In 2016, the Westin Research Center published a series of articles presenting our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation.
This eighth installment in the 10-part series explores how the GDPR addresses data breaches and practical ways in which organizations can go about preparing for and responding to breach events. The first seven installments of the series, addressing data mapping and inventory, legitimate bases for data processing, data governance systems, data processing risks, data retention and record-keeping, transparency and privacy notices, and data subject rights can be found here.
Data breach basics
Security incidents are common. Perhaps someone leaves a secure door unlocked or a sensitive paper file exposed on their desk. Whether a security incident rises to the level of a “data breach,” however, is a legal question.
Under the GDPR, “data breach” is a much broader term than under U.S. state data breach laws, for example.
Article 4(12) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Many U.S. security breach laws define “personally identifiable information” narrowly, as a first name or initial and last name combined with a sensitive data element such as a Social Security number or a financial account number together with its password or access code, so that fraud or identity theft is possible. Under the GDPR, by contrast, “personal data” is defined very broadly in Article 4(1) as “any information relating to an identified or identifiable natural person,” and a breach need not involve disclosure at all: accidental loss or destruction of personal data, including a loss of availability, is a personal data breach in its own right.
Organizations seeking to minimize data breach risk under any law should consider three general areas: preparation to detect and contain an incident; procedures for breach response, including notification where required; and cyber insurance.
Breach preparation
As with all processing activity, the first step in effective preparation is understanding what data the organization has through data mapping and inventory. Multiple GDPR provisions evaluate controller responses to breach events based on the type of data compromised, so controllers must have an accurate picture of their own data. Indeed, as discussed below, data subject notification turns on an evaluation of risks to data subjects’ rights and freedoms, requiring knowledge of not just data categories but specific data elements as well.
Although not the subject of this post, avoiding a breach in the first place through effective data security is obviously a crucial breach preparation task. Article 32 requires controllers and processors to implement appropriate technical and organizational security measures, proportionate to the risk to the rights and freedoms of data subjects. Technical measures such as pseudonymization and encryption of data are expressly encouraged, but they are not by themselves sufficient for compliance; Article 32 requires appropriate “organisational measures” as well. These include a breach response plan, ideally one drafted in collaboration with the information security team, the privacy leader, risk management, compliance personnel, firm management, and perhaps also public relations and communications staff.
A good response plan will dictate who must be notified within a company once a potential breach has been discovered or reported. Potentially serious events should be brought to the attention of a company’s legal representatives and senior management so that a unified response can be coordinated. Companies should also ensure that breach response plans include a strategy for handling breaches reported by a processor, if applicable, since the processor’s report may be the controller’s first notice of an incident and the controller’s own clock starts once it becomes aware. And a short list of which regulators might need to be notified within Article 33’s 72-hour breach notification period will aid in compliance should the crisis occur (more about this below).
Some forensic and security capabilities may be managed in-house, but for some organizations – and for some security incidents – outsourcing investigation of the situation may be required. Engaging outside legal counsel to oversee the investigation may provide legal privilege for some components of the investigation, so part of breach preparation is engaging qualified counsel who can assist when needed.
Some experts suggest separating personnel responsible for an organization’s security from those tasked with forensic investigations, so that any incident requiring a forensic analysis is approached with unbiased eyes. In larger organizations, this may mean the establishment of a separate, full-time data forensics team, while smaller organizations may wish to identify outside data forensics providers ahead of time to call on in the event of a security incident.
For companies that lack the resources to conduct a proper forensic investigation internally or those that choose an outside vendor, the breach response plan should identify in advance the vendors that will conduct an appropriate investigation, including outside legal counsel. Cyber liability and data breach insurance policies often include networks of professionals that can help organizations with IT forensics, public relations, and other crisis management needs if companies’ internal resources are lacking.
Training to prepare for a breach is also crucial. Many data security professionals recommend table-top breach simulations involving both relevant IT personnel and C-suite level management, an invaluable tool for preparing the people who will have to act when personal data is compromised. After all, 72 hours for notification is a tight window indeed.
Breach response and notification
When a security incident is discovered or reported, the DPO should be notified right away. Key first steps are to contain the incident, initiate an investigation of its scope and origins, and ultimately decide whether it qualifies as a “breach.” Here is another place where effective privacy governance (including training) pays off: all employees should be aware of what constitutes a reportable security concern and should know whom to contact upon discovery. Containing the incident to prevent additional misuse of personal data should be a top priority, and this is facilitated by rapid communication to the proper personnel. Containment should, however, be carried out in a way that preserves evidence (logs, system images, timestamps), because the scope determination, the notification contents, and the record the controller must keep all depend on what the investigation can later establish.
If a security incident qualifies as a breach under the GDPR, an organization may be required to notify the relevant supervisory authority and affected data subjects.
As a baseline rule, Recital 85 and Article 33(1) provide that a personal data breach must be reported to the relevant supervisory authority “without undue delay” and, “where feasible,” not later than 72 hours after the controller has become aware of it. Processors, for their part, must notify the controller “without undue delay” after becoming aware of a breach (Article 33(2)); the obligation to notify the supervisory authority rests with the controller.
Recital 87 indicates the determination of whether a notification was “without undue delay” is a fact-based inquiry “taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.” As mentioned above, good breach preparation will include identifying the relevant supervisory authority for each jurisdiction in which the organization operates, as well as the “lead” authority to be contacted in any cross-border incident. It may also help to prepare draft notifications for each to provide a quick basis for the creation of any necessary future notification. Qualified outside counsel will likely also be helpful in meeting these compliance deadlines with the proper notification procedure.
The Regulation requires that controllers’ notification to supervisory authorities include several specific pieces of information:
- The nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records.
- The data protection officer’s contact information, or other contact point.
- The likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Controllers are exempted from reporting to the supervisory authority only where the breach “is unlikely to result in a risk to the rights and freedoms of natural persons.” If for any reason notification cannot be achieved within 72 hours, it “shall be accompanied by reasons for the delay.” Where the information listed above is not all available at once, Article 33(4) permits it to be provided in phases “without undue further delay,” so an incomplete picture is not a reason to hold the initial notification. Whether or not the supervisory authority is notified, controllers must still document any personal data breaches, recording “the facts relating to the personal data breach, its effects and the remedial action taken,” as authorities may audit such records for compliance with the Regulation (Article 33(5)).
For many privacy professionals, the 72-hour window for notification is the most challenging part of the GDPR’s data breach requirements. The window opens when a controller becomes “aware” of a breach, which the Article 29 Working Party’s guidance on data breaches (analyzed in more detail here) clarifies to mean when the controller has a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.” This determination is a fact-based inquiry, and the WP29 gives several examples of situations sufficient to show “awareness,” ranging from a controller discovering the loss of a USB stick containing unencrypted personal data (a breach of availability, even if the controller cannot confirm that unauthorized persons accessed the data on it) to the more straightforward example of a cybercriminal demanding a ransom after hacking a controller’s systems. The WP29 does note that controllers, upon learning of a potential breach, are permitted a “short period of investigation” to determine whether a breach has actually occurred, during which time the controller does not qualify as “aware.” That period is for establishing that personal data was compromised, not for completing the full forensic investigation.
The only relief from the narrowness of this window is the qualifier “where feasible,” which many data security professionals are hesitant to interpret broadly. As a result, some experts suggest that older breach response plans should be updated to involve counsel at the earliest stages of the investigative process, to assist security personnel in making the fact-based determinations that will affect whether a notification is required.
Recital 86 and Article 34 further require organizations to inform data subjects, “without undue delay,” of a breach that “is likely to result in a high risk to the rights and freedoms of natural persons.” Note the higher threshold: a breach posing a “risk” must be reported to the supervisory authority, while only a breach posing a “high risk” must be communicated to the affected individuals, and no fixed 72-hour limit applies to the latter. The communication “should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.” A breach notification to a data subject must:
- Include the data protection officer’s contact information, or other contact point.
- Explain the likely consequences of the personal data breach.
- Describe how the controller proposes to address the breach, including mitigation efforts.
Communication to a data subject must also be in “clear and plain language,” discussed further in our analysis of the GDPR’s transparency requirement. Controllers are exempt from notifying data subjects if they can show any of the following (Article 34(3)):
- The controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- Individual notification would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Annex B of the Article 29 Working Party guidance on data breaches offers examples of security incidents to help companies determine whether notification to supervisory authorities, data subjects, or both is required. Controllers should also note that, under Article 34(4), a supervisory authority that considers a breach likely to result in a high risk may require the controller to inform data subjects even where the controller has concluded that one of the exceptions applies; conversely, the authority may decide that an exception is met. The encryption exception is worth a practical caveat: it applies only where the measures were actually applied to the affected data and the keys were not themselves compromised, so a controller relying on it should be able to evidence both points.
Finally, it is important to recognize that, per Recital 73, Member State law may impose additional specific data breach response requirements beyond those in the Regulation—so companies may be subject to further requirements beyond those described above depending on their specific jurisdiction. Under Article 40, industry associations or other similar bodies may also create codes of conduct for specific market sectors that set forth additional responsibilities for personal data breach notifications.
Insurance
For organizations with large potential liability, data breach insurance is a critical part of effective breach preparation. Most standard corporate liability insurance policies will not cover data breach exposure, and for data-heavy companies, the combined costs of appropriate forensic investigation, breach notification, legal advice, and potential compensation to data subjects can be burdensome. Indeed, a 2016 PwC report estimated that the market for cyberinsurance will climb to $7.5 billion in annual premiums by 2020.
Additionally, cyber insurance policies often provide companies with access to “crisis networks” of data forensics experts, outside counsel, specialist PR services, and other high-cost capabilities that may not exist in-house. Coverage comes in different flavors, including data breach liability, computer and network security liability, media liability, and identity theft. With the explosion of connected devices, moreover, come new opportunities for mishaps and thus new liability policies to cover them.
Because of the many ways personal data can be compromised, and thus create liability for organizations, cyber policies should be reviewed carefully for coverage of the organization’s most likely data risks, including any exclusions for regulatory fines and for incidents that the policy requires to be reported to the insurer within a fixed period.
Conclusion
Data breaches are an inherent part of the risk landscape in the modern world. Companies must recognize that upfront investment in planning for breaches may make responses go more smoothly, and thereby reduce risk to the organization as well as the data subjects whose personal data they process.