Data breach, should we communicate?

Leaks, loss, destruction or even access to personal data by cybercriminals are nothing new, and the General Data Protection Regulation (GDPR) has neither the pretension nor the superpower to stop them in their tracks. What the GDPR does impose is a set of organizational and technical measures to ensure the confidentiality, integrity and availability of personal data, and to react as quickly as possible when such incidents occur.
Zero risk does not exist
This is what happened to the job search sites Monster.com and Option Way which, on returning from the summer break, were victims of a hack affecting the personal data of thousands of Internet users. While both sites reacted immediately, Monster.com seems to have concentrated its efforts on taking offline the insecure web server on which all the stolen data was stored, neglecting an action that was nonetheless mandatory in this case.
The CNIL in fact refers to three actions in the event of a data breach: drawing up internal documentation to be placed in the register of breaches, notifying the breach to the CNIL, and informing the persons concerned. Each of these is mandatory or not depending on the risk incurred by the persons concerned. For Monster.com, however, it was only when the press reported the news that the company argued that, as an American platform, it was not subject to this obligation to inform. Yet it seems unlikely that this job search site would not hold a single piece of data on a few residents of the European Union, in which case the GDPR and its notification requirements would apply. We may also consider the risk to those concerned to be high: applying elsewhere is generally not appreciated by the current employer and may be a source of reprisals.
In conclusion, Monster.com should have warned its users. But before throwing the first stone, are you sure you would have behaved correctly? Let's be honest: it is often difficult to admit, as an organization, that we have failed in our task of protecting the personal data entrusted to us.
Best practices in the event of a data breach
The GDPR and the CNIL describe the obligations of the data controller and the processor (subcontractor) when these events, of accidental or illicit origin, occur. It is mandatory for the data controller, but also for the processor if the latter has received formal instructions to do so (explicitly provided for in the subcontract), to notify the supervisory authority at the latest within 72 hours after becoming aware of the breach.
The point that should not be overlooked, however, is set out in Article 34 of the GDPR, which states that when a breach is "likely to create a high risk for the rights and freedoms of a natural person", the data controller must communicate it as soon as possible to that person, in clear and simple terms. The question remains for data controllers: when does a risk become "high" for the rights and freedoms of an individual?
How do you analyze the seriousness of a violation?
It is the assessed seriousness of the breach that determines whether communication to the persons concerned is an obligation or only a recommendation for the data controller.
The approach starts by studying the causes and origin of the incident, then examines the chronology of events and analyzes the risks the breach poses to the data and to the rights and freedoms of the persons concerned. Finally, by drawing up a report on the security measures in place before and after the incident, the data controller will be in a position to assess whether the severity of the incident is negligible, limited, significant or maximum. Only when one of the two highest levels of severity is reached is communication to the persons concerned mandatory.
Let's take the example of a leak of data that is not sensitive but is still sufficient to launch large-scale phishing campaigns (data found on a resume: telephone number, postal address and email). In this case, the risk analysis of the breach would have helped determine whether, in this specific case, communication to the persons concerned was an obligation for the data controller or only a recommendation.
Concretely, how do you inform the people concerned?
The information can take the form of a letter summarizing the steps listed above as well as the recommended and strongly recommended security measures (changing passwords, verifying the information entered on the profile, etc.). If you are an Adequacy customer, remember that letter templates are preloaded in the solution.
Haste, silence or even concealment during a data breach are all ideas that only seem good. Above all, they mean taking the risk of losing the trust of your customers, partners and even employees in your organization. While the GDPR imposes a certain transparency on data controllers, the question of going beyond the legal obligation arises. Reading the feedback Qwant received regarding its indexing difficulties, we can only note the goodwill of users when organizations acknowledge their faults and responsibilities.
