EU watchdog issues guidance on the notification of data breaches to individuals

Out-Law News | 04 Apr 2014 | 3:05 pm | 3 min. read

Businesses should consider the "likely secondary effects" of a data breach when determining whether to notify individuals about those cases, according to new guidance issued by an EU privacy body.

The Article 29 Working Party, a committee made up of representatives from national data protection authorities, said that the secondary effects of a breach should be considered as part of a business's assessment of whether that breach is likely to have an adverse effect on the "personal data or the privacy of the data subjects".

It said businesses should inform individuals if they experience a data breach that is likely to have an adverse effect on their privacy.

"Data breaches should be notified to the data subjects if the breach is likely to adversely affect the personal data or the privacy of the data subjects," the Working Party said. "Thus, all the potential consequences and potential adverse effects on the data subjects should be taken into account."

The Article 29 Working Party's recommendations are contained in a new opinion it has published on personal data breach notification (15-page / 395KB PDF). It said that it would be "good practice" for all organisations to follow the guidance included within it.

The guidance is specifically relevant to providers of publicly available electronic communications services in the EU as it relates to EU laws that require those businesses to report personal data breaches under certain circumstances.

Under changes to EU law that came into force in August 2013, all providers of publicly available electronic communications services in the EU have to inform national regulators within 24 hours of detecting a personal data breach they have experienced. The companies must supply the regulator with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected.

The telecoms businesses also generally have to notify individuals affected by a personal data breach "without undue delay" in cases where the breach is "likely to adversely affect the personal data or privacy" of those individuals.

Factors such as the type of personal data that has been breached, the likely consequences of the breach for individuals, and the circumstances of the breach, such as whether the data has been stolen or where the provider knows the information is in the hands of an unauthorised third party, should be assessed to determine whether a breach is likely to adversely affect individuals' privacy, according to the Regulation.

However, the businesses are exempt from having to notify individuals about data breaches if they can show regulators to their satisfaction that the use of "technological protection measures" has rendered the breached data "unintelligible to any person who is not authorised to access it".

The Article 29 Working Party's new guidance includes examples of mock data breaches and their potential consequences and effects, and explains why, in those cases, businesses ought to inform individuals about them. It also sets out example safeguards businesses could have implemented in those mock cases to mitigate the risks associated with those breaches.

The guidance also contains examples of when publicly available electronic communications service providers may be able to rely on the 'unintelligible data' exemption against notifying individuals.

Those cases include where certain personal data, such as passwords, have been "securely hashed and salted", or where data has been encrypted and the 'key' to decrypt the information is not compromised in a breach and cannot otherwise be "ascertained by available technological means by any person who is not authorised to access the key", the Working Party said.
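The 'unintelligible data' exemption turns on whether the breached form of the data still discloses the original. The following added example, which is not from the opinion or from Out-Law, shows the difference for stored passwords: the same password stored as a bare SHA-256 digest gives every user who chose it an identical digest, and a small precomputed table (here a constructed four-word list) maps those digests straight back to the password, whereas a per-user random salt fed through PBKDF2 gives each user a distinct digest that such a table cannot match. The user records, password values and wordlist are constructed for the example; the functions use only the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed sample records: plaintext passwords appear here only so the
# example can show both storage forms side by side.
SAMPLE_USERS = {
    "alice": "Summer2014",
    "bob": "Summer2014",   # same password as alice
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a precomputed digest table of common passwords.
COMMON_WORDLIST = ["password", "123456", "Summer2014", "letmein"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def unsalted_hash(password: str) -> str:
    """Bare SHA-256 of the password: deterministic, so identical across users."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: unique per (password, salt) pair."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_unsalted(users: dict) -> dict:
    """Records an assessor would find if passwords were stored as plain digests."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Records with a fresh 16-byte random salt per user, kept beside the digest."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def verify_salted(record: tuple, candidate: str) -> bool:
    """Normal login check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(digest, salted_hash(candidate, salt))


def table_matches(records: dict, wordlist: list) -> dict:
    """Assessor's check: which unsalted digests are directly resolvable from a
    precomputed table of common passwords (i.e. the data is still intelligible)."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in records.items() if digest in table}


def duplicate_digest_users(records: dict) -> list:
    """Users whose stored digests collide, which leaks that they share a password."""
    seen = {}
    for user, digest in records.items():
        seen.setdefault(digest, []).append(user)
    return sorted(users for users in seen.values() if len(users) > 1)


def salted_digests_all_distinct(records: dict) -> bool:
    """With per-user salts, even identical passwords must yield distinct digests."""
    digests = [digest for _, digest in records.values()]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    plain = store_unsalted(SAMPLE_USERS)
    print("unsalted digests resolved from table:", table_matches(plain, COMMON_WORDLIST))
    print("users sharing a digest:", duplicate_digest_users(plain))
    salted = store_salted(SAMPLE_USERS)
    print("salted digests all distinct:", salted_digests_all_distinct(salted))
    print("alice login with correct password:", verify_salted(salted["alice"], "Summer2014"))
```

Running the script shows alice and bob resolved from the table and flagged as sharing a digest under the unsalted scheme, while the salted records stay distinct and only verify for the correct password. The salt is not secret and is stored beside the digest; what makes the salted form a candidate for the exemption is that no precomputed table can be reused across users, so each record would have to be attacked individually at the chosen work factor.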

The watchdog confirmed that the obligation to report data breaches to individuals can be triggered where just one person is likely to be adversely affected by the breach, and added that there may be occasions when data that is already publicly available is further disclosed in a way that triggers the need to own up to a data breach.

Businesses are not obliged to inform individuals who are not affected by a data breach about that data breach, the Working Party said. However, it said it was important that organisations consider just who is likely to be adversely affected by a breach because a failure to notify individuals who should be informed of a breach may cause those individuals "distress".

All businesses will face a duty to report data breaches to regulators and individuals under certain circumstances if proposed new EU data protection laws are introduced as currently envisaged.

Recent research by Ovum on behalf of data security business Vormetric found that fewer than one in 10 mid-to-large businesses in the UK, France and Germany "feel safe from insider threats". According to the survey, 42% of IT decision makers in the UK said that system, database and network administrators, among other "privileged users", "pose the biggest risk to their organisation".

"Controlling access to data poses a broad threat for organisations," a statement issued by Vormetric said. "For some, non-technical employees with legitimate access to sensitive data and IT assets are the biggest risk (49%), while for others even executive management such as the CFO or CEO are the top risk (29%)."

However, almost half of the respondents (47%) said that detecting "insider threat incidents" is now more difficult than it was in 2012.