Data Breaches: the new scenarios

According to the Clusit 2021 report, the number of cyber attacks has grown constantly over the last few years.
All studies looking at data breaches have come to the same conclusion: any Italian company which processes information will have at least one personal data breach every year. Moreover, if you consider that the COVID-19 pandemic is “intensifying” the shift to smart working and digitization of companies, sometimes in a disorderly manner, the risk of being subjected to an attack becomes ever higher.

First and foremost, we have to understand precisely what a data breach is: a data breach is nothing other than a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed which involves the privacy, integrity or availability of personal data.

Companies suffering a data breach must:

1. Restore their business as soon as possible, whenever the data breach is due to an attack which has an impact on corporate operations as well as on the protection of personal data, aiming to meet an RTO (Recovery Time Objective) and RPO (Recovery Point Objective) which is as short as possible, depending on the type of business.  To this end, the business continuity plan – i.e. the set of procedures which guide the organization in the response, recovery and resumption of business following an interruption – must be set in motion. In particular, it is necessary to also implement a subset of the business continuity plan, the disaster recovery and/or cyber event recovery plan, that is the set of procedures which guide the organization in recovering the IT services (applications, data, hardware, electronic communications etc.) which are essential for operational continuity.
2. Handle compliance aspects, including:

• Notify the Italian data protection authority (Garante) within 72h of gaining knowledge of the incident (except for some cases which are identified following a specific risk analysis)
• Notify data subjects of the event without delay (with the exception of certain cases)
• Document the event in a dedicated register of breaches to be provided to the data protection authority in the event of audits, containing all breaches which have occurred and the potential threats that the company may be subjected to in order to allow the Controller to implement all necessary technical measures.

Given the time constraints involved in carrying out these provisions, it is of fundamental importance that the activities to be performed are adequately documented in a clear, consolidated and documented procedure.  Indeed the Data Protection Officer, as fundamental as this position may be, is not sufficient to ensure correct management of a Data Breach – this is an emergency situation which requires numerous prepared and trained parties to work together both on the basis of regulations and internal procedures.   

As regards relationships with the data protection authority, pursuant to article 39 of the GDPR, the DPO is the point of reference. They must “act as the contact point for the supervisory authority on issues related to the processing” and “inform, support and provide guidance” to the Data Controller.

The DPO is a key person for effective and timely management of data breaches, above all when you consider that the company is in a situation characterized by:

1. Urgency: notification of the data protection authority must be made within 72 hours, and any notification of data subjects must be performed without delay
2. Need for analysis expertise: in order to determine whether to notify the data protection authority and/or the data subjects, it is necessary to:

• Carry out a risk assessment relating to the rights and freedoms of the data subjects
• Be familiar with the procedures required by the Italian Data Protection Supervisory Authority
• Adequately document notifications

Based on the above considerations, we need to ask ourselves: what is a company/organization risking if it does not correctly manage a data breach?

1. Prohibitions: the data protection authority can prohibit activities relating to illegitimate processing (e.g. it can prohibit profiling of users, block websites etc.)
2. Financial penalties: in the event of failure to comply with data breach legislation, fines can be applied of up to ten million Euros or 2% of global annual turnover
3. Reputational damage: today, a company’s reputation is closely linked to its ability to ensure adequate protection of personal data entrusted to it.

An important tool for determining the seriousness of data breaches is represented by guideline 1/2021 of the EDPB, based on an approach composed of analysis of actual data breaches.

For example, it describes the case of an identity theft carried out by a cyber criminal who contacts the call center of a service, pretending to be a customer, and asks for the billing address to be changed. The case in question focuses on the importance of preliminary measures, and therefore on the proactive approach that an organization must take to deal with the new challenges posed by the market and technology. The case in question presents a high level of risk, since the billing data can provide information on the data subject’s private life (daily habits, contact details etc.), and can consequently cause significant material damage (consider the example of a stalker obtaining the home address of their victim). It is therefore essential to implement a multi-factor authentication system, for example sending of a confirmation email request to the actual customer who signed the contract.

Once a data breach has occurred, reacting in a correct and timely manner is essential. A matter of hours to make mandatory notifications, analyze the risks to the rights and freedoms of the data subjects, analyze the impacts on the organization, identify of the security measures in place, and those which can be implemented.

Cybersecurity and compliance aspects meld together in an emergency situation which could have serious reputational repercussions.

These characteristics of data breaches require the importance of the following phases to be highlighted:

1. Preparing for a breach: before a breach occurs, it is necessary to put in place a series of documented procedures and carry out personnel training. In addition to this, it is essential to have an overview of the IT systems used, the data stored in them and the security measures adopted.
2. Reacting to a breach: following a breach, it will be necessary to put in place the measures established in phase 1 in a timely manner. The DPO and other persons involved must make the mandatory notifications and perform the necessary analysis and assessments in the manner and forms established by the procedures.
    

In both phases, support from sector specialists is of fundamental importance, and can lead to major differences in the fines and penalties which may be applied.