GDPR Rules of Data Breach Notification: How to Report Personal Data Loss and Avoid Fines?

The General Data Protection Regulation (GDPR) is a new global standard designed to codify and extend the rights of data subjects. The GDPR comes into force on May 25, 2018 and will replace the European Data Protection Directive 95/46/EC (DPD), which is in effect now. GDPR fines can reach 10 million euros — substantially more than for violations of other standards, such as HIPAA, SOX and GLBA.

One of the key reasons that organizations are anxious about GDPR compliance is its strict data breach notification requirement, specified in Articles 33–34: organizations have only 72 hours to report a breach to supervisory authorities.

But don’t panic. In this blog post, Netwrix answers the top 5 questions about this requirement to help you get proper processes in place before the GDPR takes effect. We’ll also review three recent high-profile data breaches and see how proper breach notification was sorely lacking in each.

Frequently asked questions about the GDPR’s data breach notification requirements

1. What counts as a “personal data breach”?

According to Article 4 of the GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data stored, transmitted or otherwise processed by the organization. This also includes incidents that result in personal data being only temporarily lost or unavailable. It’s critical to understand that this definition differs dramatically from other standards, such as HIPAA, which limit the concept of a data breach to unauthorized access and disclosure only.

Moreover, the GDPR protects a much broader set of data. According to Article 4, “personal data” means any information related to an identified or identifiable natural person (data subject), which includes not only names and personal identification numbers, but also location data, ethnic origin, political opinions, genetic and biometric data, and much more. In contrast, most U.S. compliance standards (e.g., PCI DSS and FISMA) protect only information that can be used to commit identity theft or fraud — typically, an individual’s name and a second piece of data like their Social Security number or payment card number.

2. How quickly do I have to report a data breach?

According to Article 33, data controllers and data processors must report a data breach to the competent supervisory authority within 72 hours of its discovery. In addition, if a personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” the organization must notify those individuals “without undue delay.” This is a tough deadline to meet — other standards typically mandate 30–45 days for breach notification. For example, HIPAA specifies 60 days and FISMA is stricter at 30 days, while standards like SOX and FERPA do not even specify a breach notification deadline.

3. What is the procedure for data breach notification?

Just like many other compliance standards in the U.S. and EU, GDPR does not specify an exact format for data breach notifications. However, Article 33 requires notifications to supervisory authorities to include the following information:

  • The nature of the data breach, the categories and approximate numbers of data subjects affected, and the data records concerned
  • The likely consequences of the personal data breach
  • The measures taken or proposed to address the breach
  • The name and contact details of the data protection officer (DPO) or other point of contact

Affected data subjects must also be notified in an effective manner, such as through email or by posting the notice letter on the company’s official website.

4. How high are the fines for non-compliance?

Article 83 specifies the penalties for violations of the GDPR. In particular, any violation of the data breach notification provisions (such as a failure to report a data breach on time, provide a detailed description of the problem, or specify the measures that the organization will take) can cost the organization 10 million euros or 2% of its global annual turnover for the preceding financial year, whichever is greater.


5. Are there any other consequences on top of the fines?

Apart from imposing administrative fines, competent supervisory authorities have the right to issue warnings and reprimands, force organizations to report breaches to data subjects, and — in extreme cases — ban them from processing personal data (Article 58). However, there is little chance that supervisory authorities will impose the maximum penalty for every security incident. As long as an organization cooperates with the investigation and demonstrates that it is working hard to improve security, it will probably avoid huge penalties.

Case studies: Three recent data breach notification failures

Research indicates that failure to report data breaches in a timely manner is often due to insufficient security controls and improper management decisions. C-level executives choose to conceal the breach to avoid heavy fines and reputational damage, neglecting the interests of the people who entrusted sensitive data to them and deserve to be notified if that data is compromised. The GDPR codifies and extends the rights of data subjects, so it will force these executives to rethink their response or face harsher consequences.

Here are three stories of companies that failed to ensure the security of their clients’ data and to promptly notify relevant parties about data breaches. In all three cases, the organizations knew about the security incidents long before they decided to report them — making a bad situation even worse. Once the GDPR is in force, similar behavior could easily result in a fine of 10 million euros.

1. Uber: Company pays off hackers to hide the theft of 57 million user records.

What happened?

In October 2016, hackers stole the personal data of 57 million Uber customers and drivers. The company’s CEO, Travis Kalanick, learned about the breach in November 2016, a month after the breach happened — but the company failed to disclose the breach until a year later. Moreover, the company actually paid the hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

What data was stolen?

Compromised data included names, email addresses, phone numbers and other personal data of 57 million Uber passengers and drivers worldwide.

What was the result of the data breach?

Uber’s security officer, Joe Sullivan, was fired. Kalanick was forced out in June 2017, although he remains a board member. Uber is still under investigation in several countries (including the U.S., the UK and Italy), and faces multiple lawsuits from customers and drivers around the world. The final amount of fines for compliance violations has not yet been determined.

2. Yahoo: The largest hack in history went unreported for three years.

What happened?

In September 2016, Yahoo revealed that a cyber attack had compromised 500 million of its user accounts. Then in December 2016, it admitted that an earlier data breach had affected 1 billion users, a number that was later revised to 3 billion — or every single Yahoo account that existed at the time.

That’s bad enough, but it gets worse. The first compromise took place in late 2014, and the second was even earlier, in August 2013 — yet neither was reported until late 2016. It’s not clear exactly when Yahoo learned about the breaches, but it seems likely that Yahoo executives knew about them long before they decided to disclose them.

What data was stolen?

User names, email addresses, telephone numbers, dates of birth, hashed passwords, and (in some cases) encrypted or unencrypted security questions and answers.

What was the impact of the data breach?

Yahoo was roundly criticized by members of the U.S. government and security experts for its late disclosure of the breaches and overall lax attitude towards security. Both the U.S. Securities and Exchange Commission and Congress are still conducting investigations. Yahoo was also hit with over 40 consumer class-action lawsuits. Finally, the breaches impacted Verizon’s acquisition of Yahoo in 2017: The original price of $4.83 billion was renegotiated down by $350 million and the deal was delayed by several months.

3. eBay: Data breach notification goes very, very wrong.

What happened?

In early 2014, hackers compromised the login credentials of eBay employees and used them to copy a database containing the records of 145 million users. Not only did it take the company a few months to discover the breach, but they waited two additional weeks to notify affected customers — many of whom had already learned about the breach from the news.

Moreover, when eBay finally posted a notification about the breach, they didn’t put it on their official website; instead, they first published it on a small corporate website. Then the company posted an unclear statement on PayPal’s site, which didn’t explain the situation and confused users, who thought their PayPal accounts might also be affected.

What data was stolen?

User names, home addresses, phone numbers, birth dates, email addresses and encrypted passwords.

What was the impact of the data breach?

The fact that hackers could easily access the personal data of eBay clients negatively impacted the company’s image and public relations. eBay faced a class action lawsuit, which was dismissed in 2015 due to a lack of evidence of economic damage to customers. In June 2014, eBay’s CEO, John Donahoe, confirmed that eBay’s stock dropped by roughly 20% as a result of the data breach and the shakeup of PayPal’s top management.

As these examples illustrate, data breach notifications need to be handled properly, especially once the GDPR comes into force. You need control over what’s going on with your data, as well as a clear and tested plan for responding to a breach.

IT infrastructures have become more complicated, so it is more difficult than ever to track data flows and guarantee that sensitive files are not overexposed. To be able to quickly detect data breaches and report them promptly as required by the GDPR, you need a clear understanding of what users are doing in the IT environment. Furthermore, knowing where your sensitive data resides and who has access to it will help you determine the scope of a breach and exactly which files might have been compromised.