With the Heartbleed web vulnerability in the tech headlines, the practical guidance issued recently by EU regulators on when to alert individuals to data breaches (and on preventive steps to reduce the risk of breaches occurring in the first place) is particularly timely. Datonomy highlights some of the key recommendations on when to make the difficult judgement call over notification.
Why the new guidance? Does it apply to your organisation?
The recent Opinion issued by the EU’s Article 29 Working Party (the body made up of national data protection regulators) concerns the ever-topical issue of personal data breach notification. Specifically, it sets out the regulators’ collective view on when data controllers should alert data subjects to a personal data breach which is likely to adversely affect those individuals’ personal data or privacy.
The guidance sets out good practice for “all controllers”. Strictly speaking, the obligation to report data breaches only applies to communications services providers under current rules; in practice, however, handling a data breach is a business-critical issue for all organisations. The illustrations in the guidance are drawn from a wide range of contexts. As well as analysing the triggers for notifying individuals that their data has been compromised, the guidance sets out practical steps to reduce the risk of breaches occurring and/or to mitigate their severity. It is therefore a must-read for all in-house counsel and their colleagues in the IT function – both in devising a data breach response plan, and in designing systems to reduce the risk of vulnerabilities in the first place.
A quick recap on breach notification obligations – current and future
Under the current rules, communications service providers (CSPs) are required:
- to report all data breaches to the regulator (within 24 hours); and
- to notify the data subject “without undue delay” when the breach is “likely to adversely affect the personal data or privacy” of that individual.
Notification to the affected individual is not required if the CSP has implemented “appropriate technological protection measures” to render the data unintelligible to any person who is not authorised to access it. The Regulation defines what constitutes “unintelligible” by reference to encryption and hashing. It does not set out specific standards, but it authorises the Commission to publish a separate indicative list of technological protection measures that are sufficient for that purpose.
As Datonomy readers will be aware, these notification obligations are likely to be formally extended to all data controllers, regardless of sector, under the draft EU Data Protection Regulation.
However, notification of data breaches, both to the regulator and to affected individuals, is already an important practical consideration for all organisations from a damage limitation point of view. While not risk-free, voluntary notification to the regulator and to individuals may help to mitigate the sanctions imposed by a regulator where a data controller has suffered a data breach as a result of falling short of its data security obligations under the UK Data Protection Act.
Wide-ranging illustrations of when a breach is “likely to adversely affect” a person’s privacy
The guidance sets out seven different and wide-ranging breach scenarios. These include: loss of laptops containing medical data and financial data; web vulnerabilities exposing life insurance and medical details; unauthorised access to an ISP’s customers’ details including payment details; disclosure of hard copy credit card slips; unauthorised access to subscribers’ account data both through unauthorised disclosure and through coding errors on a website. Whilst not exhaustive, these worked examples do provide useful analysis of the different types of harm which could trigger the obligation to notify individuals.
The guidance breaks the analysis down into three different categories of data breach, and gives illustrations of the adverse privacy effects of each type. These are:
Confidentiality breach: unauthorised disclosure of or access to personal data which can lead to ID theft, phishing attacks, misuse of credit card details, compromise of other accounts or services which use the same log in details and a wide range of other detrimental effects on the individual’s family and private life and work prospects. Most of the examples focus on confidentiality breach.
Availability breach: accidental or unlawful destruction or loss – which can lead to disruption and delay and even financial loss. (The illustrations of financial loss, and the consideration of “secondary effects” in a data availability context, will also be of interest to those negotiating liability provisions in commercial deals which involve the handling of personal data.)
Integrity breach: the alteration of personal data – which can lead to serious consequences for medical and customer data.
The distinction is significant, particularly as the need to notify individuals about confidentiality breach can be mitigated or eliminated by the use of appropriate encryption – see below.
The guidance also stresses the need to consider likely “secondary effects” of a breach which may not appear in itself to adversely affect privacy. The example given here is of the hacking of a music service website. While the direct effect may be limited (leak of names, contact details and users’ musical preferences) it is the secondary effect – the fact that passwords have been compromised, and that users may use the same passwords across other accounts – which creates the need to notify individuals of the breach.
Prevention better than cure: practical steps to avoid the need to report breaches to individuals
In relation to each scenario, the guidance sets out examples of appropriate safeguards to reduce the risk of such breaches occurring in the first place and/or to mitigate their privacy impact. As noted above, notification to individuals is not required if a data controller can satisfy the regulator that the data has been rendered unintelligible. Common themes which run through these practical recommendations include:
- Encryption: First and foremost, the guidance emphasises the need for appropriate, state-of-the-art encryption with a sufficiently strong and secret key.
- Secure storage of passwords: salted and using a state-of-the-art cryptographic hash function. Simply hashing passwords is unlikely to meet the “unintelligible” data exemption from notification.
- Password policies: requiring stronger password choices for users, and requiring password resets whenever passwords are compromised.
- Vulnerability scanning: to reduce the risk of hacks and other breaches.
- Regular backups: to mitigate the effects of an availability breach.
- Systems and process design: to reduce the risk of breach and/or mitigate its effects – the examples given include dissociation of medical information from individuals’ names.
- Access controls: Limiting global access, and restricting access to databases on a “need to know” and “least privilege” basis – including minimising access given to vendors for system maintenance.
- Staff training: e.g. on how to delete data securely.
- Incident management policies: the guidance also highlights the importance of good incident management policies in limiting the duration and effects of data breaches.
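The password storage recommendation above is the most concrete technical point in the list, so here is an added illustration of what it means in practice. This is example code written for this post, not text or code from the Working Party Opinion; the iteration count, salt length and record format are assumptions chosen for the example. It contrasts a plain, unsalted hash (where every user with the same password gets the same digest, so a leaked table is cheap to reverse with precomputed lookups) with a per-user random salt and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library), and shows how a stored record can be recognised as needing an upgrade when the iteration policy is raised.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed policy values for this example; tune to your own hardware and risk appetite.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """Plain, unsalted SHA-256 of the password.

    Identical passwords give identical digests across all users, so a leaked
    table can be attacked with precomputed lookups. This is the approach the
    guidance says is unlikely to count as rendering the data 'unintelligible'.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare
    in constant time. Malformed or unknown-scheme records never verify."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy, so it can be
    re-derived transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("naive, same for every user:", naive_hash(pw) == naive_hash(pw))
    r1, r2 = hash_password(pw), hash_password(pw)
    print("salted, distinct per user:", r1 != r2)
    print("verifies:", verify_password(pw, r1), "rejects wrong:", verify_password("nope", r1))
```

On a successful login, check `needs_rehash` and store a fresh `hash_password` record if it returns True; that is how an existing user base is migrated when the iteration count is raised, without forcing a reset. Forced resets remain the right response once a password database is known to have been exposed, as the guidance recommends.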
Be proactive and plan!
The new Opinion provides organisations with helpful guidance on making the difficult judgement call over when to notify customers and other individuals about breaches of their personal information. Perhaps even more importantly, it sets out some of the minimum preventive standards that regulators expect data controllers to adopt in order to demonstrate that they have implemented “appropriate” security measures under the current rules. The Opinion urges data controllers to “be proactive and plan appropriately”. The guidance will help organisations decide when they need to alert individuals – but it is having a crisis management team and a (rehearsed) action plan in place that will enable a calm and swift response, should a data breach arise.