
Data Breach Management


This article is written by Stephen Omondi Okong’O

Cyberspace is the global, interconnected network of computers and related networks that anyone can access; it includes private systems, corporate networks, and commercial internet services. Advances in technology mean that a person can now perform almost any task, from shopping to negotiating a contract to simply chatting with others, using only a computer or mobile phone. On registration, many of these services require users to provide identifying information such as full names, addresses, and, in some cases, financial details.

When people transact with the outside world, for example by purchasing a book or a film, they expose their personal data to risk. Service providers and the supervisory authority are responsible for ensuring that data subjects' fundamental rights are respected and that any explicit consent they give is genuinely informed (Article 49(1)(a) GDPR).

Article 4(12) of the General Data Protection Regulation (GDPR) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Data breach management is the procedure for preventing, detecting, assessing and responding to such breaches, including the notification duties set out in Article 33.


Personal data is any information relating to an identified or identifiable natural person (Article 4(1)).

Information about a legal person such as a company is not personal data, but any data a business holds that can identify its employees or customers is still subject to the law. The GDPR does not apply to deceased persons (Recital 27; Member States may adopt their own rules). Online identifiers such as Internet Protocol (IP) addresses can be personal data (Recital 30).

Data subjects are living natural persons who can be identified, directly or indirectly, from the information. "Processing" means any operation performed on personal data, whether or not by automated means.

Article 4(2) lists examples: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction. The Regulation applies to processing that is wholly or partly automated, and to manual processing of personal data that forms part of, or is intended to form part of, a filing system (Article 2(1)). The "data controller" is the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)).

A data processor is a natural or legal person that processes personal data on behalf of a controller (Article 4(8)).

Any person or organisation that is neither the controller nor the processor is a third party. The distinction matters because it determines which data protection obligations apply and to whom. The EDPB has confirmed that the entity determining the purposes and means of processing may differ from one processing activity to the next.

Breach of Confidentiality

Examples: during a cyber-attack, customers' personal data is published online; an email containing sensitive data is sent to the wrong recipients.

Because a device was not securely wiped before disposal, personal data became accessible to an unauthorised third party; or a hard drive holding the controller's backup customer database is lost or stolen.

Integrity Breach

An integrity breach occurs when an attacker gains access to the controller's database and modifies it, when an employee accesses a data file and deletes or adds records, or when documents containing personal data are altered by someone not authorised to do so.

Availability Breach

The controller's database is compromised and all of the data is lost with no means of recovery. Other examples: a technical fault prevents access to a client database; a physical disaster stops a hospital from reaching its patient database; ransomware has encrypted the only copy of a controller's data set.

Processing personal data creates risk for individuals, communities, businesses, and society. A data protection impact assessment (DPIA) is performed on a proposed project, policy, or programme to determine the level of privacy risk it poses and to help develop a strategy to reduce or eliminate that risk.

A DPIA should lead to decisions that eliminate, reduce, transfer, or otherwise address threats to personal data. One should be conducted for any project involving the collection, storage, sharing, or transfer of personal data, and revised as the project progresses or new risks emerge. The Council of Europe framework provides for assessing data protection impacts in Article 10(2) of the modernised Convention 108. Article 35 GDPR likewise requires an impact assessment where processing is likely to result in a high risk to individuals' rights and freedoms.

The following are the key preventive measures for dealing with data breaches:

  1. Minimise the data that is collected, accessed, and stored.
  2. Securely erase data that is no longer needed.
  3. Secure mobile devices, including encryption and timely updates and patches.
  4. Use a VPN to protect network traffic.
  5. Keep hardware and software maintained and up to date.
  6. Supervise contractors and processors.
  7. Create policies and explain them thoroughly to staff.
  8. Control access, and plan for incident response and disaster recovery.
  9. Audit.

Investigate the security incident to establish what happened: when, who was involved, and where.

  1. Intrusion detection and alerts.
  2. Determine the root cause: was the breach caused by an outdated antivirus program, a phishing email, malware entering through an open firewall port, or an employee who unintentionally disclosed personal data?
  3. Forensic analysis, followed by internal audit reporting and escalation.


  1. Is this a personal data breach?
  2. Sensitivity of the data: what are the most likely consequences of the breach for those affected? How many people were affected, and how long did the breach go unnoticed?

Do we need to notify the supervisory authority? Must we communicate with the data subjects? How will this be done?


  1. Change passwords and isolate affected systems as soon as possible; take compromised websites offline where possible.
  2. Verify that no systems remain at risk and fix the underlying problems.
  3. Document everything along the way.
  4. Take corrective action to prevent a recurrence.
  5. Notify internal and external parties.
  6. Encourage discussion while outlining potential solutions and mitigating measures.

Notification of a Personal Data Breach (Article 33 GDPR)

The GDPR requires the controller to notify the supervisory authority (DPA) of a personal data breach unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

1) When the controller becomes aware of a personal data breach, it must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.

Notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of natural persons, but the breach and the reasoning must still be documented.

2) The processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)).

Examples of low-risk security incidents

An encrypted USB stick is stolen: the breach is unlikely to result in a risk as long as the encryption is strong, the key has not been compromised, and a backup copy exists.

A power outage disrupts call-centre operations and data is temporarily unavailable.

Publication of information that was already publicly available.

Examples of High-Risk Situations


Customer details and purchase history are published online following a theft from an international marketplace.

Following a cyber-attack, a hospital's patient files are unavailable for 30 hours.

Personal data of more than 1,000 students is inadvertently sent to the wrong list of recipients.

Notifying the supervisory authority

The processor must notify the controller without undue delay (Article 33(2); the processing contract required by Article 28 should spell out how), so that the controller can meet its own 72-hour deadline. The 72 hours run from the point at which the controller has a reasonable degree of certainty that a breach has occurred, so both controller and processor should invest in prompt detection and response.

The following information must be provided to the supervisory authority (Article 33(3)):

  1. The nature of the breach, including the categories and approximate number of data subjects and of personal data records concerned.
  2. The name and contact details of the DPO or another point of contact.
  3. The likely consequences of the breach.
  4. The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Staged notification

Where the information cannot be provided all at once, it may be provided in phases without undue further delay (Article 33(4)). Typically the initial notification is made within 72 hours and further detail, such as the technical analysis, follows in later stages.

A notification made after 72 hours must be accompanied by the reasons for the delay; one acceptable explanation is that several similar breaches are being notified together.

Communicating the breach to data subjects

When a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate it to the data subjects without undue delay (Article 34(1)).

Article 34(3) sets out when communication is not required: where the data was protected by measures such as encryption that render it unintelligible to unauthorised persons, where subsequent measures mean the high risk is no longer likely to materialise, or where individual communication would involve disproportionate effort (in which case a public communication is used instead). Risk assessment is therefore central to the decision.

What specific information must we provide?

The name and contact details of the DPO or another point of contact, and a description of the likely consequences of the personal data breach.

A description of the measures taken (or proposed) to address the personal data breach, including measures to mitigate its possible adverse effects.

What Is Meant By "Communication"?

Direct communications such as letters, emails, SMS or direct messages; prominent website banners or notifications; prominent print advertisements; and, where needed, the use of multiple channels and of templates in several languages.

Is there anything else the controller should do in the event of a data breach?

The controller must document every personal data breach, including the facts relating to it, its effects, and the remedial action taken. This documentation enables the supervisory authority to verify compliance with Article 33 (Article 33(5)).

Personal data breaches can be recorded in the organisation's security incident log/register.
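The register the article recommends can be kept as a small structured record rather than a free-text log, so that the 72-hour clock, the risk-based decision on who must be told, staged notification and the Article 33(5) record are all enforced in one place. The following is an added example and not the article's or LegaMart's own tool; the three risk tiers, the four keys used to summarise Article 33(3) content, the status names and both sample incidents are assumptions made for illustration.

```python
"""Personal-data-breach register modelling the GDPR Art. 33/34 workflow described in the
article: 72-hour clock from awareness, risk-based decision on who must be told, staged
notification (Art. 33(4)) and the Art. 33(5) record. Added example, not the article's or
LegaMart's own tool; risk tiers, the four Art. 33(3) keys and sample incidents are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    UNLIKELY = "unlikely"  # no notification, but still recorded (Art. 33(5))
    RISK = "risk"          # notify the supervisory authority (Art. 33)
    HIGH = "high"          # also communicate to the data subjects (Art. 34)


# Art. 33(3) content, summarised under four assumed keys.
ART33_3_ITEMS = ("nature", "dpo_contact", "likely_consequences", "measures")
NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class Breach:
    ref: str
    aware_at: datetime      # moment of awareness; starts the 72-hour clock
    risk: Risk
    facts: str              # Art. 33(5): facts relating to the breach
    effects: str            # Art. 33(5): its effects
    remedial_action: str    # Art. 33(5): remedial action taken
    # Staged notifications to the authority: (sent_at, {item: text}).
    notifications: list = field(default_factory=list)

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW

    def must_notify_authority(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def must_communicate_to_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def notify(self, sent_at: datetime, **items: str) -> None:
        """Record one, possibly partial, notification to the supervisory authority."""
        unknown = set(items) - set(ART33_3_ITEMS)
        if unknown:
            raise ValueError(f"not Art. 33(3) content: {sorted(unknown)}")
        self.notifications.append((sent_at, dict(items)))

    def outstanding(self, now: datetime) -> tuple:
        """Art. 33(3) items not yet supplied as of `now`."""
        given = {}
        for sent_at, items in self.notifications:
            if sent_at <= now:
                given.update(items)
        return tuple(i for i in ART33_3_ITEMS if i not in given)

    def status(self, now: datetime) -> str:
        if not self.must_notify_authority():
            return "record-only"
        sent = sorted(s for s, _ in self.notifications if s <= now)
        if not sent:
            return "overdue" if now > self.deadline() else "pending"
        if sent[0] > self.deadline():
            return "late"  # Art. 33(1): notification must give the reasons for the delay
        return "staged" if self.outstanding(now) else "complete"


def needing_action(register: dict, now: datetime) -> list:
    """References whose authority notification is pending, overdue, late or incomplete."""
    return [ref for ref, b in register.items() if b.status(now) not in ("record-only", "complete")]


def example_register() -> dict:
    """Constructed scenario, keyed by reference, built from two cases the article mentions."""
    aware = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    hospital = Breach("BR-2023-001", aware, Risk.HIGH,
                      facts="Ransomware encrypted the only copy of the patient file store.",
                      effects="Patient files unavailable; treatment delayed.",
                      remedial_action="File servers isolated; restore from offline backup.")
    # Stage 1 within 72 h with what is known; stage 2 once the technical analysis is in.
    hospital.notify(aware + timedelta(hours=20),
                    nature="Availability breach: ransomware", dpo_contact="dpo@example.org")
    hospital.notify(aware + timedelta(days=5),
                    likely_consequences="Delayed care for roughly 3,000 patients",
                    measures="Offline backups restored, credentials reset, EDR deployed")
    # Encrypted USB stick lost, key safe, copy retained: recorded but not notified.
    usb = Breach("BR-2023-002", aware + timedelta(days=1), Risk.UNLIKELY,
                 facts="Encrypted USB stick lost; key not compromised; copy retained.",
                 effects="None expected.", remedial_action="Key rotated as a precaution.")
    return {b.ref: b for b in (hospital, usb)}


def example_statuses() -> dict:
    """Status of each entry nine days after the first breach came to light."""
    reg = example_register()
    now = reg["BR-2023-001"].aware_at + timedelta(days=9)
    return {ref: b.status(now) for ref, b in reg.items()}
```

The design choice worth noting is that `status()` only counts notifications sent on or before the time it is asked about, so the same register can answer "where did we stand at the 72-hour mark?" during a later review, and a first notification sent after the deadline is flagged as "late" rather than silently accepted, since Article 33(1) requires the reasons for the delay to accompany it.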
