Do you know what to do in the event of a security breach?


A Security Breach is any incident in which the confidentiality, integrity or availability of personal data (names, ID numbers, addresses, email addresses, telephone numbers, bank details, etc.) of the groups with whom we interact (customers, employees, suppliers, job applicants, etc.) is compromised.

It can be caused deliberately or accidentally, by external parties or by members of our own team.

Some examples of security breaches:

  • Loss or theft of paper documents, digital information or computing devices.
  • Access to paper documents or digital information by unauthorized persons.
  • Information hijacking (ransomware), in which cybercriminals demand a ransom.

Every day there is more news of companies whose security measures have been compromised. Keeping the company protected is a necessity in order to give confidence to customers and employees, but it is also a legal obligation.

The Security Breach Notification Report for March 2023 has been published, highlighting the following:

  • 208 notifications received.
  • In the last 12 months, 1851 notifications have been accumulated.
  • Breach typology:
    - Confidentiality: 169
    - Integrity: 13
    - Availability: 81
  • Means through which the breach materialized:

What do I do if I suffer a security breach?

Given that no one is exempt from suffering a security breach, we must be clear about the steps to follow in the event of such an incident.

First of all, it should be remembered that, under Article 34 of the GDPR, communicating a security breach to the affected persons is mandatory when the following requirements are met:

When to notify stakeholders of the security breach?

When the exposure of the data as a result of the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, taking into account whether the resulting damage is reversible or not.

Who must report the security breach?

In general, the data controller, i.e. the party responsible for the processing of the affected data.

If the security breach has been suffered by the data processor, the processor may only notify the data subjects if this has been provided for in the contract signed with the data controller. In any case, the data controller must be notified beforehand.

Who needs to be notified of the security breach?

Those affected by the security breach will only be notified when the breach poses a high risk to their fundamental rights and freedoms.

How long do I have to notify those affected?

The GDPR and the LOPD-GDD state that it must be done without undue delay, i.e. as soon as possible once it has been identified which data has been exposed and which persons have been affected.

If it is not communicated as soon as possible, the delay will have to be justified to the affected parties and, where applicable, to the national supervisory authority (AEPD) or the regional supervisory authority. If the communication is made in response to an order issued by the AEPD, it will have to be demonstrated that this obligation has been complied with within 30 days from the notification of the order to the data controller.

How can I notify those affected of the breach?

It is recommended to choose a method that is fast and reliable, for example e-mail, SMS or even instant messaging, provided you have the consent of the data subjects to use that channel.

What should I report?

The circumstances in which the security breach occurred must be explained in clear and plain language, as established in Article 34.2 of the GDPR.

In addition, the content of the communication should be as follows:

  • The events that occurred, indicating the cause of the security breach: cyber-attack, data sent in error, cyber incident, loss of information, etc.
  • The means by which the security breach occurred: illegitimate access, internal or third-party disclosure, data leakage, etc.
  • The categories of data compromised in the security breach: basic data, contact data, images, financial data, banking data, health, genetic data, sex life, religion, beliefs, among others.
  • The consequences of the security breach: clearly state what the consequences of the exposure of the data could be, such as fraud, extortion, identity theft, moral damage, etc.
  • The actions taken to remedy the problem and minimize the effects of the security breach: briefly describe the actions taken to remedy the situation, as well as guidance on how to report effects such as phishing, fraud, etc. if they occur.
  • The existence, where applicable, of the data protection officer, together with his or her contact details.

What happens if I do not communicate the security breach to those affected?

Article 74 ñ) of the LOPD-GDD considers non-compliance with this obligation as a minor infringement.

However, if it is the AEPD that orders the controller to communicate the security breach to the affected parties, and the controller does not comply with the Agency's order, this will be considered a serious infringement, according to Article 73 s) of the LOPD-GDD.

It should be recalled that the penalties for infringement range from 40,000 euros to more than 300,000 euros, and that penalties exceeding one million euros imposed on a legal entity will be published in the Official State Gazette, as provided in Article 76.4 of the LOPD-GDD.

If you must inform those affected, you must also inform the AEPD.

After the case has been analyzed by the Data Protection Officer (where the organization is obliged to appoint one) or, failing that, by the Data Protection Consultant, it will be determined whether it is necessary to inform the Spanish Data Protection Agency (AEPD), as the national supervisory authority, or the corresponding regional supervisory authority, within a period not exceeding 72 hours.

All information necessary to clarify the facts that gave rise to the improper access to personal data must be included (Art. 33.1 GDPR).

In the case of public entities within the scope of regional competences, the security breach must be communicated to the competent regional (Autonomous Community) data protection authority.

Being proactive in the face of security breaches

The best way to deal with a security breach is to prevent it, and a good way to do so is to have experts audit your cybersecurity and IT security situation.

If you are a Business Adapter® customer, we will send you an expert to carry out this audit FREE of charge.

Contact us by email at info@businessadapter.es or call 96 131 88 04.
