The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures.  Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals.  The Guidelines are currently open for public consultation.

The Guidelines include different versions of the most common types of data security incidents, including ransomware, data exfiltration attacks, insider threats, lost or stolen devices, and exfiltration of emails.  We note for reference that the specifics of individual incidents varies, and as such, different conclusions might be applicable in different matters depending on those specifics.  However, for reference, we include below a high-level summary of notable examples from the draft EDPB Guidelines below:

  • Ransomware with proper backup and no exfiltration.  In a ransomware incident where an organization, with the help of forensics experts, determines with certainty that the intruder only encrypted data without exfiltrating it and a backup is readily available, the Guidelines indicate that the organization can make the determination that the incident should only be recorded in its internal register and no notifications are necessary.
  • Ransomware with backup and no exfiltration in a hospital.  Similar to the first example, a hospital is able to determine with certainty that the intruder only encrypted data without exfiltrating it. However, the restoration of the data lasts a couple of days, leading to delayed medical procedures and affecting services.  The Guidelines flag this case as an example of a ransomware attack with high risk to the rights and freedoms of individuals, requiring both documentation in the internal register, as well as notification to both the supervisory authority and affected individuals.
  • Exfiltration of hashes passwords from a website.  The server of a cooking website is exploited using a SQL injection vulnerability, leading to the exfiltration of approximately 1,200 hashed and salted passwords.  Although the confidentiality of data has been compromised, the Guidelines flag this as an example of an incident that does not require notification (to supervisory authorities or affected individuals), given the strong hash, the fact that the salt was not compromised, and the fact that individuals were nonetheless notified informally and advised to change their passwords.
  • Accidental transmission of data to a trusted third party.  Due to faulty settings in Excel, an insurance agent is able to view personal data belonging to a low number of customers that are not his.  The insurance agent, who is bound by professional secrecy, flags this issue for the controller of the personal data, deletes the erroneous Excel file, and confirms the same in writing for the controller.  In this case, the low number of affected individuals, coupled with the immediate detection of the incident and subsequent mitigating measures does not result in any risk to individuals.  Therefore, this incident must only be documented in the organization’s internal register. 

Aside from providing a useful benchmarking tool for addressing security incidents and personal data breaches, the Guidelines offer valuable insight into the EDPB’s most important risk considerations when determining the notification strategy following a security incident.  Importantly, many of the examples outlined in the Guidelines do not require notification to supervisory authorities or affected individuals.  This confirms that a risk assessment should be conducted – and documented – carefully following each security incident, and that notification to competent supervisory authorities (and affected individuals) should only be made where such assessment identified a risk (or high risk) to the rights and freedoms of individuals.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Author

Julia advises both German and international companies on all legal issues related to information technology, sourcing, data privacy and data protection, e-commerce, marketing and matters related to Internet and media law. She assists international online businesses with regard to commercial issues as well as compliance with consumer protection and data privacy law.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.