One of the most challenging areas in data privacy compliance is data breach management. The Data Protection Act, 2019 places an obligation on data controllers to notify the Data Commissioner and data subjects of some types of data breaches. Further, a notification must be made within 72 hours of becoming aware of the data breach. Data processors must also report data breaches, albeit to the data controller. What is a personal data breach, and in what circumstances should an organisation make a notification? We tackle some frequently asked questions on this area of data privacy.
1. What is a personal data breach?
The Data Protection Act defines the term “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. From this definition we can group personal data breaches into three categories:
- Availability breach – the loss, or accidental or unlawful destruction, of personal data
- Integrity breach – an alteration or unauthorised change to personal data
- Confidentiality breach – unauthorised disclosure of, or access to, personal data
It is important to distinguish between a security incident and a data breach. A security incident is an event that compromises the integrity, confidentiality or availability of an information asset. For example, a malware attack which is contained before any data is lost, altered or accessed may be classified as a security incident, since it puts data at risk of exposure. On the other hand, a personal data breach is a security incident that triggers notifications to the Data Commissioner and, in some cases, impacted data subjects. In other words, it is safe to say that not all security incidents are data breaches, but all data breaches are security incidents.
2. How does a personal data breach occur?
According to Verizon’s 2021 Data Breach Investigations Report, 85% of data breaches involved a human element. Employees are a big threat to data security and can cause breaches in several ways, including:
- inadvertent actions, e.g. sending data to the wrong recipients
- negligent actions, e.g. failing to follow stipulated security policies
- malicious actions, e.g. phishing attempts directed at employees or malicious actions by former employees
Some famous data breaches involving employees include the Snapchat data breach, in which an attacker pretending to be the company’s CEO, Evan Spiegel, tricked an employee into emailing payroll information. The information related to over 700 current and former employees. In 2020, hackers compromised the credentials of two Marriott employees and gained access to 5.2 million records of hotel guests. In 2018, a former Cisco employee gained unauthorised access to the company’s cloud infrastructure and deleted 456 virtual machines, thereby compromising 16,000 WebEx customer accounts.
Apart from employee actions, other causes of personal data breaches include:
- theft or loss of devices (e.g. laptops or mobile phones)
- poor information security measures, such as the use of public Wi-Fi networks; and
- external hacking attempts, including malware and DDoS attacks
3. What should we do in case of a breach?
Any organisation is susceptible to a personal data breach. In fact, in most cases it is not a matter of “if” but rather “when” the breach will occur. When an incident occurs, you should conduct an initial review to determine whether it amounts to a personal data breach that poses a real risk of harm to data subjects. Some factors to consider in assessing risk include:
- the nature of the personal data breached. Regulation 35 (1) of the draft Data Protection (General) Regulations outlines the types of data breaches that result in real harm to data subjects.
- how the data breach occurred – time, key actors
- the number of people affected
- the impact of the breach on affected individuals
If your assessment reveals that the data breach poses a real risk of harm to individuals, you should report the data breach. If you are a data controller, you should report the breach to the Data Commissioner within 72 hours of becoming aware of the breach. On the other hand, if you are a data processor, you report the breach to the data controller within 48 hours of becoming aware of the breach. In some cases you may also need to notify the impacted individuals.
Apart from notification, you should also take remedial measures to mitigate the effects of the breach and to prevent future recurrence of the breach.
4. What is the best way to manage a breach?
There is no standard way of responding to a data breach; it all depends on the nature and size of your organisation. A good starting point would be to develop an incident response plan. The DPO should assemble an internal team to help in formulating the plan. The plan should articulate the steps to take in the event of a breach. In particular, it should cover:
- how to identify a breach and how to escalate it to the privacy team. Ideally, all breaches should be escalated to the privacy team, who in turn should form a response team.
- the criteria for assessing and rating the severity of the risk (the criteria in point 3 above can be included in the assessment matrix)
- the members of the response team and their roles and responsibilities. This includes responsibilities around investigation and the actions to take in addressing the breach. The response team should include a broad range of stakeholders within the organisation, e.g. IT, Risk, Compliance, HR, Customer Service, Legal, the CEO and the Board.
- how to notify the Data Commissioner and the data subjects of a breach
Once the plan is ready, train management and staff on key aspects such as how to identify a breach and how to escalate it. In addition, you should update your HR processes to make breach reporting a mandatory employee obligation.
You should also have a unified communication strategy. If a breach occurs, you do not want a scenario where everyone is addressing questions internally and externally. For consistency of messaging you should centralise communications.
5. What information should a breach notification contain?
As stated above, a notification to the Data Commissioner should be made by the Data Controller within 72 hours of becoming aware of the breach. In addition, the Data Controller must give a detailed account of the circumstances leading to the breach. This includes:
- the date and time
- how it arose including classes and volume of data affected
- the number of persons affected and potential harm
- the actions taken to contain it and prevent future occurrence
In addition, the Data Controller must also inform the Data Commissioner if it does not intend to inform the impacted individuals, and give reasons for taking this course of action.
6. What if I do not have all the required information?
The Act recognises that it may not always be possible for a Data Controller to investigate a breach fully within the prescribed 72-hour period. Thus, the Act permits the Controller to provide information in phases, provided that this is done without undue delay. One way to comply is to notify the Data Commissioner within 72 hours of becoming aware and provide the limited information you have at hand. Alternatively, you may inform the Data Commissioner that you are investigating the breach and may not meet the expected reporting window.
7. Do I have to notify impacted individuals?
If the breach results in a high risk of harm to the impacted individuals, then you must notify them of the breach. The assessment should be similar to what we have outlined in step 3 above. If you decide not to notify the impacted individuals of a notifiable incident, then you will need to give reasons to the Data Commissioner. Although there is no defined time limit for notifying the individuals, the Act does state that it should be done within a reasonably practical period. In essence, the delay should not be inordinate.
8. What happens if I do not report a notifiable data breach?
Failure to report a notifiable data breach is a violation of the Data Protection Act. It may expose you to administrative fines (Kes. 5 Million or 1% of gross annual turnover) or general penalties (Kes. 3 Million). In addition, you may be liable to criminal sanctions, i.e. a maximum jail term of 10 years. Further, an affected individual may sue you for damages for harm suffered as a result of the breach. Finally, your corporate image may also be dented, leading to an erosion of consumer confidence and possible loss of revenue.
9. What is the importance of training?
One of the most effective ways to reduce the incidence of security breaches is to train your staff. Staff are in charge of the systems and processes you have put in place to handle personal data. When employees understand data breaches and how to respond to them, they can have a direct positive impact in reducing data breaches or mitigating the consequences of a breach.
All staff should be trained on security threats, whether or not their work involves IT systems. The training should be customised to the role and function of the people being trained. For example, administrative staff can be trained on how to identify security threats, on confidentiality and on how to handle external visitors. Customer service/call centre teams can be trained on how to respond to queries relating to breaches. Those who handle IT systems should have modules customised to the systems they handle. The modules should cover aspects such as breach identification, escalation of breaches and containment measures.
Apart from staff, you can also train your customers, suppliers and partners on your security expectations.
10. When and how should training be conducted?
Training should be carried out regularly throughout the lifecycle of the employment relationship, i.e. from the onboarding stage until termination of employment. Train at different times of the year. For example, you can train after an incident occurs or when you are implementing a work-from-home programme. You can also train as part of a scheduled programme.
Training can take different forms, including classroom training, videos, newsletters, emails and posters, handouts, slogans and comics, webinars and so on. One of the most effective ways to train is through simulated tabletop exercises, e.g. planting a fake breach without letting teams know, so that you can see how they respond. You can develop modules around the most likely causes of a breach. You can also develop modules incorporating lessons learnt after an incident.
The bottom line is that training is necessary for effective data breach responses. The key is to ensure that the training is relevant to your target audience.