How to behave in case of data breach?

First of all, don't panic and always make sure you have your towel with you.

It finally happened. There was a flaw in your system and someone took advantage of it to carry out what, in jargon, is called a data breach: a personal data breach. Don't worry, it's not an unusual phenomenon. The luckiest run into this eventuality less than once a year, but in a world that evolves as fast as the internet it can become much more frequent. While you try not to panic, we encourage you to stick to the rule of thumb: to handle a breach, follow the indications of the European Regulation 16/679 (GDPR), which sets out what to do if a data breach occurs.

What is a data breach?

Personal data breaches are of 6 types, and each of these can be deliberate or accidental depending on why it occurred:

  • Unauthorized access. Someone who should not have had access to certain information obtained it anyway. If it was a mistake, you may have sent an important document to one person instead of another. It was an accident, but it is still a data breach. If, however, someone deliberately gained unauthorized access to another person's data, the event can amount to espionage.
  • Unauthorized copy. Someone took data that did not belong to them and copied it for themselves. This could be an accident if a co-worker prints a document he should not have in order to better compile a work document. Deliberate copying for less clear objectives could be theft.
  • Unexpected disclosure. Someone accidentally publishes data that should not be online for any reason. For example, a photo of an important customer is posted on the company's Facebook profile. When done deliberately, this operation is called dissemination.
  • Unauthorized modification. Someone changed data even though they were not allowed to. If it happened by mistake, it is still a breach. Otherwise it could be tampering by a hacker or an attacker.
  • Loss of access. Someone loses information and it is no longer available. Forgetting your computer password is a breach, did you know that? When it is done on purpose, it becomes encryption.
  • Data deletion. Someone deletes sensitive data. If this happened by mistake, it is a breach. If the deletion is deliberate, it constitutes data destruction.

Violation of personal data: how to behave?

Please refer to Articles 33 and 34 of the GDPR. These two articles of the European regulation set out the procedures to be followed in the event of a data breach. Article 33 concerns the internal management of the company and its relations with the Guarantor (the supervisory authority), while Article 34 concerns the management of data subjects, the people whose personal data we hold.

It is essential to specify that the data breach must always be recorded and, where required, notified to the Guarantor as stated in Article 33. That article also says that in the event of a breach, the data controller must notify the supervisory authority within 72 hours of becoming aware of it, especially if the breach presents a risk to the rights and freedoms of natural persons. The data processors (payroll firm, accountant, systems analysts…) must notify the data controller.

If you decide to notify the Guarantor, the notification must include: the nature of the breach, the number of people involved, the contact details of the data protection officer, the likely consequences of the breach and any measures taken or to be taken.

In any case, the company has an obligation to communicate everything that happens, regardless of whether the breaches are unintentional or willful, and to assume responsibility for it (accountability).

The responsibility?

The company must be responsible, competent and aware of what is happening in its environments and systems. It must demonstrate its ability to resolve the problem proactively and show that it has the tools to contain the consequences of the data breach. This is done by providing evidence and data, and by giving the Guarantor the assurance that what happened will not happen again. A lack of "accountability" incurs a fine.

What are the violations to be communicated to the Guarantor?

Only deliberate breaches, and not accidental ones, are communicated to the Guarantor. The data controller must decide whether or not to notify, in the logic of accountability, based on whether the data breach can cause damage to the rights and freedoms of individuals. ENISA (the European Union Agency for Cybersecurity) has created a methodology for calculating the risk to the freedoms of individuals in the event of a breach. This methodology can also be applied within the company.

How do you know if there has been a violation?

A breach must be understood before it can truly be detected. This is feasible only if there is adequate training in the company to estimate the risk and understand the potential damage. In a nutshell, you don't need an engineer who comes in for two months to estimate the possible damage of a lost flash drive: you need a training course that helps the available personnel understand the extent of the damage without adding to already significant management costs. Simply put, staff must be trained in what a breach entails and in communicating the procedure to data subjects in a timely manner.

Article 34 tells us that the data controller need not communicate the breach to the data subject when:

  • Adequate technical and organizational measures were already in place, provided the Guarantor is notified and accountability is demonstrated.
  • It has adopted measures that remove the high risk arising from the data breach.
  • Disclosure would require disproportionate effort; in this case, a public communication must be made instead.

Data breaches happen. But how do you think you can handle it?