the identities of people receiving access to personal data. Many social engineering attempts are thwarted by proper identity verification, including multi-factor authentication. The specific course of action should be chosen after a review of the breach.

Summary

Personal data breaches can be difficult situations to deal with, and part of that difficulty is understanding the GDPR requirements around how to respond to a breach.

In general, there are three cases to be aware of:

• Low-risk breaches, which should be remediated as soon as possible but do not require data holders to notify outside parties
• Breaches likely to pose a risk to individuals' rights and freedoms, which require data holders to notify a competent national supervisory authority
• High-risk breaches, which require data holders to notify the affected data subjects about the breach