
Webinar: The Essential Data Protection Course

28-29 October 2021

Luxembourg Technical Assistance Co-operation Programme for Serbia
“Strengthening Capacities to Implement EU Law”

European Institute of Public Administration - Institut européen d’administration publique

Data Breach: Recommendations for a practical methodology and implementation
Florina Pop, Senior Lecturer
EIPA Maastricht

learning and development - consultancy - research EIPA, 10/26/2021 ©


Costs of Data Breaches

- Fines
- Compensation claims for damage suffered
- Reputational damage and loss of customer trust


Agenda

Introduction

Prevent, Plan & Prepare

Detect & Assess

Challenges
Notify, Respond & Remediate

Audit & Improve



Anatomy of a Data Breach

Definition
Art 3 (16) GDPR - a ‘personal data breach’ means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed under the responsibility of the EUI as a controller.

Key components of a data breach:


a) Threat – potential cause of an unwanted incident, which may result in harm to a system or
organization (e.g. an ex-employee, malware, a cyber criminal, a malicious insider, a member of the
staff, a natural disaster)

b) Vulnerability – weakness of an asset or control that can be exploited by one or more threats (e.g.
an SQL injection vulnerability in a web application, outdated anti-malware software)

A data breach occurs when a threat successfully exploits a vulnerability and harms the organization’s information.

“data breaches are problems in and of themselves, but they are also symptoms of a
vulnerable, possibly outdated security regime” (EDPB Guidelines on Data Breach
Examples)
Root Cause of Data Breaches

people are the weakest link

Source: EDPS
Awareness – A Strategic Imperative

▪ Awareness/trainings
➢ Deliver trainings in the orientation phase for each new employee, before they process personal data

➢ Repeat these regularly to develop the muscle memory needed to identify red flags

➢ Tailor the trainings to your organisation so that employees can apply them in their day-to-day activity

➢ Choose creative trainings in small, frequent chunks, and video content

➢ Ensure senior leadership is involved in the awareness campaign (leading by example)

➢ Assess staff at the end of the training to test their understanding and make sure the training is effective; this could include a minimum pass mark

➢ Make sure the material is kept up to date so that it addresses the latest trends and alerts coming from cyberattacks or other security incidents (EDPB, Guidelines 1/2021 on Examples regarding Data Breach Notification)



Addressing Latest Trends – Social Engineering

➢ BEC (Business Email Compromise: pretending to be the CEO or a client)

➢ Phishing – mass e-mails delivered to random individuals (a “shotgun” method)

➢ Spear phishing – unlike phishing, a targeted attempt to steal sensitive information
such as account credentials or financial information from a specific victim

➢ Baiting – online and physical social engineering that promises the victim a reward

➢ Malware – victims are tricked into believing their computer has malware installed

➢ Pretexting – using a false identity to trick the victim into giving information

➢ Quid pro quo – relies on an exchange of information or services to convince the victim to act

➢ Tailgating – relies on human trust to get physical access to a secure building or area

➢ Vishing – urgent voice mails to convince the victim to act quickly



Addressing Latest Trends – Social Engineering

(Two infographic slides, source: Europol; the images are not included in this text.)



Quiz Time



Quiz

✓ Data breaches are not detected
✓ Data breaches are not internally reported (only to the IT Officer, but not to the DPO)
✓ Security incidents are not identified as data breaches
✓ Data breaches are not correctly notified when necessary (to the SA)



Plan and Prepare for Data Breach

Data Breach Protocol

✓ Defines data breach
✓ Includes data breach internal reporting procedure
✓ Defines timelines and type of information to be disclosed
✓ Defines roles and responsibilities of each stakeholder (Data Breach Response Team)
✓ Contact details of all stakeholders involved (WFH may be a challenge)
✓ Additional communication channel for stakeholders (systems down)
✓ List of external cybersecurity entities

Not only on paper: train the stakeholders so that they can react on short notice

Data Breach Flow Chart

Set up an e-mail address for reporting. Flow (reconstructed from the slide’s diagram):

- Personal data breach occurs
- Inform DPO / Security Officer immediately
- DPO / IT Officer / Security Officer investigate the data breach and the severity
- Risk? No → record and close the case
- Risk? Yes:
  - DPO – report the data breach to the SA
  - Security Officer – contain, eradicate, remediate, recover
  - If considered high risk, notify the impacted individuals
- Review whether it is likely to occur again and take prevention action (aud
- Record and close the case

Assess & Notify a Data Breach

▪ Severity Assessment

▪ Notification to the Data Protection Authority – 72h
(Art 33 GDPR / Art. 34 Reg. 2018/1725)
The information may be provided in phases in order to avoid delay (follow-up notification)

▪ Notification to the Data Subject – as soon as reasonably feasible
(Art 34 GDPR / Art 35 Reg. 2018/1725)

Warning! The controller must involve the DPO throughout the personal data breach management and
notification process (both the notification to the EDPS/SA and the communication to the data subject).



Notification to the Data Subject - Deadline

▪ As soon as reasonably feasible and in close cooperation with the SA, except when:
- prior measures implemented by the controller render the personal data unintelligible, e.g.
encryption,
- subsequent measures taken by the controller ensure that the high risk is no longer likely to
materialise,
- it would involve disproportionate effort for the controller (public communication or a similar measure instead).
▪ Prompt communication – needed to mitigate an immediate risk of damage
- Helpful to have a data breach communication template
▪ More time for communication – no immediate risk that needs mitigation
- PR strategy – communicate the breach together with the mitigating measures



Severity Assessment

ENISA’s Recommendations for a methodology of the assessment of severity of personal data breaches

Definition

“Severity of a breach is defined as the estimation of the magnitude of potential impact on the individuals derived from the data breach”



Assess – Severity Assessment

The main criteria taken into account while assessing the severity of a data breach are:

▪ Data Processing Context (DPC)
Addresses the type of the breached data, together with a number of factors linked to the overall context of processing.
▪ Ease of Identification (EI)
Determines how easily the identity of the individuals can be deduced from the data involved in the breach.
▪ Circumstances of Breach (CB)
Addresses the specific circumstances of the breach, which are related to the type of the breach, including mainly the loss of security of the breached data, as well as any malicious intent involved.

The final score is obtained with the following schema:

SE = DPC x EI + CB

▪ Record your assessment in the DATA BREACH REGISTER!



Assess – Severity Assessment
▪ Data Processing Context (DPC) – score between 1 and 4
Addresses the type of the breached data, together with a number of factors linked to the overall context of processing:

A. Classify the data in at least one of the four categories:

• Simple (e.g. full name, contact details, family life, professional experience, etc.) – score 1
• Behavioural (e.g. location, traffic data, data on personal preferences or habits, etc.) – score 2
• Financial (income, financial transactions, bank statements, investments, credit cards, invoices, etc.) – score 3
• Sensitive data (health data, political affiliation, sexual life, etc.) – score 4

B. Assess the occurrence of certain aggravating factors (data volume, special characteristics of the controller or the individuals, invalidity/inaccuracy of the data, public availability before the breach, nature of the data) and, if they exist, increase the score.

E.g. simple data usually scores 1, except when:

a) the controller is aware of aggravating factors (e.g. the volume of the data, or the potential for profiling or for assumptions about the individual’s social/financial status) – score 2,
b) the characteristics of the controller can lead to assumptions about the individual’s health status, sexual preference, etc. – score 3,
c) due to the characteristics of the individuals (vulnerable groups or minors), the information can be critical for their personal safety or psychological condition – score 4
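As an added worked example (not from the slides, and not ENISA’s own tooling), the schema SE = DPC x EI + CB turned into a small calculator that a DPO can use to fill the breach register consistently. The DPC categories and the simple-data escalation rules a) to c) are the slides’ own; the EI levels, the CB increments, the severity bands and the rule “+1 when any aggravating factor is present” for non-simple categories are assumptions modelled on the ENISA methodology and should be replaced by the values your organisation adopts.

```python
"""SE = DPC x EI + CB calculator. DPC categories and simple-data escalation come from the
slides. ASSUMPTIONS modelled on ENISA's methodology, not on the slides: EI levels, CB
increments, severity bands, and "+1 when any aggravating factor exists" for non-simple data."""
from typing import Iterable, Tuple

DPC_BASE = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}
# Simple data: an aggravating factor lifts the score to the level the slides give (B, a-c).
SIMPLE_ESCALATION = {
    "profiling_or_status_inference": 2,        # volume, profiling, social/financial status
    "controller_reveals_health_or_sexuality": 3,
    "vulnerable_individuals_or_minors": 4,
}
EI_LEVELS = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
CB_INCREMENTS = {"loss_of_confidentiality": 0.25, "loss_of_integrity": 0.25,
                 "loss_of_availability": 0.25, "malicious_intent": 0.5}


def dpc_score(category: str, aggravating: Iterable[str] = ()) -> int:
    """Data Processing Context score on the 1-4 scale."""
    factors = set(aggravating)
    if not factors <= set(SIMPLE_ESCALATION):
        raise ValueError(f"unknown aggravating factor(s): {sorted(factors - set(SIMPLE_ESCALATION))}")
    base = DPC_BASE[category]
    if category == "simple":  # strongest listed factor wins
        return max([base] + [SIMPLE_ESCALATION[f] for f in factors])
    return min(4, base + (1 if factors else 0))  # assumption for non-simple categories


def severity_band(se: float) -> str:
    """Assumption (ENISA bands): low < 2 <= medium < 3 <= high < 4 <= very high."""
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    return "high" if se < 4 else "very high"


def severity(category: str, aggravating: Iterable[str] = (), ei: str = "limited",
             circumstances: Iterable[str] = ()) -> Tuple[float, str]:
    """Apply SE = DPC x EI + CB; return (score, band) to record in the breach register."""
    dpc = dpc_score(category, aggravating)
    cb = sum(CB_INCREMENTS[c] for c in circumstances)
    se = dpc * EI_LEVELS[ei] + cb
    return se, severity_band(se)


if __name__ == "__main__":
    # Constructed case: stolen unencrypted laptop holding a health file, names included.
    print(severity("sensitive", ei="maximum", circumstances=["loss_of_confidentiality"]))
```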



Severity Assessment

▪ EDPB Guidelines on Data Breach Examples
“practice-oriented, case-based guidance”

✓ Ransomware with/without proper backup and with/without exfiltration
✓ Exfiltration of data / hashed passwords from a website
✓ Exfiltration of business data by a former employee
✓ Accidental transmission of data to a trusted third party
✓ Lost or stolen devices or paper documents
✓ Mispostal
✓ Social engineering

▪ Handbook on Handling Personal Data Breach
- “aims to establish facts for each facet of the processing”
- “quicker source of information to allow data controllers to mitigate the risks and avoid undue delays”



Notify - Dutch DPA Notification Form

(Three screenshot slides of the Dutch DPA notification form; the images are not included in this text.)

EDPS – Personal Data Breach Notification Form

(Screenshot slide; the image is not included in this text.)



Respond - The Squad…in Details

- DPO
- HR
- Legal
- PR
- IT / Cybersecurity
- Operations



Respond & Remediate to Data Breach

▪ Unexpected Challenges

▪ IT/Cybersecurity unavailable to provide information within 72h
(e.g. logs edited or removed, unclear whether an exfiltration took place or not)
Meet the deadline with the notification to avoid warnings from the SA; a follow-up notification is preferable in the following 2 weeks
▪ Daily meetings of the Data Breach Response Team + Management on the status of the containment and notification strategies

▪ Employees’ representatives or Works Councils will put pressure on the management and the DPO

▪ Plethora of access requests from the data subjects (Article 15 GDPR)

▪ Art. 82 “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”

Audit and Improve

Lessons learnt and corrective actions

- Review procedures
- Awareness trainings
- Record – Data breach register
- Investigation by the supervisory authority



Do You Have Any Questions?