In January the European Data Protection Board (‘EDPB’) published its “Guidelines 01/2021 on Examples regarding Data Breach Notification” which are open for public consultation until 2 March 2021. The guidelines do what they say on the tin and are replete with case studies based on common types of data breach. Despite our break-up with Brussels, UK privacy practitioners will doubtless find the guidelines a useful reference tool as they signal regulatory expectations when it comes to how to handle breaches and factors to consider when assessing risk.
The EDPB guidelines are especially welcome given that it’s been over three years since the Article 29 Working Party (‘WP29’) first produced its general “Guidelines on personal data breach notification” back in October 2017. Readers will recall that those WP29 guidelines included, at Annex B, some fairly useless examples of data breaches and who to notify – ‘useless’ because the outcomes were obvious to most practitioners and included little detail or nuance.
These new EDPB guidelines aim to fill some of the gaps. They’re intended to supplement the WP29 guidelines and provide “practice-orientated, case-based guidance” drawn from the collective experience of Supervisory Authorities (‘SAs’) since the implementation of GDPR. So less of the abstract theory to which we’re accustomed from many regulators, and more practical guidance drawing on examples of breaches that typically land on their desks.
The EDPB guidelines first walk through the nuts and bolts of recognising a breach, categorising it by reference to the ‘CIA triad’ (i.e. Confidentiality, Integrity and Availability), determining the effects on data subjects, as well as addressing risk assessments and the controller’s GDPR obligations. They also emphasise the importance of preparation, clear reporting lines and allocation of responsibilities in the response effort, as well as regular training and awareness-building in the workplace.
The case studies are, however, the main attraction. They are divided into six broad categories which, in turn, are sub-divided by variations in the underlying facts. Doing so recognises that risk assessments (and resulting obligations) are fact-specific and will vary even where the attack vector remains the same. Here they are:
- Ransomware with proper backup and without exfiltration
- Ransomware without proper backup
- Ransomware with backup and without exfiltration in a hospital
- Ransomware without backup and with exfiltration
Data exfiltration attacks
- Exfiltration of job application data from a website
- Exfiltration of hashed password from a website
- Credential stuffing attack on a banking website
Internal human risk source
- Exfiltration of business data by a former employee
- Accidental transmission of data to a trusted third party.
Lost or stolen devices and paper documents
- Stolen material storing encrypted personal data
- Stolen material storing non-encrypted personal data
- Stolen paper files with sensitive data
- Snail mail mistake
- Sensitive personal data sent by mail by mistake
- Personal data sent by mail by mistake
- Snail mail mistake
Other Cases – Social Engineering
- Identity theft
- Email exfiltration
In each case the guidelines address prior measures and risk assessments, followed by mitigation and obligations. Each of the six broad categories then concludes with a list of “advisable measures”; i.e. a non-exhaustive list of controls which controllers might want to consider in order to fix vulnerabilities and prevent / mitigate the impacts of the attack.
Whilst these examples are a vast and welcome improvement on those in previous guidelines, they have their limitations. Care should be taken to resist the temptation to extrapolate too much from them given that risk assessments turn on the facts. There are also many incidents which don’t feature in the guidelines – be them variations on existing case studies, or others based on entirely different attack vectors. Be that as it may, they’re still worth a read.
This document ... reflects the common experiences of the SAs of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.