EDPB Guidelines 01/2021 on examples regarding data breach notification
On January 14th 2021, the EDPB issued new guidelines on data breach notification which are subject to a public consultation until March 2nd. These guidelines complement the former Working Party Guidelines 250 on data breach (“WP250”) and Opinion 03/2014 on personal data breach notification.
Eighteen different use-cases, divided into six categories, are listed in these guidelines. The aim is to guide controllers in their decision-making process regarding the risk assessment, the notification of data breaches to the supervisory authority and the communication to data subjects as per Articles 33 and 34 of the GDPR. The guidelines provide useful guidance drawing on the experience gained by each supervisory authority since the GDPR came into force.
For each use-case the EDPB applied the following classification stemming from the previous guidelines:
– Confidentiality breach: where there is an unauthorised or accidental disclosure of personal data;
– Integrity breach: where there is an alteration of the data;
– Availability breach: where there is a loss of access or destruction of personal data.
I. Ransomware
Ransomware is malicious software or code that encrypts personal data. Once the personal data is encrypted, the attacker asks for a ransom in exchange for the release of the data. Ransomware attacks can be classified as availability breaches, but a confidentiality breach may also occur.
With regard to ransomware, two factors will impact the severity of the data breach:
– The existence of a proper and secure backup, which would allow the data controller to retrieve the data, provided that the attacker could not access the stolen data because it had been properly encrypted by the data controller;
– The exfiltration of the personal data, which would mean that the attacker had full access to the data and was able to modify or copy it from the data controller’s server.
Data controllers must implement specific organisational measures in order to prevent ransomware attacks, for example a strong and up-to-date backup procedure, or designing IT infrastructures in which data systems can be isolated to avoid the propagation of the malware. Strong encryption and authentication as well as appropriate password management must also be considered.
The EDPB also advises data controllers to create specific teams (Computer Security Incident Response Team or Computer Emergency Team) to build up the Incident Response Plans and a Business Continuity Plan. These teams may also help to document the breach as per Article 33(5) of the GDPR. Frequent training of the data controller’s employees on IT attacks is likewise considered good practice.
II. Data exfiltration
This type of attack exploits security vulnerabilities of the services offered (through software applications) by the data controller on the internet. These attacks are mainly confidentiality breaches and, unlike ransomware, they aim at copying, exfiltrating and abusing personal data.
To prevent risks from data exfiltration, the data controller must ensure that all its IT systems are constantly updated. IT audits and penetration tests should be run periodically. As per Article 5(2) GDPR, all the updates performed by the data controller must be recorded.
Data exfiltration attacks usually target passwords and authentication mechanisms (e.g. credential stuffing attacks, which consist of enumerating all possible login user IDs with a fixed trivial password). It is highly advisable to use encryption keys and strong authentication methods with an up-to-date password procedure to mitigate the risk.
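The attack pattern described above (one source working through many user IDs with a fixed password) leaves a recognisable trace in authentication logs. The following detection, added here as an illustration and not part of the EDPB guidelines, flags any source whose failed logins touch many distinct user IDs within a short window; the log line format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}

def find_spraying_sources(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted distinct user IDs} for every source whose failed
    logins touch at least `min_users` distinct user IDs inside `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over failures
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

# Constructed sample: one source cycling through user IDs with failures,
# and one ordinary user mistyping a password once before logging in.
SAMPLE_LOG = [
    "2021-01-14T09:00:01 auth FAIL user=alice src=203.0.113.7",
    "2021-01-14T09:00:02 auth FAIL user=bob src=203.0.113.7",
    "2021-01-14T09:00:03 auth FAIL user=carol src=203.0.113.7",
    "2021-01-14T09:00:04 auth FAIL user=dave src=203.0.113.7",
    "2021-01-14T09:00:05 auth FAIL user=erin src=203.0.113.7",
    "2021-01-14T09:00:06 auth OK user=frank src=203.0.113.7",
    "2021-01-14T09:05:00 auth FAIL user=grace src=198.51.100.4",
    "2021-01-14T09:06:00 auth OK user=grace src=198.51.100.4",
]
```

Running `find_spraying_sources(SAMPLE_LOG)` flags only `203.0.113.7`; the single failure from `198.51.100.4` is ordinary user error and is not reported.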
The EDPB highlights that data controllers manipulating financial information or sensitive data (such as banks and insurance companies) have a larger responsibility regarding data security.
III. Internal human risk source
Human action leading to a data breach may be intentional (e.g. a former employee exfiltrates business data – Case No. 8) or unintentional (e.g. accidental transmission of personal data – Case No. 9). Consequently, vulnerabilities and the appropriate measures to be taken may be difficult for data controllers to identify.
– Intentional breach
To prevent intentional breaches by former employees, the data controller must include a user authentication mechanism for employees accessing personal data, so that all unwanted log-ins can be flagged. In addition, if an employee is known to be leaving the company, their access to personal data or business data may be withdrawn to reduce the risk of a breach. The employment contract must also contain provisions that prohibit such behaviour.
Certain functions may also be disabled to prevent the risk of data theft, such as open cloud services, access to open mail services or the print screen function.
– Unintentional breach
To prevent unintentional breaches, the data controller may provide training for its employees on data protection issues, and use dedicated systems to exchange data instead of emails.
Data controllers are also invited to refer to the resolution of the International Conference of Data Protection and Privacy Commissioners for more specific guidance on human errors in data breaches.
IV. Lost or stolen devices and paper documents
– Devices
Loss or theft of devices is a typical type of data breach suffered by data controllers. The risk assessment will depend on whether the data stored on the device is encrypted or not.
If the data is encrypted and the device password-protected, the severity of the breach will be reduced, and it will not be necessary to notify the supervisory authority nor to communicate with data subjects; internal documentation will be sufficient.
On the contrary, the absence of encryption will enhance the risk and increase the severity of the breach. In order to determine whether a communication to data subjects is required, the data controller will need to assess the number of individuals concerned by the breach and whether sensitive data were disclosed.
In a nutshell, the EDPB advises using strong authentication mechanisms (e.g. two-factor authentication, use of a secure VPN), encryption mechanisms (e.g. BitLocker), mobile device management and localisation apps, and implementing proper rules for the usage of devices inside and outside the company.
– Paper documents
With regard to paper documents containing personal data, the security strategy will be different. It is recommended to properly pseudonymise the data and to store documents in safe premises. Proper access control procedures for those premises must be implemented to prevent data breaches.
V. Mispostal
Mispostal consists of an unintentional error in the sending of goods or emails. Such data breaches are difficult for controllers to foresee.
– Snail mail
Organisational measures mainly consist of awareness sessions for employees regarding personal data breaches. In case of a snail mail mistake, giving the wrong recipients the possibility to return the items free of charge and requesting them to delete any copies of the bills containing personal data is considered good practice by the EDPB.
The EDPB reminds that e-mails sent to multiple recipients must by default list all recipients in the ‘bcc’ field, and that extra confirmation is required if recipients are not listed in the ‘bcc’ field. The auto-fill option for email addresses should be disabled as it may be a source of mistakes.
In general, the EDPB advises data controllers to set general standards for the sending of e-mails and postal letters. Training sessions may be organised with the involvement of the data protection officer.
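The ‘bcc by default, confirmation otherwise’ rule described above can be enforced in a sending wrapper rather than left to the individual employee. The following is an added illustration, not code from the EDPB or any mail product: it builds bulk mail with every recipient in Bcc and refuses to send a message that exposes more than one recipient in To or Cc unless the sender has explicitly confirmed; addresses and message contents are constructed sample data.

```python
from email.message import EmailMessage

class ConfirmationRequired(Exception):
    """Raised when recipients would see each other and nobody confirmed."""

def make_message(sender, to=(), cc=(), bcc=(), subject="Notice", body=""):
    """Build a message from recipient lists (constructed sample inputs)."""
    msg = EmailMessage()
    msg["From"] = sender
    for header, addrs in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        if addrs:
            msg[header] = ", ".join(addrs)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def visible_recipients(msg):
    """Addresses every other recipient can see (To and Cc, never Bcc)."""
    addrs = []
    for header in ("To", "Cc"):
        value = msg.get(header, "")
        addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs

def check_send_policy(msg, confirmed=False):
    """Return True when the message may be sent. More than one visible
    recipient is only allowed after an explicit confirmation."""
    visible = visible_recipients(msg)
    if len(visible) > 1 and not confirmed:
        raise ConfirmationRequired(
            f"{len(visible)} recipients would see each other: {visible}")
    return True

def build_bulk_message(sender, recipients, subject, body):
    """Default for mass mail: sender in To, every recipient in Bcc."""
    return make_message(sender, to=[sender], bcc=recipients,
                        subject=subject, body=body)

# Constructed sample data.
CUSTOMERS = ["a@example.org", "b@example.org", "c@example.org"]

if __name__ == "__main__":
    ok = build_bulk_message("billing@example.com", CUSTOMERS, "Invoice", "...")
    print("bulk message exposes:", visible_recipients(ok))  # only the sender
    leaky = make_message("billing@example.com", to=CUSTOMERS, subject="Invoice")
    try:
        check_send_policy(leaky)
    except ConfirmationRequired as err:
        print("blocked:", err)
```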
VI. Other cases
Identity theft and e-mail exfiltration are other examples of data breaches that data controllers may have to handle.
– Identity theft
Both a notification to the supervisory authority and a communication to the data subject are needed. To prevent identity theft, data controllers must implement high-standard authentication methods to ensure the correct identification of the user (e.g. adding extra questions requiring information known only to the user, or sending a confirmation request). The data controller must identify the appropriate identification measures with respect to its activities.
– Email exfiltration
If the breach could lead to both material damage (e.g. financial loss) and non-material damage (e.g. identity theft or fraud), it would likely result in a high risk to the rights and freedoms of data subjects. In such a case, notification to the supervisory authority and communication to data subjects are mandatory. Data controllers must organise the updates of their IT systems as well as regular audits in order to identify vulnerabilities before they could lead to severe data breaches.