Blog » DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
09 April 2018
If data leakage, data theft or other breach happens at your company and it is likely to result in a risk to the data subjects’ rights, you have to report it to the supervisory authority. If this risk is likely to be high you shall as well inform the affected persons. In this article we mention 5 things that you need to consider when you decide about whether you should notify the authority or the data subjects.
1. The characteristics of your organization
When assessing the risk of a data breach it is worth to start with your own organization, particularly with your business activities and the personal data you hold.
Naturally, the risk of a data breach is not the same in the case of a producer company who engages in business to business transactions as in case of an e-shop who stores financial data of individuals.
To give another example imagine that due to a cyber-attack your data records are not available for several hours. If it prevents you from sending your weekly newsletter, probably the affected persons will not consider it as a tragedy. However, if you are a health service provider and you cannot access your patients’ medical records for hours, it may have serious consequences to them.
2. The type of the breach
The type of the particular data breach may affect how severe its consequences are. However, there are not exact ‘rules’ as we cannot declare for sure that a confidentiality breach when data is accessed by unauthorized persons is riskier than an availability breach when you cannot access your data.
For example, if you are a party organizer and your employee accidently deleted your VIP contact list, it may be a big trouble for you but probably not as big for your customers. However, if this VIP contact list is put to a public website I can imagine that your customers would be very upset as every journalist will know how to reach them.
On the other hand, if medical information has been accessed by unauthorized persons, it may have different consequences for the patient compared to an availability breach where the patient’s medical records have been irreversibly deleted.
3. The nature and sensitivity of the personal data
The key factor when assessing the risk is the type and sensitivity of the personal data that has been affected by the breach.
As a main rule the more sensitive the compromised personal data is (eg. fingerprints) the higher the risk of the data breach is. The disclosure of a name and an e-mail address is not likely to cause substantial damage under normal circumstances.
If the breach involves a combination of personal data, for example identity and financial details, it can have probably more serious consequences as if only a single data (eg. home address) is disclosed.
4. The severity of consequences for data subjects
The potential consequences of a data breach may be damage to reputation, humiliation or in more serious cases even fraud or identity theft.
The possible consequences may vary depending on the nature of the compromised data (eg. sensitive data) or in case of a confidentiality breach on the person of the recipient.
The incident is more serious if the personal data gets into the hands of hackers whose intentions are probably malicious. Of course, the accidental disclosure to an unauthorized recipient is also considered as a data breach, but if this recipient informs you and cooperates, harm to the data subject is less likely.
5. The number of affected data subjects
The number of the individuals affected by the data breach influences its level of the risk. Generally, the higher the number of the affected data subjects is, the more serious the data breach is.
You can imagine that the risk is not the same if one employee’s records have been sent to a wrong department as if your whole customer list including contact and financial details is accessed by an unauthorized person.
However, in certain cases a data breach can have a severe impact to even one data subject, for example if his extremely sensitive data (eg. sexual orientation) has been compromised.
To sum it up, when you are deciding about whether to notify the supervisory authority about the data breach, you should consider at least the above aspects. However, you have to bear in mind, that there is no golden rule, all cases must be examined individually.
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »
EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?Read more »
CAN THE NON-COMPETITION AGREEMENT BE VALID WITHOUT A PRECISE COMPENSATION IN HUNGARY?
The non-compete agreement may provide protection of the legitimate economic interests of the employer even after the termination of employment relationship. However, the Hungarian Labour Code lays down strict requirements for the agreement. In our article we analyse a recent decision of the Supreme Court about the importance of the precise determination of the compensation, so you as an employer can conclude a valid non-compete agreement.Read more »