Blog » MAYDAY, MAYDAY – DATA BREACH INCIDENT
MAYDAY, MAYDAY – DATA BREACH INCIDENT
26 March 2018
You may think that a data breach incident can only be a consequence of a cybercriminal attack like malware or ransomware. However, among particular circumstances a simple human error, like losing a company laptop can be considered as a data breach. In this short article we explain you what exactly a data breach is and how to handle such an unwanted situation to be GDPR proof.
1. What is a personal data breach?
To understand what a data breach incident is you may remember the acronym ‘CIA’. And here I do not mean the US Central Intelligence Agency, but it stands for confidentiality, integrity and availability. Indeed, personal data breach is when the confidentiality, the integrity and / or the availability of personal data is concerned.
Confidentiality is infringed when the data is disclosed to or accessed by an unauthorised person, for example if due to a hacker attack your customer list is published on a publicly available website.
An integrity breach happens if the personal data is unauthorizedly or accidently altered, like in the case when a patient’s blood type is changed in a medical record which of course may have serious consequences.
In case of an availability breach, access to personal data is lost or the data is destroyed. This is the case when you lose or crush a USB stick which contained the only copy of your contact list.
2. Be able to detect a data breach
The basis of handling a data breach correctly is that you are able to recognize one. In order to do so, you need to have internal processes in place.
Your processes shall include technical measures for example a firewall which can filter traffic or a log analyser that may filter unauthorised access.
Organizational measures are as important as technical ones. For instance, if your employees are not aware that they immediately need to report the loss of a company laptop, you will not be in a situation to decide whether this is an incident and make further steps if necessary.
3. Notify the supervisory authority
Once you have detected a data breach, you must decide whether you shall notify the supervisory authority or not. This should be a very quick decision as in default you need to notify the supervisory authority within 72 hours after you became aware of the breach.
As a controller you can only avoid notifying the supervisory authority if the data breach is unlikely to result in a risk to data subjects’ rights and freedoms. This is the case for example when a USB stick was stolen on which you stored a copy of employee records in an encrypted folder.
In case there is a risk that data subjects’ rights can be infringed due to the data breach you have to notify the supervisory authority without undue delay. For instance, if login names and passwords of your customers are put to a public website by a hacker, there is no doubt that you must report it to the supervisory authority.
4. Notify the data subjects
In certain cases, you not only need to notify the supervisory authority but also the data subjects affected by the data breach.
This is the case when the data breach is likely to result in a high risk to the individuals’ rights and freedoms. To remain at the previous example if the login names and passwords of your customers are put to a public website due to a hacker attack, you must inform them so that they would be able to change their password.
The method of informing the data subjects depends on the particular circumstances of the case. Direct communication to the affected person (eg. e-mail or SMS) is preferred unless it would cause a disproportionate effort, for example because of the huge number of the data subsects. In the latter case public communication, like a statement on the company webpage may be applied.
5. Document the data breaches
Controllers need to record all data breaches and the documentation may be examined by the supervisory authority.
Your data breach incident records must contain at least the description of the breach, the affected personal data, the effects of the breach and the remedial actions.
It is advised to include a short justification in case the breach was not reported to the supervisory authority or if you decided not to inform the data subjects. In case you notified the supervisory authority (or also the affected individuals) it is a good practice to add when and how the notification happened.
To sum up the above, even an unintended human mistake can have serious consequences to personal data and thus lead to a data breach incident. To handle those situations correctly, a sufficient incident response plan will be a must in the future in order to be GDPR-ready.
CAN THE EMPLOYER EXPAND THE EMPLOYEES’ DUTIES WITHOUT CHANGING THE JOB DESCRIPTION IN HUNGARY?
The position and tasks of the employee are one of the key elements of the employment contract and are typically recorded in the job description. It is often a matter of dispute between the parties whether the employer can unilaterally modify the job description at all, and if so, to what extent. In a recent court decision, a Hungarian appellate court addressed the above question in a situation where the employer supplemented the employee's tasks with new tasks similar to his existing tasks. In this article, we analyse the recent decision on this matter.Read more »
CAN A HARSH FACEBOOK COMMENT BE A LAWFUL GROUND FOR DISMISSAL IN HUNGARY?
Social media platforms significantly changed the ways how people express their opinions: sharing views became easier than ever. On the one hand, this is positive, but on the other hand, it is also dangerous in the employment context, as the employee's opinion may be prejudicial to the employer's interests. A recent decision of the Hungarian Supreme Court gives answer to the question whether the employer can dismiss the employee for expressing his opinion on Facebook.Read more »
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.Read more »