Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the cancellation of Directive 95/46 / EC (General Data Protection Regulation), known as the GDPR, defines a breach of personal data security as an infringement which leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data which is transmitted, stored or otherwise processed. When they involve data processing in cyberspace, these violations are most often expressed in various types of hacker attacks, such as unauthorized access to computer information resources, destruction and alteration of computer data, password distribution and infection with computer viruses, service denial attacks / DoS, disfigurement of websites and resources / device, etc.
According to ENISA (European Union Cybersecurity Agency), 84% of cyberattacks rely on social engineering, which is a set of mechanisms and tactics, used by non-duty individuals (hackers) to manipulate a predetermined group of people (so-called targets), resulting in access to confidential information and personal data. The number of phishing attacks in the EU continues to grow, with the COVID-19 pandemic being a frequently used topic of messages containing malicious connections, redirecting users to phishing sites or downloading malware.
Ensuring an adequate level of protection in cyberspace: implementing preventive measures by the personal data controller
As a result of the many received notifications under the order provided in Art. 33 of the GDPR, regarding data security breaches realized in a digital environment, The Commission for Personal Data Protection publishes in its official website tips for data protection in cyberspace to controllers and processors. The Authority has found that computer systems and networks are extremely vulnerable and very often subject to malicious attacks. It is for this reason that it is recommended that administrators apply the following measures:
- Introduction of high requirements for passwords concerning length, use of combinations of lower and uppercase letters, numbers and special symbols, as well as with regard to requirements for periodic password change (60-90 days);
- Introduction of two-factor (multifactor) identification: input of additional information by the user (automatically generated code, PIN, answer to a secret question, etc.), in addition to the standard access password used, which is obtained on another device;
- Introducing a restriction on incorrectly entered passwords (between 3 and 5 incorrect access attempts);
- Regular software and firmware updates;
- Use of antivirus programs at a modern technical level;
- Use of firewalls;
- Regular archiving of the data for the purposes of their recovery in case of hacker attack and loss of their availability;
- Data encryption;
- Regular staff training in relation to data protection and cybersecurity rules;
- Introduction of a Cyber Security Accident Response Plan.
Obligations of the personal data controller in case of security breach
Each personal data controller shall establish procedures and mechanisms to facilitate the establishment and laying down rules for responding to personal data breaches subject to processing in its activities, as well as those for assessing the risks of such violations for the rights and freedoms of data subjects. The Personal Data Protection Act defines the concept of „ risk “ as the possibility of property or non-pecuniary damage to the data subject under certain conditions, assessed in terms of its weight and probability. The purpose of the risk assessment is to assess the specific circumstances of the infringement, including the severity of the possible impact and the likelihood of it occurring.
In the event of a personal data breach, the personal data controller is required to document it and notify the competent supervisory authority without undue delay and where this is feasible in view of the specific nature of the specific case – no later than 72 the hour after he found out about him. Such notification is not mandatory only if the administrator has carried out a risk assessment and has found that the breach does not pose a risk to the rights and freedoms of individuals. The notification shall provide information on the nature of the infringement, the categories and number of data subjects concerned, contact details of the official or other person and other information concerning the breach, according to Art. 33, para. 3 of the Regulation.
Notification of data subjects in case the personal data controller has assessed the level of risk of the breach for their rights and freedoms as high
The personal data controller is obliged to notify the data subjects when the personal data breach is likely to pose a high risk to their rights and freedoms. After carrying out and documenting a risk assessment, the controller determines the level of risk and, on the basis of the result, assesses whether to notify the data subjects affected by the breach. It is good practice to make such notification in any violation regardless of the level of risk. The notification shall be made without undue delay, and the personal data controller shall send a communication in clear and simple language, describing the nature of the personal data breach and indicating the information and measures provided for in Article 33 (3) (b), (c) and (d) of the Regulation (contact details, description of consequences, description of measures and actions taken).
Exceptionally, the personal data controller may not notify the entities if any of the following hypotheses exist:
- the controller has taken appropriate technical and organizational protection measures and these measures have been applied to personal data affected by the personal data breach, in particular the measures, which make personal data incomprehensible to any person who does not have permission to access them, such as encryption;
- the controller has subsequently taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
- the notification would lead to a disproportionate effort. In this case, a public communication is made or another similar measure is taken so that data subjects are equally effectively informed.
Actions taken by the personal data controller to limit the adverse effects of the breach
Depending on the nature of the breach, the personal data controller should analyze and take action as soon as possible to minimize the possible adverse effects of the infringement found. It is recommended that the administrator form a response team that includes various specialists – IT manager, lawyer, HR specialist, communications officer, data protection officer (or other person, to which similar functions are assigned), etc. positions in the organization whose official duties would be useful in the process related to documenting the violation, carrying out a risk assessment, notifying the persons concerned and the CLA, as well as defining and implementing measures to minimize the consequences of the violation.
The first and most important step for the administrator is to carry out the necessary technical inspections by experts, as well as a comprehensive internal investigation to establish the source of the problem and the possible impact on critical business functions / processes. The organization should take all necessary measures to limit the spread of the attack by selecting appropriate measures, including, for this purpose, the diversion of network traffic, the filtering or blocking of traffic, as well as isolation of all parts of the compromised network.
In parallel with the notifications made by the personal data controller in accordance with the requirements of the GDPR, the latter should also notify the competent authorities of the territory of the Republic of Bulgaria (Ministry of Interior) with a view to carrying out an investigation into the case and taking the necessary follow-up.
Author: Att. Zlatka Kotsalova