How can companies prevent some of the most common data breach scenarios and what obligations does the GDPR impose on them if one materialises? The European Data Protection Board (EDPB) published its Guidelines providing for a detailed assessment of distinct data breach scenarios most commonly encountered in the daily practice of the European data protection supervisory authorities. We explain the most important cases and show how companies can better protect themselves against them.
Update: On 14 December 2021, the EDPB adopted version 2.0 of the Guidelines on examples regarding data breach notification discussed in this article. Content-wise, the final version of the Guidelines does not differ from the version for public consultation. This article hence remains valid also under the new version of the Guidelines.
Why were the new Guidelines on data breach notification adopted?
In October 2017, the Art. 29 Working Party issued Guidelines on personal data breach notification, providing general guidance on handling data breaches according to the GDPR. The new Guidelines on examples regarding data breach notification, which the Art. 29 Working Party’s successor, the European Data Protection Board, adopted and sent into public consultation on 14 January 2021, supplement the initial Guidelines by drawing on the practical experiences of the supervisory authorities from the first few years of the GDPR application.
The new Guidelines are case-based and cover the most common data breach types, such as ransomware and data exfiltration attacks, human error and loss of data carriers. Companies will find the Guidelines useful when deciding how to handle such data breaches and what factors to consider during risk assessment.
In particular, the Guidelines might help in the assessment
- whether the competent supervisory authority should be notified (this is the case if the breach results or is likely to result in a risk to the rights and freedoms of individuals) and
- whether the individuals should be notified as well (in case of a high risk to their rights and freedoms).
What common data breach scenarios do the Guidelines focus on?
A frequent cause of data breaches is ransomware attacks, where malicious code encrypts the company’s data. Subsequently, the attacker demands a ransom in exchange for the decryption key, often payable in cryptocurrencies in order to hinder traceability. To infiltrate the company’s computer system, the attackers usually exploit vulnerabilities in it. Often, attackers use a Trojan horse disguised as a legitimate file that the user is tricked into downloading or opening, e.g. as an e-mail attachment.
According to the EDPB, whether a ransomware attack presents a risk to the rights and freedoms of data subjects and hence must be notified to a supervisory authority depends on multiple factors. Most importantly, the company has to assess whether a proper data backup is available and whether the perpetrator managed to exfiltrate the data in addition to encrypting them.
According to the Guidelines, a breach revealing identity documents or individuals’ financial data always presents a high risk, all the more so in combination, as the perpetrator could use these data for identity theft or fraud.
Companies can most effectively minimise the risks to the confidentiality of data by employing state-of-the-art encryption at rest. Namely, even if the attacker manages to exfiltrate the data, proper encryption would hinder usage of the data. On the other hand, exfiltration of unencrypted data could result in the attacker (mis)using the data, meaning that the company has to take additional measures to minimise the risks for the affected individuals.
However, ransomware attacks primarily aim at compromising data availability. As a countermeasure, companies should have proper, up-to-date and separately stored backups enabling them to restore the affected data in a timely manner after an attack.
Whether such temporary unavailability of data will result in a risk to individuals will depend on its consequences for individuals. For example, the consequences of data unavailability lasting a few hours are less severe in the case of an online shop compared to a hospital that has been attacked and has to postpone medical treatments.
What measures can companies take to mitigate the risks of ransomware attacks?
The EDPB provides a non-exhaustive list of technical and organisational measures companies can employ to prevent ransomware attacks or mitigate their consequences:
- having an up-to-date, secure and tested backup procedure, whereby the backups are kept separately from operational data storage,
- strong encryption and authentication,
- keeping the firmware, operating system and application software up to date and having reasonable IT security measures in place,
- having effective, up-to-date anti-malware software, a firewall and an intrusion prevention and detection system, and directing network traffic through these systems even in the case of home office or mobile work (e.g. by using VPN connections),
- segmentation of data systems to avoid propagation of the malware after an attack,
- regular vulnerability and penetration testing, and
- regularly training employees on the methods of recognising and preventing such attacks.
Data exfiltration attacks
Data exfiltration attacks exploit vulnerabilities in services offered over the internet and typically aim at copying, exfiltrating and abusing personal data to a malicious end. As such, they usually pose a risk to data confidentiality and integrity.
The EDPB considers an exfiltration of around 200 online job application forms, even if they do not contain special categories of data, as posing a high risk to individuals. Namely, the attacker could easily misuse such data in a number of ways. On the other hand, the exfiltration of hashed passwords in combination with random usernames does not pose any risk to the affected individuals, and a notification of the breach is not mandatory. A higher risk would materialise if users used their names as usernames, even more so if the type of the website revealed special categories of data (e.g. a website of a trade union).
Nonetheless, as a matter of good practice, the EDPB strongly encourages the controllers to inform data subjects that their passwords were exfiltrated in any case, i.e. regardless of whether the conditions of Art. 34 GDPR are fulfilled, so that they can take the necessary steps to avoid further damage.
How can companies protect themselves from exfiltration attacks?
Companies can most effectively protect themselves from exfiltration attacks by maintaining a high level of security of the company’s systems. The EDPB suggests employing a combination of the following measures:
- state-of-the-art encryption and key management, especially when passwords, sensitive or financial data are being processed,
- keeping the software and firmware up to date and having effective and regularly updated IT security measures in place,
- using strong authentication methods (e.g. two-factor authentication),
- filtering user input and employing brute force prevention measures (e.g. limiting the number of login attempts),
- systematic IT security audits, vulnerability assessments and penetration testing, and
- having backups available to restore the data if their integrity was compromised.
Internal human risk source
Intentional and unintentional data breaches caused by employees are both very common and difficult to combat by adopting appropriate measures. One specific factor for the risk assessment in this context is the trustworthiness of the data recipient. For example, a data controller cannot trust an already terminated employee who makes a copy of a database with contact data not to misuse the database within or after her employment period. Hence, a risk to the affected individuals exists and the controller should notify the supervisory authority. On the other hand, if non-sensitive data of a dozen individuals are accidentally transmitted to a trusted third party that immediately signals the mistake to the controller and confirms the deletion of the data, no risk has materialised and a notification is not necessary.
What measures can companies implement to mitigate risks emanating from the internal human risk source?
To mitigate internal human risks for data breaches, companies should consider adopting a combination of the following measures:
- periodic training and raising awareness of employees,
- having access control policies in place, regularly reviewing employees’ access policy and using dedicated systems for managing personal data that enforce them,
- limiting access to certain types of data,
- checking unusual data flows between the file server and employee workstations,
- enforcing a clean desk policy,
- automated locking of computers after a certain period of inactivity, and
- in case a breach has already occurred, taking appropriate legal action and/or requesting the attacker to stop using and delete the affected data.
Lost or stolen devices and documents
Loss or theft of portable devices or documents is another common data breach type. Companies should take appropriate measures in advance to prevent such data breaches. To this end, employing appropriate technical measures can lower the risk considerably.
For example, if an encrypted and password-protected tablet containing personal information is stolen, whereby a backup of the data is readily available and the data stored on the device is wiped remotely, a risk to affected individuals is unlikely to materialise. A notification is not necessary.
On the contrary, if the device lacks both encryption and password protection, the risk is high as the perpetrator could use the data for identity fraud. Both the supervisory authority and the data subjects need to be informed. Similarly, a theft of paper files containing sensitive data, whereby no backup exists, would result in a high risk for the affected individuals.
How can companies lower the risks of breaches following a theft or loss of devices?
To lower the probability of a data breach following a loss or theft of a device or documents, the EDPB suggests a combination of the following measures:
- device encryption,
- using adequate password protection and possibly multi-factor authentication on all devices,
- using Mobile Device Management software enabling the localisation and remote wiping of devices in case of loss,
- saving data on a central back-end server rather than on a mobile device and conducting automatic backups,
- using a secure VPN,
- regulating device usage inside and outside the company, and
- providing safe storage facilities for files and portable devices.
Mispostal of personal data is a data breach usually committed unintentionally. The risk level will depend on the content and the recipient of the mispostal. For example, the risk resulting from a retail company mixing up two packing bills and sending them to the wrong recipients is low. Apart from asking the recipients to destroy or delete the data, the company does not have to take any further steps. On the other hand, if an insurance company sends a contribution policy letter to a wrong recipient, the risk is already higher. The EDPB considers that there is a low to medium risk to the individual, meaning that the company has to notify the supervisory authority. Finally, wrongfully sending a letter containing sensitive data to a high number of recipients would result in a high risk to the affected individuals, meaning that both the authority and the affected individuals need to be informed.
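The notification decision that runs through the scenarios above (ransomware, exfiltration, the internal human source, lost devices and mispostal) can be written down as one triage function. This is an added example, not part of the article or of the EDPB Guidelines; the Breach fields, the sensitivity tiers and the escalation rules are our own simplification of the factors the article names, so the thresholds are assumptions a controller would have to calibrate.

```python
from dataclasses import dataclass

@dataclass
class Breach:
    """Incident facts as a controller would record them (constructed schema, not from the Guidelines)."""
    exposed: bool = False              # data left the controller's control (exfiltrated, stolen, mis-sent)
    encrypted: bool = False            # state-of-the-art encryption at rest, keys not compromised
    identifiable: bool = True          # False for hashed passwords paired with random usernames
    sensitivity: str = "personal"      # "minimal", "personal", "identity_financial" or "special"
    large_scale: bool = False          # many data subjects affected (e.g. ~200 application forms)
    recipient_trusted: bool = False    # recipient signalled the mistake and confirmed deletion
    backup: bool = True                # up-to-date, separately stored backup allows timely restoration
    availability_impact: str = "none"  # "none", "hours" (e.g. online shop) or "critical" (e.g. hospital)

LEVELS = ("none", "risk", "high")
SENSITIVITY = {"minimal": 0, "personal": 1, "identity_financial": 2, "special": 2}

def risk_level(b: Breach) -> str:
    """Assumed mapping of the article's factors onto the three GDPR risk outcomes."""
    level = 0
    # Confidentiality: exposure only matters if the data is usable and attributable to real people
    if b.exposed and not b.encrypted and b.identifiable and not b.recipient_trusted:
        level = SENSITIVITY[b.sensitivity]
        if b.large_scale:
            level = min(level + 1, 2)  # scale escalates the outcome by one tier (assumption)
    # Availability: the primary aim of ransomware; without a backup the data may be gone for good
    if b.availability_impact != "none" and not b.backup:
        level = max(level, 1)
    if b.availability_impact == "critical":
        level = max(level, 1)
    return LEVELS[level]

def obligations(b: Breach) -> dict:
    """Art. 33/34 consequences: always document; notify the SA on risk; notify individuals on high risk."""
    lvl = risk_level(b)
    return {
        "risk": lvl,
        "document": True,
        "notify_authority": lvl != "none",
        "notify_individuals": lvl == "high",
    }

if __name__ == "__main__":
    # Constructed scenarios mirroring the article: stolen encrypted tablet vs. an unprotected one
    print(obligations(Breach(exposed=True, encrypted=True)))
    print(obligations(Breach(exposed=True, sensitivity="identity_financial")))
```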
How can companies lower the risk of data breaches following mispostal?
According to the EDPB, controllers can reduce the risks of mispostal by applying a combination of the following measures:
- setting precise standards for sending e-mails/letters,
- adequate training of employees and raising of awareness,
- when sending an e-mail to multiple recipients, having them listed in the “bcc” field by default, and
- applying message delay.
What do the EDPB Guidelines mean for companies handling personal data?
The new EDPB Guidelines can help companies dealing with personal data in two ways. They provide useful recommendations not only regarding the technical and organisational measures they should implement to prevent data breaches, but also regarding the appropriate response to a data breach once the threat materialises. Since, pursuant to Art. 33 GDPR, controllers have to notify a data breach to the competent supervisory authority no later than 72 hours after having become aware of it, time is of the essence in such cases. The Guidelines can help companies swiftly take the right decision, thereby saving valuable time for urgent steps to remediate a breach and protect the exposed data.
When dealing with data breaches, companies should bear in mind two additional issues.
First, according to Art. 33 GDPR, regardless of whether a data breach triggers notification obligations, every data breach has to be documented. When assessing a data breach, supervisory authorities might first have a look into the record of past data breaches and measures taken thereafter.
Second, a data breach is not a distant possibility, but an incident that sooner or later every company could face. Therefore, companies should not only focus on measures trying to prevent a data breach, but also have procedures and teams in place in case they actually experience one. Adopting a Data Breach Policy would be a good starting point on this journey.