EDPB’s case digest on Security of Processing and Data Breach Notification – all you need to know

Written By

ruth boardman module
Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

james moss Module
James Moss

Partner
UK

I am a partner in Bird & Bird's London-based international Privacy & Data Protection practice. My background with the UK Information Commissioner's Office combined with experience as a regulatory law specialist in private practice gives me unrivalled insight into contentious data protection work and enforcement action.

The European Data Protection Board (EDPB) recently commissioned and published a thematic One-Stop-Shop case digest on Security of Processing and Data Breach Notification. Despite its somewhat dry title this document provides a wealth of valuable material on how Data Protection Authorities across the EU have dealt with decisions relating to Article 32 (security of processing), Article 33 (notification of breaches to supervisory authorities) and Article 34 (notification of breaches to data subjects) with most of the focus and attention concentrated around the A.32 matters.

What are the key themes and most important points? Read below to see the key takeaways.

Scope and Process

The survey draws together cases which have been dealt with by way of the One-Stop-Shop mechanism under Article 60 of the GDPR. What that means is that where there is more than one concerned supervisory authority in the EU, the authority which is deemed to be the Lead Supervisory Authority (‘LSA’) will conduct and lead the investigation but then seek views and input from all other concerned authorities. What this is designed to produce is an international consensus about the nature and severity of the breach, any appropriate penalty and any recommended remedial steps. As noted, the majority of the issues dealt with centre on compliance with A.32 which places an obligation on controllers and processors to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’; the report confirms that the majority of the decisions cited focus on the LSA’s assessment against these criteria. Whilst the phrase ‘appropriate technical and organisational measures’ will be familiar to data protection practitioners; it has historically been more difficult to state with certainty what exactly that would amount to in practice in any given situation. The position is made more complex by the fact that one of the key factors to be taken into account in assessing whether measures are ’appropriate’ is the current ‘state of the art’ in terms of security measures. Given the rapid pace of change within computer systems and the cyber security measures put in place to protect them, and the corresponding changes in methods by those seeking to unlawfully access the data contained within those systems, the state of the art remains a constantly moving target. The value of this survey is therefore not only to provide an up to date and comprehensive snapshot of measures which are deemed to be appropriate, or not, but also that it is done within the A.60 framework meaning there is a level of consistency and agreement between different supervisory authorities.

Key areas of focus

The survey sets the scene by clarifying the obligations under A.32 as set out above and is put forward in terms of providing insights to allow Supervisory Authorities to interpret those obligations in concrete situations. Key areas include how to protect organisations against hacking, how to ensure meaningful and robust encryption and how to implement strong passwords. Implicit in this is also that regulators can use this information in order to assess when and against whom they should be taking enforcement action for failing to comply with their A.32 obligations. This in turn means that controllers and processors have concrete examples of guidance points which they can use to make sure their security measures will stand up to regulatory scrutiny if tested. A summary table of the key findings cited is set out below.

The section on Article 33, regarding notification of data breach to the competent supervisory authority focusses on where the line should properly be drawn when deciding whether notification is required or not. In turn, the section on Article 34, regarding notification of data subjects seeks to provide clarity on when notification to data subjects is required.

Article 32

A key issue identified is that raised in the CJEU case of Natsionalna agentsia za prihodite (C-340/21) which addresses, amongst other points, the question of whether the occurrence of a personal data breach, in itself, is sufficient evidence to presume that there has been a failure to implement appropriate technical and organisational measures. The general thinking on this point has been that this cannot be correct, as it would mean that where a data breach occurred through no fault of the controller/processor it would still be deemed to be a breach of GDPR, effectively imposing strict liability for such breaches. The Court endorsed that approach and confirmed that A.32 must be interpreted as meaning that unauthorised access to personal data by a ‘third party’, is not sufficient, in itself, to establish that the technical and organisational measures that were implemented were not ‘appropriate’, and indeed that an obligation to demonstrate the appropriateness of those measures would make no sense if controllers were obliged to prevent all such breaches.

The analysis is then divided into looking at three categories of causes of personal data breaches, namely

  1. malicious attacks by external entities i.e., cyber-attacks
  2. breaches due to insufficient company practices and systems, and
  3. breaches caused by human error.

It is interesting, but perhaps unsurprising, that the majority of the cases decided under A.60 in this context relate to category one, namely malicious external attacks. This has long been an area of concern for organisations seeking to protect their businesses and the personal data they hold, not only from the serious effects of such malicious cyber-attacks but also the added regulatory risk of being penalised by data regulators for failing to do enough to guard against such attacks. Key themes in terms of measures that LSAs cite with approval include ensuring that there are robust company policies relating to data security, including those to combat phishing attacks and frequent awareness-raising for employees. Another point drawn out in a number of cases is that encryption of personal data, and the security of that encryption is a key factor in assessing the suitability of security measures. There is also particular focus in a number of cases on the importance of establishing proper access controls, to make sure that systems are locked down sufficiently and only those individuals who need to access particular data sets have the ability to do so. This is often a key problem with cyber-attacks, given that once an attacker has gained entry to one part of a system, without proper access controls they are often able to move into many other parts of the system making the negative effects much wider and more serious.

In relation to Category (2) one point of particular interest, which is likely to have practical implications for many organisations is the issue of sending out encrypted and password protected documents to company users, or in response to data subject access requests. The consensus here is clear that doing so by sending a protected email, shortly followed by another email with a (often very weak) password by the same channel is not sufficient to meet the requirements of A.32. Concrete recommendations on how to do this properly are set out in more detail but this is certainly an area that organisations should look at closely.

Regarding Category (3) the perennial errors of disclosing email addresses by the incorrect use of ‘cc’ and ‘bcc’ fields remains an issue. LSA’s recommend that technical measures are put in place to ensure as far as possible that this does not happen, and that various prompts and nudges are built into systems to minimise the possibility of it happening. There is also usefully detailed commentary on what is considered to be an appropriate level of security when setting and storing passwords, with the recognition that ensuring sufficiently strong and secure passwords are used is a key necessary measure to ensure the security of personal data.

A.33 Notification of Data Breaches to supervisory authorities

This section is less detailed, reflecting the number of cases relating to this Article. One case cited referred to the obligations under A.33(5) to document the details of a data breach and found that this had not been done sufficiently clearly for the LSA to identify whether the organisation had complied with its obligations under A.33. In another case, this being a point of particular interest, the point was clarified that where controllers experience a number of linked data breaches each breach should be notified as soon as possible after it occurs, rather than waiting to report all linked breaches together at a later date. It is apparent that such a combined approach does not find favour with regulators and doing so risks being penalised for late reporting of the earlier breaches. In that particular case the delay in notification was found not to be justified and accordingly to constitute a breach of A.33(1).

A.34 Communication of Data Breaches to data subjects

Only two cases are cited in this section. The first refers to a decision of the Bulgarian authority which includes their development of a methodology to assess the severity of the risk to the rights and freedoms of the data subjects affected. This approach is of interest as a broader consensus on this type of methodology would be valuable in assessing more objectively whether the threshold for notification of data subjects had been met in any particular case, in line with the methodology previously put forward by The European Union Agency for Network and Information Security (ENISA). The second case relates to the specific facts of a breach where the LSA agreed that it had been appropriate to notify affected employees but the threshold had not been met requiring notification to customers, as only employee data had been affected.

Conclusion

This digest of cases from across the EU is an extremely valuable resource and given that supervisory authorities are likely to use it as a reference when deciding what position to take, especially when investigating security breaches caused by malicious external actors, companies seeking to protect against such attacks would do well to do the same. One final point to consider is the UK position, given that post Brexit the UK is no longer part of the Article 60 mechanism and the ICO can take decisions independently of any European Union caselaw or guidance. Whilst that is the case, the ICO continues to cite with approval within its own guidance various pieces of EDPB guidance, including in particular that relating to personal data breach reporting. That being so it seems likely that even though not bound to do so the ICO will review and consider with approval the cases cited within this digest and will use it as a useful resource when considering cases under Articles 32, 33 and 34.

Figure 1. – Summary table of key findings re. Article 32

Category Cause of Breach/Issue  Key findings 
Malicious attacks by external entities  Acquisition of a company 
  • Attacker installed Remote Access Trojans in a company system, the company was then acquired with the  attack taking place after acquisition.  The acquiring company was held responsible and should have promptly taken steps to identify and remedy the security problem on acquiring the company (UK 2020)
  Key organisational measures 
  • Important to implement data security policies to protect against phishing, to have frequent awareness-raising campaigns for employees and to take steps to remind employees of how to safely handle emails (Spain 2022)
  Key technical measures 
  • These should be addressed on the basis of continuous risk management, by regularly assessing how effective the control measures put in place are
  • There should be a process for regularly testing, assessing and evaluating the effectiveness of the security measures in place (Spain 2021, Demark 2022)
  Encryption & HTTPS 
  • Sensitive data, such as bank details, should be encrypted to a sufficiently high level of security; one of the key failings here being pre-determining the initialisation vector which is a known vulnerability

  • No liability resulted where up to date encryption was in place but the breach resulted from a vulnerability in the latest version of third party software

  • Liability did result where HTTPS protocol was not used for pages with contact forms where data was submitted, and in other cases where HTTP was used rather than HTTPS leading to lack of appropriate security of information

  • Where HTTP was used it was recommended that the channel should be encrypted for all requests

  • Only encrypting e-mail traffic during transport is not sufficient to ensure end-to-end encryption as in this case the encryption ended before the message had reached the final recipient, but implementing additional security measures when accessing the emails upon receipt sufficiently mitigates the risk of unauthorised access

  • Using outdated OpenVPN servers and open SSH ports were unacceptable security vulnerabilities, as was a non-universal use of TLS encryption for all server types

  • Storing an unencrypted backup copy of a database, leading to a data breach, was a breach of A.32

  • Bank Card data should not be stored in plain text format and sent by unencrypted email

  • Steps should be taken to ensure the security and integrity of consent signals sent from consent management platforms to adtech vendors (France 2023, Germany 2021Sweden 2022, France 2021, Sweden 2021, Germany 2020, France 2022)
  Log Records 
  • Retaining accurate log records of access to a system is critical to track and detect anomalies and security incidents.  

  • Failure to review logging code was found to be a breach of A.32

  • Logging of events in relation to administration accounts is recommended but care should be taken to assess what information should not be logged e.g. sensitive personal data (Italy 2022, France 2021, UK 2020)
  Access Control Mechanisms 
  • Proper access controls should permit individual authentication of people allowed access to specific data sets.

  • The lack of such clear controls can lead to breaches of A.32 
Breaches due to insufficient company practices and systems   
  • Controllers should be vigilant to ensure technical and organisational measures being used by their processors are effective

  • Sending data via a protected email, shortly followed by another email with a (often very weak) password by the same channel is not sufficient to meet the requirements of A.32

  • Similar guidance applies equally to responding to DSAR requests

  • Systems to block suspicious high frequency login attempts should be automated and not manual to be effective

  • Access to systems should automatically ‘lock’ after an appropriate period of inactivity from the logged in user to prevent unauthorised access by others (France 2021, France 2021, Denmark 2021, Belgium 2022)
Breaches caused by human error   
  • Sending mass emails with all recipients in copy is a clear breach of data security obligations arising from a lack of appropriate measures to prevent a data breach

  • Accidental disclosure of one customer’s data to another is a breach of A.32 but can be mitigated by mandatory processes to report and manage such incidents

  • Lack of sufficient testing of security solutions, leading to reasons for data breaches not being identified was in breach of A.32 (Cyprus 2021, France 2021, Czech Republic 2019Iceland 2021)

 

If you need further guidance, please do get in touch with the contributors.

Latest insights

More Insights
cameras

What is an Emotion Recognition System under the EU’s Artificial Intelligence Act?: Part 1 - A machine that “understands” your Monday blues!

Nov 04 2024

Read More
Yellow mouse on a green background

Germany: Forwarding Business Emails to A Private Account: A Clear Violation of the GDPR

Oct 24 2024

Read More
Curiosity line pink background

China Cybersecurity and Data Protection Monthly Update - October 2024 Issue

Oct 22 2024

Read More