Personal data breaches can be very costly, both reputationally and financially. Industry analysts in the United States estimate that the global average cost to a company of a data breach is $3.9 million. In Europe, one of the most significant and well-publicised changes brought about by the implementation of the General Data Protection Regulation (“GDPR”) in May 2018 was a significant increase in the quantum of fines for a breach. Under the GDPR (and its equivalent legislation in the UK after Brexit), if there is a serious infringement a relevant supervisory authority may issue fines of up to the greater of €20 million or 4% of a company’s worldwide annual revenue from its preceding financial year.
By way of example, in October 2020 the Information Commissioner’s Office (“ICO”) announced a fine of £20 million for a well-known British airline for a personal data breach. This was the largest fine issued in ICO history and its first major fine since the GDPR became law in the UK.
Despite the GDPR requiring organisations to pay more attention to the personal data that they collect, hold and process, personal data breaches are still prevalent. All organisations, big and small, have become increasingly technology dependent and data driven. This reliance on data creates greater scope for errors in respect of data processing. Cyber-criminals have also become more sophisticated. It is therefore arguably almost inevitable that even the best managed organisations will, at some point, become a victim of data crime leading to a data breach.
In this insight we examine the seven key steps an organisation should take as soon as it suspects a personal data breach. If these steps are followed, the chance of minimising the impact of a breach will be increased, potential fines and remedial costs reduced, and negative press minimised. These steps will also assist in getting an organisation back to normal operations sooner after a breach has occurred.
As soon as a suspected personal data breach has been identified, the DPO, or other qualified person responsible for managing the company’s personal data, should be alerted. A personal data breach does not need to involve a third party attacker. Internal failures can also lead to data breaches, such as when personal data is sent to an incorrect recipient (e.g. emails or post sent to the wrong person or address), or when devices such as work mobiles or laptops containing personal data are lost or stolen.
The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed” (Article 4.2).
It is essential to act quickly when a personal data breach occurs, as failure to act can lead to increased financial and reputational damage. Forensic research in the United States shows that a breach lifecycle under 200 days costs $1.2 million less than a lifecycle over 200 days. Alarmingly, the average time to identify a breach was found to be 206 days, while the average time to contain a breach was 73 days.
It is worth noting that an organisation should keep a record of the details of any personal data breach regardless of whether or not it is a breach that an organisation is obliged to notify to a relevant regulatory authority.
As soon as an organisation becomes aware of a breach, technical and operational measures to contain the breach should be taken without delay. Expert assistance should be sought at this time too, and it is likely that some or all of the following actions will be necessary to contain the breach: disconnecting the affected systems, disabling remote access, changing credentials/passwords, segregating payment processing and business critical devices, restricting non-essential internet traffic, and notifying relevant third-party providers (for example, banks).
The organisation should then commence an investigation to understand how the breach has occurred. This investigation should establish whose personal data has been compromised (i.e. the identity of the individuals), how much personal data has been compromised (i.e. how many individuals are affected), and the type of personal data compromised. The investigation should seek to identify how long the compromise has persisted, and the source and cause of the attack. The analysis may be carried out internally or via a third-party data expert. However, the analysis must take place quickly because of the 72 hour regulatory notification requirement set out further in step 3 below.
As part of the investigatory exercise, the data security measures in place immediately prior to, and at the time of, the attack should be noted. If the organisation has a press officer or communications team, it would be sensible to bring the relevant person(s) up to speed so that they can prepare any briefing materials alongside the DPO.
If the organisation has an internal or regular external lawyer, that person should also be involved, as should a C-suite representative. We regularly represent organisations when they discover a data breach has occurred.
When investigating the breach, it is important that you do not inadvertently destroy valuable forensic data which may be used by investigators to determine how and when the breach occurred. This information is likely to assist in preventing a breach from recurring in the future, for example by identifying network weaknesses that can be secured to prevent similar future attacks.
If the business has cyber insurance in place, you should refamiliarise yourself with the policy terms so as to ensure that the organisation correctly follows the processes for making a claim under that policy. Notifying the insurer within a specified time frame may also be a requirement of the policy.
Under the requirements of the GDPR, where there has been a personal data breach by a data controller (the party that determines the purpose for which personal data will be processed, and the manner in which it will be processed) which results in a “risk to the rights and freedoms of natural persons” the data controller must notify the relevant supervisory authority of the breach “without undue delay and, where feasible, not later than 72 hours after having become aware [of the breach]”.
Guidance is given in the GDPR (Recitals 75 and 85) as to what might constitute a risk to the rights and freedoms of natural persons. These include loss of control over their personal data; limitation of their rights; discrimination; identity theft or fraud; financial loss; unauthorised reversal of pseudonymisation; damage to reputation; loss of confidentiality of personal data protected by professional secrecy; and any other significant economic or social disadvantage to those individuals.
The relevant supervisory authority in the United Kingdom is the ICO. If a personal data breach is identified by a data processor (the party that processes the data on behalf of the controller), the data processor does not need to notify the ICO, and instead must notify the data controller. It is a legal requirement that a contract is in place between the data processor and the data controller in connection with the data processing. The contractual procedures for notifying the data controller of a breach should therefore be checked and, if present, followed.
The GDPR provides that information may be provided to the ICO in phases where it is not possible to fully investigate a breach within 72 hours. Where this applies, a reason for the delay must be included in the original notification to the ICO. The notification will need to contain information prescribed by the GDPR: a description of the nature of the personal data breach, including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned; the name and contact details of the DPO, or the responsible person, from whom more information can be obtained; a description of the likely consequences of the personal data breach; and a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
As the notification to the ICO needs to be made within the 72 hour regulatory window, this item should be considered a priority action, and the steps which enable the notification to be made should all be carried out promptly with a view to collecting the information necessary to comply with this reporting requirement. A failure to notify a breach where it is required to do so could lead to an organisation receiving a significant fine of the greater of £8.7 million or 2 per cent of the organisation’s global turnover.
If your organisation is a data controller, the DPO, or the responsible person, should inform any data subjects whose personal data has been affected by the breach where the risk to the rights and freedoms of those data subjects is high, provided that no exceptions apply.
If your organisation is a data processor, the DPO, or the responsible person, should notify the responsible person stated in the data processing agreement with the controller. The data controller is then obliged to make arrangements, if appropriate, for the notification of the data subjects.
An exception to the notification obligation may apply where appropriate technical measures or organisational protections were in place at the time of the breach (for example, where the data was encrypted and the data controller has taken immediate action to ensure the risk to the data subjects will not materialise). Further, an organisation may make a general public announcement instead of an individual communication where notifying each data subject individually would involve disproportionate effort.
The communication with the data subjects (if your organisation is a data controller) or the third party controller (if your organisation is a data processor) should include the contact details of the DPO, or the responsible person, details of the nature and scope of the breach, the estimated likely impact of the breach, the actions already implemented to contain and mitigate the breach, and the actions due to be initiated to further minimise the impact of the breach. Further details should be included in the notification that are relevant to the investigation.
Once the DPO, or the responsible qualified person, has carried out the initial investigation needed to notify the ICO and the data subjects, or the relevant data controller, the business should carry out a deep-dive to confirm the results of the initial checks, along with a gap analysis to identify any systemic vulnerabilities.
Any steps put in place to contain and mitigate the breach should be checked to ensure that they are sufficient.
Where new or additional measures are identified, these should be implemented with a view to stopping and preventing any existing or further unauthorised access to personal data. The DPO should be made aware of any new discoveries arising from this workstream and may, as a result, need to provide equivalent updates to the ICO and the data subjects, or the relevant data controller.
Once the personal data breach has been investigated, reported, notified and contained, the organisation should seek to implement any recommended changes or best practices coming out of the deep-dive audit, and should carry out regular reviews of existing and new practices on an ongoing basis with a view to preventing further breaches. It is also likely that the organisation will need to implement a considered communications plan to mitigate any negative news fall-out or reputational impact.
Regardless of whether your organisation has suffered a personal data breach, it is good practice to plan ahead and to take certain proactive steps to get prepared in case of a breach.
The following items are examples of actions that we would recommend your organisation considers ahead of time:
In summary, careful consideration, ahead of time, of the actions that you will need to take in the event of a personal data breach will help you to respond to a breach in a timely and organised manner. An organised and systematic approach, combined with an understanding of your regulatory obligations, will reduce the financial and reputational harm caused to your organisation by a personal data breach.
Whether or not you are reading this because your organisation has had its personal data compromised, if you are a UK based data controller or a data processor and if data is key to your organisation, please get in touch with us by email or phone. Our contact details are set out below. With many years of experience in advising organisations on personal data issues, we are well placed to help you protect your organisation from the unwanted consequences of a personal data breach.