When the GDPR took effect in 2018, it required notification within 72 hours to supervisory authorities in the EU of a data breach likely to result in a risk to the rights and freedoms of individuals, and subsequent notification to the individuals themselves if the breach could give rise to such a “high” risk. Unlike laws in the United States which specifically prescribe data elements that, if exposed, could meet this standard (e.g., social security numbers, driver’s license numbers, financial account information, etc.), the GDPR’s broad definition of personal data left many data controllers and legal experts alike struggling to identify the circumstances under which notification would be required. Given the stiff penalties for non-compliance with the GDPR, supervisory authorities were flooded with reports of data security incidents, notwithstanding that many such events posed no real risk to data subjects.
At long last, the European Data Protection Board (EDPB) has issued practical guidance on specific types of common security incidents to provide clarity around what constitutes a reportable event. The guidance reminds controllers that a data breach includes not only a compromise to the confidentiality of information – the standard by which U.S. laws judge incidents – but also the availability and integrity of personal data. Given this broader scope, it is possible to have a security breach that requires reporting in the EU but not in the U.S., for example, if data is encrypted by ransomware malware, but there is no indication it was viewed or exfiltrated.
The EDPB addresses the following common scenarios:
- Ransomware
- Malware
- Credential stuff
- Inadvertent disclosure
- Lost or stolen laptop
- Lost paper files
- Email Compromise
- Preventative security measures