Blog » DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
09 April 2018
If data leakage, data theft or other breach happens at your company and it is likely to result in a risk to the data subjects’ rights, you have to report it to the supervisory authority. If this risk is likely to be high you shall as well inform the affected persons. In this article we mention 5 things that you need to consider when you decide about whether you should notify the authority or the data subjects.
1. The characteristics of your organization
When assessing the risk of a data breach it is worth to start with your own organization, particularly with your business activities and the personal data you hold.
Naturally, the risk of a data breach is not the same in the case of a producer company who engages in business to business transactions as in case of an e-shop who stores financial data of individuals.
To give another example imagine that due to a cyber-attack your data records are not available for several hours. If it prevents you from sending your weekly newsletter, probably the affected persons will not consider it as a tragedy. However, if you are a health service provider and you cannot access your patients’ medical records for hours, it may have serious consequences to them.
2. The type of the breach
The type of the particular data breach may affect how severe its consequences are. However, there are not exact ‘rules’ as we cannot declare for sure that a confidentiality breach when data is accessed by unauthorized persons is riskier than an availability breach when you cannot access your data.
For example, if you are a party organizer and your employee accidently deleted your VIP contact list, it may be a big trouble for you but probably not as big for your customers. However, if this VIP contact list is put to a public website I can imagine that your customers would be very upset as every journalist will know how to reach them.
On the other hand, if medical information has been accessed by unauthorized persons, it may have different consequences for the patient compared to an availability breach where the patient’s medical records have been irreversibly deleted.
3. The nature and sensitivity of the personal data
The key factor when assessing the risk is the type and sensitivity of the personal data that has been affected by the breach.
As a main rule the more sensitive the compromised personal data is (eg. fingerprints) the higher the risk of the data breach is. The disclosure of a name and an e-mail address is not likely to cause substantial damage under normal circumstances.
If the breach involves a combination of personal data, for example identity and financial details, it can have probably more serious consequences as if only a single data (eg. home address) is disclosed.
4. The severity of consequences for data subjects
The potential consequences of a data breach may be damage to reputation, humiliation or in more serious cases even fraud or identity theft.
The possible consequences may vary depending on the nature of the compromised data (eg. sensitive data) or in case of a confidentiality breach on the person of the recipient.
The incident is more serious if the personal data gets into the hands of hackers whose intentions are probably malicious. Of course, the accidental disclosure to an unauthorized recipient is also considered as a data breach, but if this recipient informs you and cooperates, harm to the data subject is less likely.
5. The number of affected data subjects
The number of the individuals affected by the data breach influences its level of the risk. Generally, the higher the number of the affected data subjects is, the more serious the data breach is.
You can imagine that the risk is not the same if one employee’s records have been sent to a wrong department as if your whole customer list including contact and financial details is accessed by an unauthorized person.
However, in certain cases a data breach can have a severe impact to even one data subject, for example if his extremely sensitive data (eg. sexual orientation) has been compromised.
To sum it up, when you are deciding about whether to notify the supervisory authority about the data breach, you should consider at least the above aspects. However, you have to bear in mind, that there is no golden rule, all cases must be examined individually.
HOW NOT TO CONCLUDE AN INTERNATIONAL SALES CONTRACT? – OUR CLIENT’S CASE IN FRONT OF THE CURIA
Can the raw material supplier be liable for defects, if the specification is incomplete, but he knows what the end-product is? Who has to prove this under the Vienna Convention on the International sale of goods? These questions were decided by the Hungarian Supreme Court in the case of our Italian client, against a Hungarian company.Read more »
GDPR PENALTY FORECAST – OUR PRESENTATION AT BELGABIZ
How often did the Hungarian Data Protection Authority impose penalties in the last five years? What was the average amount of penalties? Will be there any change after 25th May 2018, when the GDPR comes into force? We addressed these questions in our presentation made at BELGABIZ.Read more »
HOW NOT TO USE CCTV AT WORKPLACE? – 15 MILLION FINE FOR AUCHAN HUNGARY
Auchan Hungary started this year with a HUF 15 Million data breach fine for operating CCTV at workplace in breach of data protection principles. Given that CCTV lies in the heart of GDPR entering into force in May 2018, it is worth to learn from the Auchan case so that you can avoid a similar penalty in Hungary.Read more »