The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures. Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals. The Guidelines are currently open for public consultation.
The Guidelines include different versions of the most common types of data security incidents, including ransomware, data exfiltration attacks, insider threats, lost or stolen devices, and exfiltration of emails. We note for reference that the specifics of individual incidents vary, and as such, different conclusions might be applicable in different matters depending on those specifics. For reference, however, we include below a high-level summary of notable examples from the draft EDPB Guidelines:
- Ransomware with proper backup and no exfiltration. In a ransomware incident where an organization, with the help of forensics experts, determines with certainty that the intruder only encrypted data without exfiltrating it and a backup is readily available, the Guidelines indicate that the organization can make the determination that the incident should only be recorded in its internal register and no notifications are necessary.
- Ransomware with backup and no exfiltration in a hospital. Similar to the first example, a hospital is able to determine with certainty that the intruder only encrypted data without exfiltrating it. However, the restoration of the data lasts a couple of days, leading to delayed medical procedures and affecting services. The Guidelines flag this case as an example of a ransomware attack with high risk to the rights and freedoms of individuals, requiring both documentation in the internal register, as well as notification to both the supervisory authority and affected individuals.
- Exfiltration of hashed passwords from a website. The server of a cooking website is exploited using a SQL injection vulnerability, leading to the exfiltration of approximately 1,200 hashed and salted passwords. Although the confidentiality of the data has been compromised, the Guidelines flag this as an example of an incident that does not require notification (to supervisory authorities or affected individuals), given the strong hash, the fact that the salt was not compromised, and the fact that individuals were nonetheless notified informally and advised to change their passwords.
- Accidental transmission of data to a trusted third party. Due to faulty settings in Excel, an insurance agent is able to view personal data belonging to a low number of customers who are not his. The insurance agent, who is bound by professional secrecy, flags this issue to the controller of the personal data, deletes the erroneous Excel file, and confirms the same in writing to the controller. In this case, the low number of affected individuals, coupled with the immediate detection of the incident and the subsequent mitigating measures, does not result in any risk to individuals. Therefore, this incident need only be documented in the organization’s internal register.
Aside from providing a useful benchmarking tool for addressing security incidents and personal data breaches, the Guidelines offer valuable insight into the EDPB’s most important risk considerations when determining the notification strategy following a security incident. Importantly, many of the examples outlined in the Guidelines do not require notification to supervisory authorities or affected individuals. This confirms that a risk assessment should be conducted – and documented – carefully following each security incident, and that notification to competent supervisory authorities (and affected individuals) should only be made where such an assessment identifies a risk (or high risk) to the rights and freedoms of individuals.