The European Data Protection Board (“EDPB”) has recently released draft guidelines on personal data breach notification.
These new guidelines complement the previous, more general guidelines on the same subject issued in October 2017 by the EDPB's predecessor, the Article 29 Working Party (see here for more details).
Although quite comprehensive, the previous guidelines lacked practical detail in certain respects, as they were drafted at a time when authorities and organisations had little experience with personal data breach notification. More than two years later, the EDPB has decided to provide guidelines made up of practical examples drawn from the experience gained since then.
The guidelines cover the most common types of personal data breach that organisations may encounter and provide the EDPB's analysis of each, including the measures to be taken, the remediation actions, and whether or not a notification is necessary.
This article provides an overview of the information in the document and reproduces the recommended measures to implement in order to avoid a personal data breach and/or be better prepared to handle one. For a full reading of the guidelines see here.
1. What is a personal data breach?
According to the GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Breaches can be categorised as follows:
- Confidentiality breach (i.e. unauthorised disclosure of, or access to, data);
- Integrity breach (i.e. alteration of the data);
- Availability breach (i.e. loss, destruction of data).
For more information about what a personal data breach is, see here.
2. In which cases must a controller make a notification?
A personal data breach may have significant adverse effects on individuals, such as physical, material or non-material damage. Breaches can result in loss of control over their personal data, limitation of their rights, discrimination, identity theft, fraud, financial loss, etc.
- Controllers must document any breach of personal data in a record (facts, effects, and remedial actions taken).
- Notify the supervisory authority of any personal data breach likely to result in a risk to the rights and freedoms of natural persons without delay, and no later than 72 hours after becoming aware of the breach.
- Notify the individuals of the data breach when it is likely to result in a high risk to the rights and freedoms of natural persons within the same time period as set out above.
The GDPR, while providing examples of risk, does not make a clear distinction between a risk and a high risk.
The guidelines aim to provide a better understanding of when it is considered necessary to notify the data subjects of a personal data breach.
In practice, the level of risk mainly depends on:
- the volume and the type of data concerned, as well as the type of data subjects (e.g. children, patients). In particular, where sensitive data is concerned, the risk is very likely to be considered high.
- the technical, organisational and security measures implemented and the remediation actions that are taken to mitigate the risk once the controller is aware of the personal data breach.
- the likely consequences of the breach for the data subject. A risk of identity theft or financial loss is usually considered a high risk.
3. The typical attacks identified in the guidelines
In its guidelines, the EDPB provides examples of the typical types of personal data breaches organisations may encounter.
The main categories of breach/attacks are as follows:
- Data exfiltration
- Human risk (human error, lost or stolen devices or documents, mispostal)
- Social engineering
- Email exfiltration
4. The general measures the EDPB expects organisations to implement
In general, supervisory authorities expect the following organisational measures to be implemented:
- Plans, procedures for handling data breaches;
- Clear reporting lines and identification of the persons responsible for the various aspects of the recovery process;
- Training and awareness on data protection issues of the staff in charge of the personal data breach management;
- The EDPB also encourages organisations to draft a handbook on handling personal data breaches that establishes the facts to be gathered at each major stage of a breach, so that if one occurs, people in the organisation know what to do and the incident is handled more quickly.
5. Examples of measures the EDPB recommends implementing depending on the type of personal data breach
The EDPB also recommends implementing more specific measures for most of the types of personal data breach it has identified in its guidelines, in order to avoid a breach or to mitigate the risk. The list of measures reproduced below is a recommendation only and should not be read as an exhaustive list of measures that must be implemented in all cases. Indeed, measures must be adapted to each organisation and situation.
Keeping the firmware, operating system and application software on the servers, client machines, active network components, and any other machines on the same LAN (including Wi-Fi devices) up to date.
Ensuring that all reasonable IT security measures are in place, are effective and regularly updated when processing or circumstances change or evolve. This includes keeping detailed logs of which patches are applied at which timestamp.
Designing and organising processing systems and infrastructure to segment or isolate data systems and networks to avoid propagation of malware within the organisation and to external systems.
The existence of an up-to-date, secure and tested backup procedure. Media for medium- and long-term backup should be kept separate from operational data storage and out of reach of third parties even in case of a successful attack (e.g. daily incremental backups and weekly full backups).
Having or obtaining appropriate, up-to-date, effective and integrated anti-malware software.
Having an appropriate, up-to-date, effective and integrated firewall and intrusion detection and prevention system.
Directing network traffic through the firewall/intrusion detection, even in the case of a home office or mobile work (e.g. by using VPN connections to organizational security mechanisms when accessing the internet).
Training employees on the methods of recognising and preventing IT attacks. The controller should provide means to establish whether emails and messages obtained by other means of communication are authentic and trustworthy. Employees should be trained to recognize when such an attack has occurred, how to take the endpoint out of the network and their obligation to immediately report it to the security officer.
Emphasising the need to identify the type of malicious code, in order to understand the consequences of the attack and find the right measures to mitigate the risk. If a ransomware attack has succeeded and no backup is available, tools such as those provided by the “No More Ransom” project (nomoreransom.org) may be used to retrieve data. If a safe backup is available, however, restoring the data from it is advisable.
Forwarding or replicating all logs to a central log server (possibly including signing or cryptographic time-stamping of log entries).
Strong encryption and authentication, in particular for administrative access to IT systems (2FA), and appropriate key and password management.
Vulnerability and penetration testing on a regular basis.
Establish a Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) within the organization, or join a collective CSIRT/CERT.
Create an Incident Response Plan, Disaster Recovery Plan and a Business Continuity Plan, and make sure that these are thoroughly tested.
When assessing countermeasures, the risk analysis should be reviewed.
State-of-the-art encryption and key management, especially when passwords, sensitive or financial data are being processed.
Cryptographic hashing and salting of secret information (passwords) are always preferred over encryption of passwords. Authentication methods that obviate the need to process passwords on the server side are preferable.
Keeping the system up to date (software and firmware).
Ensuring that all IT security measures are in place, effective and regularly updated when processing or circumstances change or evolve. The controller should maintain a record of all updates performed, including the time at which they were applied.
Use of strong authentication methods like two-factor authentication and authentication servers, complemented by an up-to-date password policy.
Secure development standards, including the filtering of user input (using whitelisting as far as practicable), escaping of user input, and brute-force prevention measures (such as limiting the maximum number of retries). “Web Application Firewalls” may assist in the effective use of these techniques.
Strong user privileges and access control management policy should be in place.
Use of appropriate, up-to-date, effective and integrated firewall, intrusion detection and other perimeter defence systems.
Systematic IT security audits and vulnerability assessments (penetration testing).
Regular reviews and testing to ensure that backups can be used to restore any data whose integrity or availability was affected.
No session IDs in URLs in plain text.
Periodic implementation of training, education and awareness programmes for employees on their privacy and security obligations and on the detection and reporting of threats to the security of personal data.
Developing an awareness programme to remind employees of the most common errors leading to personal data breaches and how to avoid them.
Establishment of robust and effective data protection and privacy practices, procedures and systems.
Evaluation of privacy practices, procedures and systems to ensure continued effectiveness.
Making proper access control policies and forcing users to follow the rules.
Implementing techniques to force user authentication when accessing sensitive personal data.
Disabling the company related account of the user as soon as the person leaves the company.
Checking unusual dataflow between the file server and employee workstations.
Setting up I/O interface security in the BIOS or through software controlling the use of computer interfaces (e.g. locking or unlocking USB, CD/DVD, etc.).
Reviewing employees’ access policy (e.g. logging access to sensitive data and requiring the user to input a business reason, so that this is available for audits).
Disabling open cloud services.
Forbidding and preventing access to known open mail services.
Disabling print screen function in OS.
Enforcing a clean desk policy.
Automatically locking all computers after a certain period of inactivity.
Use of mechanisms (e.g. a (wireless) token to log on or unlock accounts) for fast user switches in
Use of dedicated systems for managing personal data that apply appropriate access control mechanisms and that prevent human mistake, such as sending of communications to the wrong subject. The use of spreadsheets and other office documents is not an appropriate means to manage client data.
Use passcode/password on all devices. Encrypt all mobile electronic devices in a way that requires the input of a complex password for decryption.
Use multi-factor authentication.
Turn on the functionalities of highly mobile devices that allow them to be located in case of loss or misplacement.
Use MDM (Mobile Device Management) software and device localisation, and enable the remote wipe function. Use anti-glare filters.
Close down any unattended devices. If possible and appropriate to the data processing in question, save personal data not on a mobile device, but on a central backend server.
If the workstation is connected to the corporate LAN, back up the work folders automatically, provided it is unavoidable that personal data is stored there.
Use a secure VPN (e.g. which requires a separate second factor authentication key for the establishment of a secure connection) to connect mobile devices to back-end servers.
Provide physical locks to employees so that they can physically secure the mobile devices they use while these remain unattended.
Proper regulation of device usage outside the company.
Proper regulation of device usage inside the company.
Use centralised device management with minimum rights for the end-users to install the software.
Install physical access controls.
Avoid storing sensitive information on mobile devices or hard drives. If there is a need to access the company’s internal systems, secure channels such as those described above should be used.
Setting exact standards for sending letters/e-mails.
Adequate training for personnel on how to send letters/e-mails.
When sending e-mails to multiple recipients, they are listed in the “bcc” field by default.
Extra confirmation is required when sending e-mails to multiple recipients who are not listed in the “bcc” field.
Application of the four-eyes principle.
Automatic addressing instead of manual, with data extracted from an available and up-to-date database; the automatic addressing system should be regularly reviewed to check for hidden errors and incorrect settings.
Application of a message delay (e.g. the message can be deleted or edited within a certain time period after clicking the send button).
Disabling autocomplete when typing in e-mail addresses.
Awareness sessions on most common mistakes leading to a personal data breach.
Training sessions and manuals on how to handle incidents leading to a personal data breach and who to inform (involve DPO).