What’s this all about?
The European Data Protection Board (“EDPB”) issued “Guidelines 01/2021 on Examples regarding Personal Data Breach Notification” (“the guidelines”) late last year. This article looks at its practical aspects.
Under EU GDPR, subject to certain conditions, data breaches have to be notified to a national data protection regulator and communicated to the individuals affected by the breach. Further, and often overlooked, a data breach also has to be documented. Since EU GDPR came into force in May 2018, data protection regulators have gained experience in data breach notification, and so the EDPB has issued practice-oriented, case-based guidance drawing on that experience for a list of data breach categories. This news item does not go into the case studies but instead focuses on the EDPB’s “advisable measures” for each data breach category.
Data breach essentials
By way of reminder, EU GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage, including:
- Identity theft or fraud;
- Financial loss;
- Loss of control over personal data;
- Unauthorised reversal of pseudonymization; and,
- Reputational damage.
Following a data breach an individual may seek financial compensation from the organization responsible for the breach.
As regards when to notify a breach, the guidelines state as follows:
“The breach should be notified when the [data] controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject. Controllers should make this assessment at the time they become aware of the breach. The controller should not wait for a detailed forensic examination and (early) mitigation steps before assessing whether or not the data breach is likely to result in a risk and thus should be notified.”
As regards being ready to deal with a data breach, the guidelines state as follows:
“Every controller and processor should have plans, procedures in place for handling eventual data breaches. Organisations should have clear reporting lines and persons responsible for certain aspects of the recovery process.
Training and awareness on data protection issues for the staff of the controller and processor focusing on personal data breach management (identification of a personal data breach incident and further actions to be taken, etc.) is also essential for the controllers and processors. This training should be regularly repeated, depending on the type of the processing activity and size of the controller, addressing latest trends and alerts coming from cyberattacks or other security incidents.”
What about ransomware?
In brief and speaking very generally, in a ransomware attack malicious code encrypts personal data, after which the attacker demands a ransom from the data controller organization in exchange for the decryption key.
The EDPB’s non-exhaustive advisable measures applying to different situations concerning ransomware include the following:
- Keep the firmware, operating system and application software on the servers, client machines, active network components, and any other machines on the same LAN (including Wi-Fi devices) up to date;
- Ensure that appropriate IT security measures are in place, making sure they are effective and keep them regularly updated when processing or circumstances change or evolve, which includes keeping detailed logs of which patches are applied at which timestamp;
- Design and organize processing systems and infrastructure to segment or isolate data systems and networks to avoid propagation of malware within the organization and to external systems;
- Have an up-to-date, secure and tested backup procedure (for example daily incremental and weekly full backups). Media for medium- and long-term backups should be kept separate from operational data storage and out of reach of third parties even in the event of a successful attack;
- Have/obtain appropriate, up-to-date, effective and integrated anti-malware software;
- Have/obtain appropriate, up-to-date, effective and integrated firewall and intrusion detection and prevention system. Direct network traffic through the firewall/intrusion detection, even in the case of home office or mobile work;
- Train employees on the methods of recognizing and preventing IT attacks. Provide means to establish whether emails and messages obtained by other means of communication are authentic and trustworthy. Employees should be trained to recognize when such an attack has occurred, how to take the endpoint off the network and their obligation to report it internally immediately;
- Emphasize the need to identify the type of the malicious code in order to understand the consequences of the attack and to find the right measures to mitigate the risk. If a ransomware attack has succeeded and there is no backup available, tools such as those of the “No More Ransom” project (nomoreransom.org) may be applied to retrieve data. However, if a safe backup is available, restoring the data from it is advisable;
- Forward or replicate all logs to a central log server, possibly including the signing or cryptographic time-stamping of log entries;
- Have strong encryption, multi-factor authentication (in particular for administrative access to IT systems) and appropriate key and password management;
- Carry out vulnerability and penetration testing on a regular basis;
- Create an Incident Response Plan, Disaster Recovery Plan and a Business Continuity Plan, and make sure that these are thoroughly tested; and,
- When assessing countermeasures, risk analysis should be reviewed, tested and updated.
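The EDPB’s point about forwarding logs to a central server with signed or time-stamped entries can be illustrated with a hash chain: each entry carries an HMAC over the previous entry’s tag, its timestamp and its message, so a collector can detect altered, deleted or reordered entries. This is an added example, not code from the EDPB or from the guidelines; the key, the sample log lines and the host name are constructed.

```python
import hmac
import hashlib
import json

# Constructed secret: in practice this key lives only on the signing agent
# and the central log collector (assumption), never on the logged host's disk.
SIGNING_KEY = b"demo-signing-key-replace-in-production"
GENESIS_TAG = "0" * 64  # tag used as the "previous" value for the first entry


def sign_entry(prev_tag, ts, message, key=SIGNING_KEY):
    """Return a log entry whose tag is an HMAC-SHA256 over (prev_tag, ts, message).
    Binding the previous tag is what turns independent entries into a chain."""
    payload = json.dumps({"prev": prev_tag, "ts": ts, "msg": message}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"prev": prev_tag, "ts": ts, "msg": message, "tag": tag}


def build_chain(messages, start_ts=1_700_000_000, key=SIGNING_KEY):
    """Sign a sequence of messages in order, one second apart (constructed timestamps)."""
    chain, prev = [], GENESIS_TAG
    for i, msg in enumerate(messages):
        entry = sign_entry(prev, start_ts + i, msg, key)
        chain.append(entry)
        prev = entry["tag"]
    return chain


def verify_chain(chain, key=SIGNING_KEY):
    """Recompute every tag on the collector side.
    Returns (True, None) when intact, else (False, index_of_first_bad_entry)."""
    prev = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = sign_entry(prev, entry["ts"], entry["msg"], key)["tag"]
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


# Constructed sample log lines as they might be forwarded from a file server.
SAMPLE_LOGS = [
    "fs01: security patch applied, reboot scheduled",
    "fs01: user alice authenticated from workstation ws-17",
    "fs01: 4000 files renamed within 30 seconds, alert raised",
]
```

Deleting or rewriting an entry on the compromised host breaks the chain from that point on, which is exactly what the central collector can alert on.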
What about data exfiltration attacks?
Attacks that exploit vulnerabilities in services offered by a data controller to third parties over the internet, along with website compromise and similar methods, resemble ransomware attacks in that they are carried out by an unauthorized third party, but such attacks typically aim at copying, abusing and in particular exfiltrating personal data for some malicious end.
The EDPB’s non-exhaustive advisable measures applying to different situations concerning data exfiltration include the following:
- Use state-of-the-art encryption and key management, especially when passwords, sensitive or financial data are being processed. Salted cryptographic hashing of secret information (passwords) is preferable to encrypting passwords. The use of authentication methods that avoid the need to process passwords on the server side is preferable;
- Keep the system up to date (software and firmware). Ensure that all IT security measures are in place, making sure that they are effective and keep them regularly updated when processing or circumstances change or evolve. In order to be able to demonstrate compliance with the EU GDPR “integrity and confidentiality” principle and also in accordance with the EU GDPR “accountability” principle the controller should maintain a record of all updates performed, including the time when they were applied;
- Use strong authentication methods like two-factor authentication and authentication servers, complemented by an up-to-date password policy;
- Secure development standards include the filtering of user input (using whitelisting as far as practicable), escaping user inputs and brute force prevention measures such as limiting the maximum number of retries. “Web Application Firewalls” may assist in the effective use of this technique;
- Have a strong user privileges and access control management policy;
- Use appropriate, up-to-date, effective and integrated firewall, intrusion detection and other perimeter defence systems;
- Undertake systematic IT security audits and vulnerability assessments, i.e. penetration testing;
- Undertake regular reviews and testing to ensure that backups can be used to restore any data whose integrity or availability was affected; and,
- Don’t put session IDs in URLs in plain text.
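Two of the measures above, salted hashing of passwords rather than encrypting them, and limiting the number of retries, can be shown together in one small credential store. This is an added example, not code from the EDPB or from the guidelines; the retry limit, lockout period and user names are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_RETRIES = 5          # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 900    # assumption: 15-minute lockout


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, and there is no key to steal or decrypt with."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


# Dummy record so that unknown user names cost the same time as real ones.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-password")


class CredentialStore:
    def __init__(self):
        self._users = {}     # username -> (salt, digest)
        self._attempts = {}  # username -> (failed_count, locked_until)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def verify(self, username, password, now=None):
        """Return 'ok', 'bad_credentials' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        failed, locked_until = self._attempts.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        salt, stored = self._users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, candidate = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._attempts.pop(username, None)  # success resets the counter
            return "ok"
        failed += 1
        if failed >= MAX_RETRIES:
            self._attempts[username] = (failed, now + LOCKOUT_SECONDS)
            return "locked"
        self._attempts[username] = (failed, 0.0)
        return "bad_credentials"
```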
What about human error risk?
Human error within an organization leading to personal data breaches is all too common. Although such breaches can be both intentional and unintentional, making it challenging to identify the vulnerabilities and adopt measures to avoid them, measures can still be put in place.
The EDPB’s non-exhaustive advisable measures applying to different situations concerning human error include the following:
- Periodic implementation of training, education and awareness programmes for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data;
- Develop an awareness programme to remind employees of the most common errors leading to personal data breaches and how to avoid them;
- Establish robust and effective data protection and privacy practices, procedures and systems;
- Evaluate privacy practices, procedures and systems to ensure continued effectiveness;
- Make proper access control policies and require users to follow them;
- Implement techniques to require user authentication when accessing sensitive personal data;
- Disable the company related account of a user as soon as they leave the company;
- Check for unusual data flows between the file server and employee workstations;
- Set up I/O interface security in the BIOS or through the use of software controlling the use of computer interfaces;
- Review employees’ access policy – log access to sensitive data and require users to input a business reason so that this is available for audits;
- Disable open cloud services;
- Forbid and prevent access to known open mail services;
- Disable print screen function in OS;
- Enforce a clean desk policy;
- Have automated locking of all computers after a certain amount of time of inactivity;
- Use mechanisms (e.g. [wireless] token to log on/open locked accounts) for fast user switches in shared environments; and,
- Use dedicated systems for managing personal data that apply appropriate access control mechanisms and that prevent human mistake, such as sending communications to the wrong subject. The use of spreadsheets and other office documents is not an appropriate means to manage client personal data.
What about lost or stolen devices and paper documents?
The loss or theft of portable devices is an all too frequent occurrence.
The EDPB’s non-exhaustive advisable measures applying to different situations concerning lost or stolen devices and paper documents include the following:
- Turn on device encryption, e.g. BitLocker, VeraCrypt or dm-crypt;
- Use passcode/password on all devices. Encrypt all mobile electronic devices in a way that requires the input of a complex password for decryption;
- Use multi-factor authentication;
- Turn on the functionalities of highly mobile devices that allow them to be located in case of loss or misplacement;
- Use MDM (Mobile Devices Management) software/app and localization. Use anti-glare filters. Close down any unattended devices;
- If possible and appropriate to the data processing in question, save personal data not on a mobile device, but on a central back-end server;
- If the workstation is connected to the corporate LAN, do an automatic backup from the work folders provided it is unavoidable that personal data is stored there;
- Use a secure VPN, e.g. which requires a separate second factor authentication key for the establishment of a secure connection, to connect mobile devices to back-end servers;
- Provide physical locks to employees in order to enable them to physically secure mobile devices they use while they remain unattended;
- Regulate device usage both inside and outside the company;
- Use MDM (Mobile Devices Management) software/app and enable the remote wipe function;
- Use centralized device management with minimum rights for the end users to install software;
- Install physical access controls; and,
- Avoid storing sensitive information on mobile devices or hard drives. If there is a need to access the company’s internal systems, secure channels such as those described above should be used.
What about unintentional errors when sending goods or emails?
Unintentional errors regarding the sending of goods or emails (“mispostal”) happen all too often – because little can be done after this happens, prevention is even more important in these cases than for other types of data breaches.
The EDPB’s non-exhaustive advisable measures applying to different situations concerning mispostal include the following:
- Set exact standards (with no room for interpretation) for sending e-mails and letters;
- Provide training for personnel on how to send letters and e-mails;
- When sending e-mails to multiple recipients, list them in the “BCC” field by default;
- Require extra confirmation when sending e-mails to multiple recipients, when they are not listed in the “BCC” field;
- Apply the four-eyes principle;
- Automate addressing instead of doing this manually, with data extracted from an available and up-to-date database – the automatic addressing system should be regularly reviewed to check for hidden errors and incorrect settings;
- Apply a message delay, e.g. so that the message can be deleted or edited within a certain time period after clicking send;
- Disable autocomplete when typing in e-mail addresses;
- Do awareness sessions for staff on the most common mistakes leading to a personal data breach; and,
- Do training and provide written guidance for staff on how to handle incidents leading to a personal data breach and who to inform – get the Data Protection Officer involved.
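The two BCC measures above (BCC by default for multiple recipients, and an extra confirmation step when the sender wants them visible) can be enforced in an outbound mail gate before a message is built. This is an added example, not code from the EDPB or from the guidelines; the internal domain and addresses are constructed, and treating one external recipient in To/Cc as acceptable is an assumption.

```python
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"  # assumption: the sending organisation's own domain


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def apply_recipient_policy(to, cc=(), bcc=(), keep_visible=False, confirmed=False,
                           internal_domain=INTERNAL_DOMAIN):
    """Return (decision, recipients) where decision is 'send', 'moved_to_bcc' or
    'needs_confirmation'. External addresses visible to each other in To/Cc disclose
    personal data to every recipient, so more than one of them is moved to Bcc unless
    the sender explicitly asked to keep them visible AND confirmed that choice."""
    to, cc, bcc = list(to), list(cc), list(bcc)
    external_visible = [a for a in to + cc if _domain(a) != internal_domain]
    if len(external_visible) <= 1:
        return "send", {"to": to, "cc": cc, "bcc": bcc}
    if keep_visible and confirmed:
        return "send", {"to": to, "cc": cc, "bcc": bcc}
    if keep_visible:
        return "needs_confirmation", {"to": to, "cc": cc, "bcc": bcc}
    # Default: internal colleagues stay where they were, externals go to Bcc.
    return "moved_to_bcc", {
        "to": [a for a in to if _domain(a) == internal_domain],
        "cc": [a for a in cc if _domain(a) == internal_domain],
        "bcc": bcc + external_visible,
    }


def build_message(sender, subject, body, recipients):
    """Build the message with To/Cc headers only; Bcc addresses go solely into the
    SMTP envelope list so they never appear in the headers other recipients see."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if recipients["to"]:
        msg["To"] = ", ".join(recipients["to"])
    if recipients["cc"]:
        msg["Cc"] = ", ".join(recipients["cc"])
    msg.set_content(body)
    envelope = recipients["to"] + recipients["cc"] + recipients["bcc"]
    return msg, envelope
```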
Organizations should at the absolute minimum consider having the following in place with regard to data breaches:
- A data breach plan – fire drill it and do so regularly;
- Template FAQs and emails to communicate data breaches to employees and customers – these will need to be turned around quickly;
- Regular testing of technical and organizational measures – get IT to provide regular updates;
- Staff training – make sure that: they can spot a data breach; and, they understand to raise the alarm as soon as possible, even if they’re not sure if an incident constitutes an actual data breach (better safe than sorry);
- A template press release – you may need to get it out fast;
- A template letter to inform your insurers about a data breach; and,
- A data breach log – update it regularly as events progress.
Bear in mind also that the EDPB guidance is only guidelines – a court has the final word.
We have written extensively about data breaches, including here https://www.corderycompliance.com/law-firm-gdpr-breach-fine/, here https://www.corderycompliance.com/dp-infringement-stadler-currys/, here https://www.corderycompliance.com/damages-minor-dp-infringement/, here https://www.corderycompliance.com/scope-restrictions-data-breach-comp-claims/, here https://www.corderycompliance.com/poland-gdpr-fine/, here https://www.corderycompliance.com/booking-com-breach-fine/, and here https://www.corderycompliance.com/data-breaches-and-transparency/.
We have written extensively about ransomware and data protection, notably here https://www.corderycompliance.com/war-effects-on-cybersecurity/, here https://www.corderycompliance.com/law-firm-gdpr-breach-fine/, here https://www.corderycompliance.com/ransomware-pay-or-not/, here https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/ and here https://www.corderycompliance.com/3rd-party-ransomware-risk-blackbaud/.
We have written about data breach compensation, including here https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/, here https://www.corderycompliance.com/lloyd-v-google-ruling/, and here https://www.corderycompliance.com/scope-restrictions-data-breach-comp-claims/.
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
For our other news please see here https://www.corderycompliance.com/news/.
The EDPB guidelines can be found here https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012021-examples-regarding-personal-data-breach_en.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785