
B. Examples of personal data breaches and who to notify

The following non-exhaustive examples will assist controllers in determining whether they need to notify in different personal data breach scenarios. These examples may also help to distinguish between risk and high risk to the rights and freedoms of individuals.

For each example, the columns of the original table are given as: Example; Notify the supervisory authority?; Notify the data subject?; Notes/recommendations.

Example i
A controller stored a backup of an archive of personal data encrypted on a USB key. The key is stolen during a break-in.
Notify the supervisory authority: No.
Notify the data subject: No.
Notes/recommendations: As long as the data are encrypted with a state of the art algorithm, backups of the data exist, the unique key is not compromised, and the data can be restored in good time, this may not be a reportable breach. However, if it is later compromised, notification is required.

Example ii
A controller maintains an online service. As a result of a cyber attack on that service, personal data of individuals are exfiltrated. The controller has customers in a single Member State.
Notify the supervisory authority: Yes, report to the supervisory authority if there are likely consequences to individuals.
Notify the data subject: Yes, report to individuals depending on the nature of the personal data affected and if the severity of the likely consequences to individuals is high.

Example iii
A brief power outage lasting several minutes at a controller's call centre, meaning customers are unable to call the controller and access their records.
Notify the supervisory authority: No.
Notify the data subject: No.
Notes/recommendations: This is not a notifiable breach, but still a recordable incident under Article 33(5). Appropriate records should be maintained by the controller.

Example iv
A controller suffers a ransomware attack which results in all data being encrypted. No backups are available and the data cannot be restored. On investigation, it becomes clear that the ransomware's only functionality was to encrypt the data, and that there was no other malware present in the system.
Notify the supervisory authority: Yes, report to the supervisory authority, if there are likely consequences to individuals as this is a loss of availability.
Notify the data subject: Yes, report to individuals, depending on the nature of the personal data affected and the possible effect of the lack of availability of the data, as well as other likely consequences.
Notes/recommendations: If there was a backup available and data could be restored in good time, this would not need to be reported to the supervisory authority or to individuals as there would have been no permanent loss of availability or confidentiality. However, if the supervisory authority became aware of the incident by other means, it may consider an investigation to assess compliance with the broader security requirements of Article 32.

Example v
An individual phones a bank's call centre to report a data breach. The individual has received a monthly statement for someone else. The controller undertakes a short investigation (i.e. completed within 24 hours) and establishes with reasonable confidence that a personal data breach has occurred and whether it has a systemic flaw that may mean other individuals are or might be affected.
Notify the supervisory authority: Yes.
Notify the data subject: Only the individuals affected are notified if there is high risk and it is clear that others were not affected.
Notes/recommendations: If, after further investigation, it is identified that more individuals are affected, an update to the supervisory authority must be made and the controller takes the additional step of notifying other individuals if there is high risk to them.

Example vi
A controller operates an online marketplace and has customers in multiple Member States. The marketplace suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker.
Notify the supervisory authority: Yes, report to the lead supervisory authority if it involves cross-border processing.
Notify the data subject: Yes, as it could lead to high risk.
Notes/recommendations: The controller should take action, e.g. by forcing password resets of the affected accounts, as well as other steps to mitigate the risk. The controller should also consider any other notification obligations, e.g. under the NIS Directive as a digital service provider.

Example vii
A website hosting company acting as a data processor identifies an error in the code which controls user authorisation. The effect of the flaw means that any user can access the account details of any other user.
Notify the supervisory authority: As the processor, the website hosting company must notify its affected clients (the controllers) without undue delay. Assuming that the website hosting company has conducted its own investigation, the affected controllers should be reasonably confident as to whether each has suffered a breach and therefore is likely to be considered as having become aware once they have been notified by the hosting company (the processor). The controller then must notify the supervisory authority.
Notify the data subject: If there is likely no high risk to the individuals, they do not need to be notified.
Notes/recommendations: The website hosting company (processor) must consider any other notification obligations (e.g. under the NIS Directive as a digital service provider). If there is no evidence of this vulnerability being exploited with any of its controllers, a notifiable breach may not have occurred, but it is likely to be recordable or be a matter of non-compliance under Article 32.

Example viii
Medical records in a hospital are unavailable for a period of 30 hours due to a cyberattack.
Notify the supervisory authority: Yes, the hospital is obliged to notify as high risk to patients' wellbeing and privacy may occur.
Notify the data subject: Yes, report to the affected individuals.

Example ix
Personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients.
Notify the supervisory authority: Yes, report to the supervisory authority.
Notify the data subject: Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.

Example x
A direct marketing e-mail is sent to recipients in the to: or cc: fields, thereby enabling each recipient to see the email address of other recipients.
Notify the supervisory authority: Yes, notifying the supervisory authority may be obligatory if a large number of individuals are affected, if sensitive data are revealed (e.g. a mailing list of a psychotherapist) or if other factors present high risks (e.g. the mail contains the initial passwords).
Notify the data subject: Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.
Notes/recommendations: Notification may not be necessary if no sensitive data is revealed and if only a minor number of email addresses are revealed.
