Blog » DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
09 April 2018
If data leakage, data theft or other breach happens at your company and it is likely to result in a risk to the data subjects’ rights, you have to report it to the supervisory authority. If this risk is likely to be high you shall as well inform the affected persons. In this article we mention 5 things that you need to consider when you decide about whether you should notify the authority or the data subjects.
1. The characteristics of your organization
When assessing the risk of a data breach it is worth to start with your own organization, particularly with your business activities and the personal data you hold.
Naturally, the risk of a data breach is not the same in the case of a producer company who engages in business to business transactions as in case of an e-shop who stores financial data of individuals.
To give another example imagine that due to a cyber-attack your data records are not available for several hours. If it prevents you from sending your weekly newsletter, probably the affected persons will not consider it as a tragedy. However, if you are a health service provider and you cannot access your patients’ medical records for hours, it may have serious consequences to them.
2. The type of the breach
The type of the particular data breach may affect how severe its consequences are. However, there are not exact ‘rules’ as we cannot declare for sure that a confidentiality breach when data is accessed by unauthorized persons is riskier than an availability breach when you cannot access your data.
For example, if you are a party organizer and your employee accidently deleted your VIP contact list, it may be a big trouble for you but probably not as big for your customers. However, if this VIP contact list is put to a public website I can imagine that your customers would be very upset as every journalist will know how to reach them.
On the other hand, if medical information has been accessed by unauthorized persons, it may have different consequences for the patient compared to an availability breach where the patient’s medical records have been irreversibly deleted.
3. The nature and sensitivity of the personal data
The key factor when assessing the risk is the type and sensitivity of the personal data that has been affected by the breach.
As a main rule the more sensitive the compromised personal data is (eg. fingerprints) the higher the risk of the data breach is. The disclosure of a name and an e-mail address is not likely to cause substantial damage under normal circumstances.
If the breach involves a combination of personal data, for example identity and financial details, it can have probably more serious consequences as if only a single data (eg. home address) is disclosed.
4. The severity of consequences for data subjects
The potential consequences of a data breach may be damage to reputation, humiliation or in more serious cases even fraud or identity theft.
The possible consequences may vary depending on the nature of the compromised data (eg. sensitive data) or in case of a confidentiality breach on the person of the recipient.
The incident is more serious if the personal data gets into the hands of hackers whose intentions are probably malicious. Of course, the accidental disclosure to an unauthorized recipient is also considered as a data breach, but if this recipient informs you and cooperates, harm to the data subject is less likely.
5. The number of affected data subjects
The number of the individuals affected by the data breach influences its level of the risk. Generally, the higher the number of the affected data subjects is, the more serious the data breach is.
You can imagine that the risk is not the same if one employee’s records have been sent to a wrong department as if your whole customer list including contact and financial details is accessed by an unauthorized person.
However, in certain cases a data breach can have a severe impact to even one data subject, for example if his extremely sensitive data (eg. sexual orientation) has been compromised.
To sum it up, when you are deciding about whether to notify the supervisory authority about the data breach, you should consider at least the above aspects. However, you have to bear in mind, that there is no golden rule, all cases must be examined individually.
CAN THE EMPLOYER EXPAND THE EMPLOYEES’ DUTIES WITHOUT CHANGING THE JOB DESCRIPTION IN HUNGARY?
The position and tasks of the employee are one of the key elements of the employment contract and are typically recorded in the job description. It is often a matter of dispute between the parties whether the employer can unilaterally modify the job description at all, and if so, to what extent. In a recent court decision, a Hungarian appellate court addressed the above question in a situation where the employer supplemented the employee's tasks with new tasks similar to his existing tasks. In this article, we analyse the recent decision on this matter.Read more »
CAN A HARSH FACEBOOK COMMENT BE A LAWFUL GROUND FOR DISMISSAL IN HUNGARY?
Social media platforms significantly changed the ways how people express their opinions: sharing views became easier than ever. On the one hand, this is positive, but on the other hand, it is also dangerous in the employment context, as the employee's opinion may be prejudicial to the employer's interests. A recent decision of the Hungarian Supreme Court gives answer to the question whether the employer can dismiss the employee for expressing his opinion on Facebook.Read more »
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.Read more »