Data breaches

⚡TL;DR

  • Controllers must take technical and organizational measures (TOMs) to ensure the security of the data they process.
  • In the event of a data security breach, you may have to notify the authorities and/or the data subjects.
  • A data breach policy is an internal guideline that ensures your team reacts properly and quickly to a data security breach.
  • Book a free call with us.

A data breach is any violation of security measures that, whether accidental or not, results in the loss, modification, deletion, destruction, disclosure of, or unauthorized access to personal data.

For example, these are data breaches:

  • A cyberattack against your website that exfiltrates data to the attacker.
  • A marketing email sent to all your clients with their addresses in "cc" instead of "bcc".
  • Employee A receiving employee B's payslip by email by mistake.
  • A ransomware attack that locks all your data when no backup is available.

Controllers are required to ensure the security of the personal data they process to avoid data breaches.

The risk is not only legal non-compliance but also reputational: a data breach will damage your company's reputation and scare customers and investors.

While you will never be blamed merely for being hacked, you may be held responsible if you did not previously take the appropriate technical and organizational measures to prevent attacks.

Best practices

Data breach policy: An internal data breach policy is implemented, including an annex listing all incidents and the measures taken. As part of the policy, a one-pager with the key information is easily accessible.

Data breach responsible person: A person is designated internally as responsible for handling data breaches. All other employees know who this person is, how to recognize a data breach, and when to notify them.

TOMs: Technical and organizational measures are taken, notably to limit data breaches and keep sensitive data safe. An example list can be found in the annex of our free DPA generator. For more complex cases, it is worth discussing with an IT specialist.

Data breach policy

In the event of a fire in a building, you need a plan to act correctly despite the stress. A data security breach policy follows the same idea.

The policy includes:

  • How to recognize a breach;
  • How to communicate the existence of the breach internally;
  • Who should do the first analysis consisting of:
    • Concrete risks;
    • Potential measures;
    • Potential damages;
  • Whom to notify about the breach, and when.

Technical and organizational measures

There is no fixed list of technical and organizational measures that must be taken to prevent data breaches. Generally, this means any measures able to ensure the confidentiality, availability, integrity, and security of the processed data.

They include the following measures:

  • Define who is competent for data privacy within your organization.
  • Train employees regularly (once a year).
  • Make sure employees are aware of the policy. A company can only react properly to a data security breach if its employees actually know how to recognize data breaches and how to react to them. The company must foster a culture where employees will communicate any problems related to personal data they notice.
  • Ensure that each employee has their own account (email, Slack, etc.).
  • Be technically able to erase data on your employees' laptops.
  • Pseudonymize data.
  • Ensure basic security against malware.

Notification

In the event of a data breach, you must act quickly:

In Switzerland under the FADP

As a controller, you must notify as soon as possible (i.e., approximately within 72 hours):

  • The FDPIC (supervisory authority) if the breach is likely to cause a high risk for the personality or the fundamental rights of the data subjects. You must include the following elements: (i) nature of the breach, (ii) consequences, and (iii) measures taken or planned.
  • The data subjects if this is necessary for their protection or if required by the FDPIC.

As a processor, you must always notify the controller. The time to do so is defined in the agreement but is usually 24 hours.

Make sure that these deadlines are reflected in your data breach policy and that all employees are aware of the policy.

In the EU under the GDPR

As a controller, you must notify within 72 hours:

  • The competent national supervisory authority, if the breach is likely to result in a risk for the data subject.
  • The data subjects, if this is likely to result in a high risk for the data subject or if required by the supervisory authority.

As a processor, you must always notify the controller. The time to do so is defined in the agreement but is usually 24 hours.

Make sure that these deadlines are reflected in your data breach policy and that all employees are aware of the policy.
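A small triage helper, added here as an example (not code from the original article), that encodes the notification rules above for an entry of the incident list: the field names and the sample incidents are constructed assumptions, and the 24-hour processor window is a parameter because it comes from the agreement with the controller.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Incident:
    """One incident-list entry (constructed schema; the field names are assumptions)."""
    description: str                  # nature of the breach
    detected_at: datetime
    regime: str                       # "GDPR" or "FADP"
    role: str                         # "controller" or "processor"
    risk: str                         # "none", "risk" or "high" for the data subjects
    subjects_need_protection: bool = False  # FADP: subjects told if needed for their protection
    consequences: str = ""
    measures: list = field(default_factory=list)   # measures taken or planned

def notification_plan(inc: Incident, processor_sla_hours: int = 24) -> dict:
    """Who must be told and by when, following the deadlines described in the text."""
    recipients, hours = [], 72        # controllers: 72 hours under both regimes
    if inc.role == "processor":
        recipients.append("controller")   # processors always inform the controller
        hours = processor_sla_hours       # within the window agreed in the DPA
    elif inc.regime == "GDPR":
        if inc.risk in ("risk", "high"):  # any risk -> supervisory authority
            recipients.append("supervisory authority")
        if inc.risk == "high":            # high risk -> data subjects as well
            recipients.append("data subjects")
    elif inc.regime == "FADP":
        if inc.risk == "high":            # only high risk -> FDPIC
            recipients.append("FDPIC")
        if inc.subjects_need_protection:  # or when the FDPIC requires it
            recipients.append("data subjects")
    else:
        raise ValueError(f"unknown regime {inc.regime!r}")
    return {"notify": recipients, "deadline_hours": hours,
            "deadline": inc.detected_at + timedelta(hours=hours)}

def missing_report_elements(inc: Incident) -> list:
    """Elements the authority notification must contain that are still empty."""
    required = {"nature": inc.description, "consequences": inc.consequences,
                "measures": inc.measures}
    return [name for name, value in required.items() if not value]

# Constructed sample entries, based on the examples given in the text.
DETECTED = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
CC_LEAK = Incident("Marketing email with clients in cc instead of bcc", DETECTED,
                   regime="GDPR", role="controller", risk="risk")
RANSOMWARE = Incident("Ransomware, no backup available", DETECTED, regime="FADP",
                      role="controller", risk="high", subjects_need_protection=True)
```

Running `missing_report_elements` before sending the report shows which of the three required elements (nature, consequences, measures) the incident entry still lacks.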

Update incident list

Maintaining an incident list that records all incidents (even minor ones) serves two purposes:

  • Enabling your company to update its preventive measures based on past incidents.
  • Demonstrating (i) that you took measures following a data security breach and (ii) what these measures are. This will ultimately limit the responsibility of the company and the responsible person by proving the breach was taken seriously.

Next steps:

  • Align with your security consultant to implement technical and organizational measures.
  • Book a free call with us here to implement the data breach policy. Check out our assessment packages, where this policy is included.