On 14 December 2021, the European Data Protection Board ("EDPB") adopted the new "Guidelines 01/2021 on examples regarding personal data breach notification" (the "Guidelines").
The Guidelines are intended to complement those already adopted by the "Article 29 Working Party" in 2017, entitled "Guidelines on personal data breach notification under Regulation 2016/679", and they reflect the common experiences of the supervisory authorities of the European Economic Area.
The primary purpose of the Guidelines is to provide, through a practical and concrete approach that includes case studies, a set of useful recommendations to help data controllers and data processors decide how to handle a data breach and which factors to consider during the risk assessment.
In particular, the EDPB Guidelines focus on data breaches arising from different and frequent causes, such as:
- ransomware attacks: in these cases, malicious code encrypts the personal data, and the attacker subsequently asks the data controller for a ransom in exchange for the decryption code. The Guidelines classify this kind of attack as a breach of availability, pointing out that a breach of confidentiality could often occur as well;
- data exfiltration attacks: these attacks exploit vulnerabilities in services offered by the data controller to third parties over the internet, and are typically aimed at copying, exfiltrating and abusing personal data for some malicious end. Hence, the Guidelines indicate that such attacks are mainly breaches of confidentiality and, possibly, also of data integrity;
- internal human risk source: the role of human error in personal data breaches is highlighted because it occurs so commonly. Since these types of breaches can be both intentional and unintentional, the Guidelines stress that it can be very hard for data controllers to identify the vulnerabilities and adopt measures to avoid them;
- lost or stolen devices and paper documents which contain personal data: in these cases, the Guidelines indicate that data controllers have to take into consideration the circumstances of the processing operation, such as the type of data stored on the device, the supporting assets, and the measures taken prior to the breach to ensure an appropriate level of security. All of these elements affect the potential impacts of the data breach. According to the Guidelines, these kinds of breaches can always be classified as breaches of confidentiality. However, if there is no backup for the stolen database, then the breach can also be a breach of availability and a breach of integrity;
- mispostal: in these cases too, the risk source is an internal human error, but no malicious action led to the breach; it is the result of inattentiveness. The Guidelines specify that little can be done by the data controller after it has happened, so prevention is even more important in these cases than for other breach types.
For each of the above-mentioned risk hypotheses, the Guidelines provide concrete examples, indicating the preventive measures to be adopted and the possible actions to be taken to mitigate damage in the event of a data breach, as well as the technical and organisational measures to be implemented.