GDPR Technical Series #5: Personal Data Breach Detection and Notification on Feb 14, 2019
In the previous post of this GDPR series, we discussed personal data and some of the challenges in accurately finding such data. Now we turn our attention to another important requirement in GDPR: personal data breach notification.
First, some clarifications in terminology are in order. Here we clarify the differences between the following terms:
- Security Incident or Hack – a security incident or hack could be any break-in to or exposure of an organization’s systems and resources. Not all security incidents have a privacy impact. The majority do not.
- Data Exposure or Data Leak – a data exposure or data leak is an inadvertent exposure of data such that it is available to people other than those for whom it is intended. Such a leak or exposure could be caused by a missing or misconfigured security rule or by an insider inadvertently sending information outside the organization. Once discovered, a data leak has to be treated the same as a data breach, as the impact could be the same.
- Data Breach – a data breach is caused by an unauthorized actor getting access to data. The data might or might not be personal data, but is still considered a data breach.
- Personal Data Breach – A personal data breach is a data breach that includes data associated with individuals. This is the type of breach that is governed by the GDPR breach notification requirements.
GDPR’s Article 33 addresses breach notification, stating, “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…”
Article 33 also requires the controller to give as much information about the nature and impact of the breach as possible at notification time. Most importantly, the controller needs to report the approximate number of data subjects (individuals, such as customers) affected, providing the number is available or can be approximated.
Detecting a personal data breach goes beyond just standard monitoring. Standard monitoring does not take into account the nature of the data that has been breached. Typical monitoring products raise alerts on unusual and unauthorized access to particular resources – computer systems, databases etc. Standard monitoring does not specifically analyze the nature of the data whose access is being monitored.
To be effective at detecting and alerting unauthorized access to personal data, the controller has to undertake an effort first to find and keep an inventory of the location of the personal data elements in an organization. Without prior deep scanning for personal data, monitoring alerts will result in a lot of false positives. Avoiding time-consuming false positives in monitoring is a key reason why an integrated scanning and monitoring solution would be ideal for controllers to put in place for the detection of personal data breaches required by GDPR.
The second reason for a controller to perform a comprehensive scan for personal data in the context of breach notification is to comply with the GDPR requirement to include details about the breach as part of the notification. The number of data subjects affected by the breach is an important item to report, yet getting counts of the number of unique data subjects affected by a breach is a non-trivial exercise.
Also useful for controllers affected would be the types of personal data the breach has impacted. Identifying personal data types enables the controller to take corrective action as early as possible. For example, in the case of the 2017 Equifax breach, the list of personal data elements the company originally reported as having been stolen was expanded in early 2018. The new data elements revealed as stolen included Taxpayer Identification Numbers, issue dates and state of issuance for drivers’ licenses, and email addresses. The new revelations significantly broadened the reported impact of the breach. An accurate scan and inventory of the locations of personal data would have reduced the need for the company to have to expand the list of stolen personal data items.
Two key aspects of breach notification are the controller reporting the number of unique impacted data subjects as well as identifying what types of personal data elements were exposed. Data subjects and their rights play a central role in GDPR. We will turn to a discussion of data subject rights in the next post of this series.