All too often, data breaches are a result of preventable, internal errors. These mistakes and the reputational damage that follows them are increasingly keeping business leaders up at night. What is often most concerning is that it’s not only the financial damage that can cause catastrophe. When the personal data of thousands of customers and partners are affected by a data breach, organisations can also face significant legal ramifications in the form of litigation and GDPR violations. This article will discuss the key considerations and steps that should be taken to reduce fallout and ensure reporting obligations are met in the event of a data breach.
In December last year, the European Data Protection Board published a guideline that covered examples of large, recent data breaches, with recommendations for how those and future data breaches should be handled (Guidelines 01/2021 on Examples regarding Personal Data Breach Notification).
In one example from the report, a bank suffered a cyber attack on one of its online banking websites. The attack aimed to gain access to all possible user IDs using a fixed trivial password. Due to a security vulnerability on the website, in some cases personal information of customers (including name, surname, gender, date and place of birth, tax number, user identification codes) was passed on to the attacker, even in instances where the password used was incorrect or the bank account was no longer active. Accounts belonging to 100,000 customers were potentially exposed and the attacker was able to successfully log in to approximately 2,000 accounts.
The bank became aware of the data breach because its security centre detected a high number of login requests on the website. In response, the data controller disabled the ability to log in and forced a password reset of the compromised accounts. Only the individuals who had been affected were notified about the data breach — no notification was made to the national supervisory authority. Because the breach involved financial data, this was a particularly serious incident.
Notification requirements under GDPR
In the aforementioned example, the fact that the national supervisory authority was not informed will very likely lead to investigations and serious consequences for the organisation. Data controllers are obligated to maintain certain protections over personal information under GDPR Articles 24 (1), 25 (1) and 32 (1). Article 33 stipulates that data breaches must be reported to the national supervisory authority — the Federal Commissioner for Data Security and Freedom of Information or state authorities in Germany. Furthermore, data controllers must notify all potentially impacted data subjects; in some cases, that will include those whose information has not been compromised.
The example above is certainly not an isolated case. Last year, the Federal Commissioner for Data Protection and Freedom of Information received 10,106 notifications of data protection breaches. Among others, companies from the telecom industry and postal services failed to report data breaches.
The 72-hour rule
Under GDPR, Article 4 (12) clearly defines that a "personal data breach" is "[...] a breach of security leading to the destruction, loss or alteration, whether accidental or unlawful, or to the unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." The spectrum of data breaches is wide and, incidentally, not limited to the digital world. It ranges from the publication of personal data on websites or on a notice board, to the incorrect disposal of data carriers and paper lists, the misuse of access rights or improper destruction of data.
An organisation’s data controller, whose duties are defined in GDPR Article 4, is obliged under Article 33 to report a personal data breach to the competent supervisory authority. According to Article 33, this must happen "without undue delay and, where possible, within 72 hours of becoming aware of the breach [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay."
What to report
According to GDPR, a data breach notification must contain at least the following information:
- a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data sets concerned;
- the name and contact details of the Data Protection Officer or other contact point for further information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
If the information cannot be provided in full within the specified time, the controller may provide it in stages. In addition, exactly what happened to the data must be documented in detail. Data subjects must also be informed that a breach of the protection of their personal data has occurred and may lead to a risk to their rights and freedoms.
GDPR fines top 1 billion
Organisations that do not comply with the legal requirements for reporting data breaches face heavy fines. For the particularly serious violations listed in the Data Protection Act under Article 83(5), the fine range is up to 20 million euros or up to 4% of the organisation’s total annual turnover achieved worldwide in the previous financial year — whichever is the higher.
According to reports, 434 fines were imposed last year for GDPR violations, totalling €1.3 billion. Moreover, roughly one-third of organisations in Germany are still lagging in terms of GDPR readiness. It is therefore critical to clearly understand GDPR requirements, including notification obligations — not only to avoid fines, but to safeguard personal data in a legally compliant manner that upholds the interests of customers, partners and the organisation’s reputation.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.