How to deal with a data breach from a legal perspective

Cyber-attacks are becoming increasingly sophisticated. Despite the increasing complexity of some data breaches and the shift in tone of the surrounding media attention, it remains possible to regain the trust of stakeholders if a data breach is well managed.

Why is it so important to establish the point at which the organisation becomes aware of the breach?

Prioritise establishing the point at which the organisation becomes aware of the breach because Art. 33(1) of the GDPR sets out that the controller shall notify the competent supervisory authority no later than 72 hours after having become aware of a data breach that may result in a risk to the rights and freedoms of natural persons (note that the GDPR may also apply to non-EU based entities processing personal data of EU citizens).

If the controller cannot provide all the information at the same time (typically the case with a data breach caused by a ransomware attack), it may provide it in phases.

Processors shall notify controllers without undue delay (e.g., no later than 24 hours).

What is a breach log and why is it so important to maintain?

It is also imperative to maintain a breach log or record because Art. 33(5) obliges controllers to document any personal data breach. Besides, a breach log helps demonstrate compliance with the accountability duties.

Keeping such a record will also help, both at a corporate level and at a general interest level, to gain a better understanding of the causes of data breaches in order to implement more appropriate, effective, and sophisticated remedies in the future.

What is the test that determines whether the Regulator needs to be notified and whether the data subjects need to be notified?

Controllers shall notify the competent data protection authorities of a data breach unless the relevant data breach is unlikely to result in a risk to the rights and freedoms of data subjects. This means that controllers shall assess whether to notify the Regulator.

The Guidelines on personal data breach notification under Regulation 2016/679 and the Guidelines 01/2021 on examples regarding personal data breach notification give some illustrations in this regard. For instance, a controller is not required to notify the loss of an encrypted device, but it must notify a ransomware attack (unless the attack only affected encrypted systems).

Therefore, the assessment is whether the data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

Besides, a further assessment shall also be conducted regarding whether it is necessary to communicate a data breach to the affected individuals. This assessment is whether the data breach is likely to result in a high risk to the rights and freedoms of natural persons.

Since the Regulator may require controllers to carry out such communication, a wait-and-see strategy would be to notify the Regulator first and communicate to the individuals only if it so requests. However, this strategy does not fit the accountability obligations, and in certain cases it is obvious that data subjects must be notified.

In any event, this can be an opportunity to show a company’s ethics and transparency, and it is always better that a data subject learns of the breach from the company than from the press.

When choosing the regulator, one should first assess whether it is a cross-border breach, including where it affects countries outside the EU.

Regarding EU cross-border breaches, controllers shall notify the Supervisory Authority of the main establishment, which will act as the lead supervisory authority and the sole interlocutor of the controller. Note that the lead supervisory authority may be different from the authority where the affected data subjects are located or where the breach has taken place.

Finally, one should also confirm national requirements. For instance, in Spain public entities may have to notify data breaches to specific local regulators.

What are the potential consequences for a controller if it fails to notify the relevant authorities of a breach when required to do so?

Consequences of a data breach may be categorized as follows:

1. Legal consequences: Art. 83(4) of the GDPR sets out that infringements of data breach provisions shall be subject to fines up to €10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover (whichever is higher). Besides, depending on the consequences of the data breach, other GDPR provisions may also be infringed, making it a very severe infringement (where fines could reach up to €20,000,000 or 4% of worldwide annual turnover, likewise whichever is higher).
2. Reputation consequences: Beyond these administrative fines, a significant reputational crisis may arise from a data breach, since it generally involves a loss of trust that must be properly managed and countered. Note that in certain EU countries sanctions may be subject to official publication (e.g., this applies in Spain vis-à-vis sanctions above €1,000,000), and the media is usually responsive to this.
3. Financial consequences: These are closely related to legal and reputation consequences and may involve loss of users or clients, loss of profits, or recovery and restitution costs, among others.
4. Other consequences: Further consequences may arise, particularly if the data breach affected a public institution (diplomatic, institutional, or governmental, among others).

Examples of the level of fines that have been issued in the EU

First, it is important to mention that there is no data breach infringement per se. This means that a data breach may involve the infringement of different provisions: for instance, failure to implement security measures, or failure to notify the Regulator or communicate to data subjects. Besides, the intensity of the breach in terms of negligence, type of data, number of affected persons, etc., will have an impact on the fine.

Beyond that, the different national Regulators may have different perceptions or sensitivities.

In Spain:

  • €52,000 for not ensuring integrity and confidentiality, lack of technical and organizational measures, and late notification.
  • €4,000,000 to Vodafone for sending copies of nine customers’ SIM cards to a fraudulent third party.

In Germany:

  • €20,000 for late reporting of a data breach, as well as non-notification of the data subjects.
  • €900,000 TELECOM: unauthorized persons could obtain other customers’ data due to a lack of authentication during customer service.

In France:

  • €1,500,000 DEDALUS: health data of nearly 500,000 persons accessible to anyone due to a lack of access control on a web server.
  • €6,000 for breach of the obligation to ensure data security and lack of notification.

Finally, a security breach could lead to claims both from individuals and from companies (e.g., regarding confidential information).

Sergio de Juan-Creix
Partner – Lawyer, Croma
Tech-Media-Telecoms in Spain