The top 8 issues all CIOs, CSOs and CPOs should know about how to notify data breaches in Europe

All privacy professionals know that the European Union is about to introduce an obligation to notify personal data breaches that applies to all data controllers, i.e. essentially to any private company or public authority that determines the purposes and means of the processing of personal data. In the U.S., the discussion over what should trigger such an obligation gained momentum in 2003 in California and rapidly spread to almost all the States. The European Parliament and the Council already introduced such an obligation to report in November 2009, when Directive 2009/136/EC amended the Directive on privacy and electronic communications (2002/58/EC); that obligation (discussed in earlier posts in this blog) applies to telecommunications companies and Internet service providers. The obligation was then extended to all controllers in the 2012 draft of the General Data Protection Regulation (“the Regulation”), in the version voted upon by the European Parliament in its plenary session of March 12, 2014.

The importance of this obligation cannot possibly be overstated if one considers the numerous losses of user accounts, credit card details and other personal data that have occurred since 2012, not only in privately held corporations but also in state-owned organizations.

This article seeks to provide readers with a short summary of the factual scope of the obligation to report under the forthcoming EU regulatory regime and, if the worst comes to the worst, suggests a non-comprehensive list of do’s and don’ts to avoid the imposition of a fine. (Article numbers refer to the latest draft of the Regulation.)

Keyboard and shadow – Data theft. © Colourbox (http://www.colourbox.com).

1. Who must report?

Although some CIOs, CSOs and CPOs may still assume that they are not affected by the new rules, Article 2 para. (2) of the Regulation leaves no doubt that the obligation to report applies not only to European companies that process customer data but also to any company that processes personal data while offering goods or services to data subjects in the EU. Even if the processing of personal data serves only the purpose of monitoring a data subject’s behavior, non-compliance with this obligation can have grave consequences for any company that targets consumers in the European Union, irrespective of the company’s place of incorporation. Since monitoring a data subject’s behavior is sufficient to trigger the obligation to report, one should not overlook the irony that intelligence agencies are covered by Article 31 of the Regulation as well: if the likes of Mr. Snowden were to disclose confidential data to the public, the agency would be obliged to report the incident to the supervisory authority, although it may not be inclined to do so. (While Article 21 para. (1) (b) of the Regulation permits member states to exempt the controller from its obligation to inform the data subject to the extent necessary for the prevention, investigation, detection and prosecution of criminal offences, it does not release the controller from its duty to notify the supervisory authority in accordance with Article 31 of the Regulation.) The national data supervisory authorities may encounter a slight enforcement problem in this regard.

2. Why should you report?

Bearing in mind that Art. 79 of the Regulation provides that any failure to comply with this obligation shall be subject to a fine of up to 100 million EUR or, in the case of an enterprise, up to 5% of its annual worldwide turnover, every data processor has a good reason to report any personal data breach promptly and accurately.

3. What must be reported?

Article 4 para. (9) of the Regulation defines a personal data breach as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This broad range of events makes clear that the cause of a data breach is by and large irrelevant: a breach occurs not only if a data controller’s or processor’s system is hacked by external perpetrators, but also whenever a dissatisfied employee wilfully destroys or steals personal data. Likewise, any accidental data loss caused by back-up routines that turn out to be less than fail-safe, or the loss of personal data due to a virus or Trojan, must be considered a personal data breach within the meaning of Article 4 in connection with Article 31 of the Regulation.

4. When is a report due?

According to Art. 31 of the first draft Regulation, a breach was to be reported within 24 hours from the time the breach was established. This reporting duty raised widespread concern among companies in Europe and the U.S. that it would put an unreasonable burden on the data controller that could not be fulfilled. The version of the draft Regulation adopted in October 2013 by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament fortunately eliminated the inflexible 24-hour deadline and instead obliges the data controller to report breaches “without undue delay” after a personal data breach has been established. This raises the question of when a breach must be assumed to have been established. Because most small to mid-size businesses, and even some large corporations, still have not implemented an appropriate incident discovery and reporting system, data losses often go unnoticed and are therefore never established in the first place. Whoever thinks that maintaining this technical status quo and not poking too deeply into possible incidents is a good policy had better think twice, however: a short glimpse into the recitals suggests that ignoring the potential for data losses will not help. Recital 68, in particular, states that

“in order to determine whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied appropriate technological protection and organizational measures to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject, before a damage to personal and economic interests occurs, taking into account in particular the nature and gravity of the personal data breach and its consequences and the adverse effects for the data subject.”

He who sits on the fence and does not actively take measures to implement an incident discovery and reporting system that is up to its task may hence be punished by events, if not by the supervisory authority.

On the other hand, one may justly assume that (a) the mere suspicion or assumption that a breach may have occurred does not suffice to trigger a duty to report and (b) if a breach remains unnoticed by the data processor’s state-of-the-art incident reporting system, no liability can arise from a failure to report it. Even so, private and public data controllers and processors will find it difficult to comply with this obligation. A premature report to the supervisory authority can have serious consequences for the reputation of the company and its market prospects, and may also seriously damage customer goodwill that took a long time to acquire. In the end, however, any data processor would be ill advised to wait too long or to try to conceal a personal data breach from the supervisory authority and the public. Once an incident has been discovered by the processor’s IT systems, the CIO, CSO and CPO should react swiftly and follow a procedure that guides them through all the steps necessary to verify the breach, its consequences and possible causes, and to alert the CEO or board so that the incident can be reported to the supervisory authority without undue delay. Also, irrespective of the Regulation itself, recent cases have demonstrated that reporting a breach to the data subjects belatedly has the potential to cause greater damage to the trust between the data subject and the company than informing the data subject promptly. Data breaches therefore require excellent soft skills from those responsible for reporting them to the outside world, in particular in determining the right point in time to inform data subjects.

Considering the complexity of assessing possible data breaches and the task of finding a remedy once one has occurred, we hope that the European Data Protection Board will promptly issue guidelines, recommendations and best practices for establishing a data breach and determining what constitutes undue delay in reporting it (see Art. 66 (1)(b), Regulation). (The European Data Protection Board is an independent body consisting of the heads of the national supervisory authorities, established to ensure the consistent application of the Regulation. See Art. 64, Regulation for details.)

5. Which types of breaches must be reported?

What exactly the processor must report to the supervisory authority is laid out in Article 31 para. 3. The minimum information comprises such basic data as the nature of the personal data breach, the categories and number of data subjects concerned, the identity and contact details of the processor’s data protection officer, the measures proposed or taken by the processor to mitigate the possible adverse effects of the breach, and a description of its possible consequences. The Regulation also requires the controller and processor to document any breach, its effects and the remedial action taken.

6. What happens after the report has been filed?

Part of the uneasiness that the obligation to report personal data breaches to the supervisory authority has created among data processors stems from the assumption that reporting a breach will be tantamount to disclosing it to the public. Such concerns, however, find no basis in the current wording of Article 31: para. (4) merely states that the supervisory authority shall keep a public register of the types of breaches notified, not a comprehensive list of the companies that filed a report. If the new reporting regime set forth in Article 31 of the Regulation is to be successful, the supervisory authority must play its part too and ensure that all reports are treated confidentially.

7. Must data subjects be informed too?

The fact that data processors that have experienced a breach are not exposed as culprits by the supervisory authority does not mean, however, that the data subjects concerned by the breach can be left out of the equation. Article 32 of the Regulation does not introduce a general duty to inform data subjects about any and all breaches, but limits that duty to cases where the personal data breach “is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject.” If these conditions are met, data subjects must be provided, within the same time frame (i.e. “without undue delay”), with the contact details of the data protection officer, the consequences of the personal data breach and a description of the measures taken to mitigate its effects. The obvious question will of course be under which circumstances it must be assumed that a breach will have an adverse effect on an individual’s privacy and his/her legitimate rights and interests. It is certainly safe to say that this is the case whenever the data leaked or destroyed contains information on the data subject’s physical or mental health.

Beyond this obvious case, however, the lines become blurred. Whether the loss of biometric or genetic data, for example, must always be reported can only be judged by taking into account all the specific facts of each individual case.

As with the procedure for establishing a data breach and determining whether a report has been unduly delayed under Article 31, the European Data Protection Board will have to carve out the details of Article 32 and provide data processors with clear indications as to which specific data losses mandate the prompt information of all data subjects concerned and which do not.

In the absence of clear guidelines for this assessment, it will be all the more rewarding for data processors to implement appropriate technological protection measures: if the data that was leaked or destroyed had been rendered “unintelligible to any person who is not authorized to access it”, the data subject need not be informed about the breach. This exception to the rule will provide a significant incentive for cloud service providers and other data controllers and processors to encrypt their customers’ data or, even better, to enable their customers to encrypt their personal data themselves so that only they hold the key.

8. How should companies prepare for the new reporting obligations?

To ensure compliance with the reporting duties in the event of a personal data breach and to minimize the inherent costs that come with the new legal framework, private and public organizations will need to create and implement structured processes that ensure compliance, remove the need for short-lived troubleshooting and adequately address the potential loss of control that may result from data breaches becoming public. To achieve this they will have to:

  • set up a state-of-the-art incident discovery and reporting system designed to detect any unintended disclosure of personal (customer) data and a breach notification process that kicks in automatically once a breach has been identified,
  • implement independent and periodic reviews of the company’s data protection and data security processes,
  • continuously update all data protection and security processes in due course to keep them current, and
  • work with, rather than against, the supervisory authority to notify and remedy any breaches as swiftly as possible.

Whilst the new regulatory framework for data protection in Europe – its data breach notification requirements in particular – is now creating some new and major obligations for companies worldwide, it will of course at the same time open up an even bigger market for all those providing data protection assurance and detection and reporting systems.

Andreas Leupold

(Thanks to Cédric Laurant for his comments.)
