Despite low staffing levels, the Dutch Data Protection Authority [Autoriteit Persoonsgegevens - “Dutch DPA”] still managed to publish eleven fines in 2021. Many of these fines were imposed for sub-par security measures and/or failures to report or late reporting of data breaches. Time for a refresher on data breaches.
In this blog, the author will outline the requirements for reporting data breaches, based on information gleaned from three fining decisions. This shows the areas on which the Dutch DPA focuses in its assessments. The three fining decisions are:
- PVV Overijssel: EUR 7,500
- Booking.com: EUR 475,000
- Transavia: EUR 400,000
Succinctly put, the three decisions demonstrate that the prevention or remediation of data breaches is first and foremost an issue that needs to be tackled in-house. The primary aim is to make sure the security measures are up to standard, all in-house procedures are in place and employees have been instructed to observe all measures and processes. The suitability of these measures and processes must be subjected to regular assessment.
If an incident occurs, it is essential that the incident is classified as swiftly as possible. Only then will it be possible to determine what steps must - by law - be taken.
What is a data breach?
The GDPR defines the term ‘personal data breach’ as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
It follows that even if the loss or exposure of the data is accidental, the incident can still qualify as a personal data breach. One oft-used example in this context is the thumb drive left on a train.
The question that must always be asked is whether the breach actually involved personal data. If not, there may still be a security incident that needs to be taken care of, but the incident does not constitute a personal data breach that must be reported under the GDPR. Basically, all data breaches are security incidents, but not all security incidents are necessarily data breaches.
The European Data Protection Board (“EDPB”) recently published a list citing examples of personal data breaches. These examples may provide information useful in determining whether or not a breach constitutes a personal data breach.
Obligation to notify the Dutch DPA
The controller must notify a data breach to the Dutch DPA not later than 72 hours after having become aware of it. That is the main rule. An exception applies when it can be demonstrated that “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
The purpose of the obligation to notify is to give the controller and the authority the time and opportunity to address the breach properly, so that the data subjects involved incur as little harm as possible. Factors to be taken into consideration in answering the question whether a data breach does (or is likely to) result in harm for the data subjects include the nature and extent of the processing affected by the breach and the reliability of any recipient.
Case: PVV Overijssel
An assistant of the Overijssel branch of the PVV political party sent an email to 101 recipients. An open distribution list caused the email addresses of all recipients to be visible. The failure to use the ‘BCC’ field may be considered a data breach, particularly when the email sent discloses political beliefs. One data subject whose address was thus disclosed filed a complaint with the Dutch DPA. This is how the watchdog learned that the breach had not been notified.
Unlike the PVV, the Dutch DPA did take the view that the data breach disclosed personal data, to wit the political beliefs, of the recipients, a factor that appears to have played a major part in the DPA's decision. After all, according to the DPA, “material damage or non-material damage (...) must be deemed to be likely when the breach involves personal data relating to the political beliefs of the data subjects affected”. Factors that add to the likelihood of harm are the nature and the role of the political party as the controller. A final consideration for the Dutch DPA in reaching its decision was that this case concerned a relatively large number of recipients.
The primary aim of the 72-hour period is to encourage controllers to act immediately on becoming aware of a breach so as to mitigate its adverse effects, to remedy the compromised personal data where possible and to seek the advice of the supervising authority. The GDPR does acknowledge the fact that controllers do not always have all information relating to the data breach at their fingertips within 72 hours after having become aware of it, as the full details of the incident do not in all cases become available within that time frame. For this reason, the information may be provided in phases.
Case: Booking.com
In this case, even the provision of information in phases proved cumbersome. The well-known booking site was no fewer than 22 days late in reporting a data breach after an unknown third party had gained access to the booking system by pretending to be a Booking.com employee. It turned out that this third party had gained access to the data of over 4,000 people, and the credit card details of 283 people. Booking.com's in-house privacy team was not apprised of the incident until over three weeks later. The data breach was notified to the Dutch DPA a day later, on 7 February 2019.
The Dutch DPA is of the opinion that Booking.com's Security Team should have been notified immediately after the first incident, which took place on 9 January 2019, all the more so because there were tell-tale clues that personal data had been breached and because the organisation's own protocol required it. A second incident, on 13 January 2019, clearly confirmed the need for immediate notification. This also appeared to follow from internal communications, which made mention of a “SECURITY BREACH”. Therefore, Booking.com's argument that it had not become aware of the breach until 4 February 2019 was not accepted by the Dutch DPA.
Obligation to notify data subjects
Under certain circumstances, the controller is required to notify the data subjects involved as well as the supervising authority. This is the case when “the personal data breach is likely to result in a risk to the rights and freedoms of natural persons”. It follows that the threshold for notifying a data breach to data subjects is higher than the threshold for notifying a data breach to the authorities.
Again, the specific circumstances of the case matter, such as the nature and the extent of the processing. The list of examples provided by the Dutch DPA allows for the conclusion that the personal data breach that afflicted the PVV Overijssel should have been notified to the data subjects involved, as the breach concerned personal data of a special nature.
Apart from that, any incident, irrespective of whether it is notifiable, must at all times be recorded in an internal document, such as a register of data breaches. Any entry in such a register should include the reasons for not notifying the incident to the authorities. That way, when held accountable, the controller will be able to demonstrate that it at the very least gave the matter consideration.
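The decision logic of the two notification sections above (is personal data involved; is a risk unlikely; does the higher threshold for notifying data subjects apply; 72 hours from becoming aware; always record in the register) as an added Python triage helper. This is example code written for this blog, not a tool of the Dutch DPA or of any of the companies named; the sample incidents are constructed, the PVV date is hypothetical, and for Booking.com the assumption that the controller became aware on 13 January 2019 (the second incident) is what reproduces the 22-day delay quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DPA_WINDOW = timedelta(hours=72)  # notify the DPA not later than 72 hours after awareness


@dataclass
class Incident:
    name: str
    personal_data: bool        # is personal data involved at all?
    risk: bool                 # False only if a risk to data subjects is "unlikely"
    high_risk: bool            # the higher threshold that triggers notifying data subjects
    aware_at: datetime         # moment the controller became aware of the breach
    notified_dpa_at: Optional[datetime] = None


def triage(inc: Incident) -> dict:
    """Return the register entry for an incident: classification, duties, deadline."""
    entry = {"name": inc.name, "recorded_in_register": True}  # every incident is recorded
    if not inc.personal_data:
        entry["classification"] = "security incident (no personal data breach)"
        entry["notify_dpa"] = entry["notify_subjects"] = False
        entry["reason"] = "no personal data affected"
        return entry
    entry["classification"] = "personal data breach"
    entry["notify_dpa"] = inc.risk
    entry["notify_subjects"] = inc.risk and inc.high_risk
    if not inc.risk:
        entry["reason"] = "unlikely to result in a risk to data subjects"  # keep in register
        return entry
    deadline = inc.aware_at + DPA_WINDOW
    entry["dpa_deadline"] = deadline.strftime("%Y-%m-%d %H:%M")
    if inc.notified_dpa_at is not None:
        # whole days beyond the deadline; 0 if notified in time
        entry["days_late"] = max((inc.notified_dpa_at - deadline).days, 0)
    return entry


# Constructed samples. PVV date is hypothetical; Booking.com awareness date is assumed to be
# the second incident (13 Jan 2019); its high_risk flag is an assumption, not from the decision.
SAMPLES = {
    "pvv": Incident("PVV Overijssel mailing", True, True, True, datetime(2021, 1, 1)),
    "booking": Incident("Booking.com impersonation", True, True, True,
                        datetime(2019, 1, 13), datetime(2019, 2, 7)),
    "test_data": Incident("lost thumb drive with synthetic test data", False, False, False,
                          datetime(2021, 1, 1)),
}


def triage_samples() -> dict:
    return {key: triage(inc) for key, inc in SAMPLES.items()}
```

Running `triage_samples()` yields a deadline of 16 January 2019 and 22 days late for the Booking.com sample, both notification duties for the PVV sample, and a register-only entry for the incident without personal data.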
Does every personal data breach result in a fine?
The fact that a data breach constitutes an instance of unlawful processing does not mean that blame attaches to every single data breach. If the controller is able to prove that all reasonable steps were taken to avoid possible data breaches, no DPA will rush into taking enforcement measures.
A major example of a reasonable step can be found in Article 32 GDPR, which calls for appropriate security measures. The term ‘appropriate’ is understood to include all relevant circumstances, such as the nature of the data to be processed and the state of the art in the industry. It is therefore a fallacy that by definition all conceivable measures must be taken to achieve a level of security appropriate to the risk. The EDPB publication referred to earlier mentions several security measures that may prove relevant in specific situations.
Case: Transavia
The Dutch DPA imposed a fine on the airline Transavia over a personal data breach. The reason for the fine was not the data breach itself, but rather the fact that the breach could occur due to insufficient security measures. As a result, a third party could potentially have gained access to the personal data of 25 million passengers. It was found that this third party actually downloaded the personal data of 83,000 people.
The third party was able to access the IT systems because those systems did not use multi-factor authentication. The password used to access the systems was very simple to guess. In addition, the access rights were not segmented, so one account gave access to multiple systems. The Dutch DPA held that a professional market party like Transavia should have been expected to have better technical and organisational measures in place to ensure information security.
In summary, the Dutch DPA held that in view of the state of the art at the time of the breach, Transavia could certainly have implemented measures to ensure a level of security appropriate to the risk. Given the massive scale of the processing of personal data at Transavia, the Dutch DPA deemed Transavia's security measures to be insufficient, which led to a risk, and in this case a realised one, to the rights and freedoms of data subjects.
The three decisions demonstrate that the prevention or remediation of data breaches is first and foremost an issue that needs to be tackled in-house. The primary aim is to make sure the security measures are up to standard, all in-house procedures are in place and employees have been instructed to observe all measures and processes. The suitability of these measures and processes must be subjected to regular assessment.
If an incident occurs, it is essential that the incident is classified as swiftly as possible. Only then will it be possible to determine what steps must - by law - be taken. Preferably, this is done - as quickly as possible - by a team of experts consisting of, for example, a lawyer, a privacy officer, a security officer and/or a Data Protection Officer (in an advisory role).
Regardless of the steps that need to be taken in the end, each incident must be recorded in an internal register.