Data theft, data manipulation, encryption of data by ransomware, or data loss: all these incidents are classified as data breaches under data protection law. Reports of data breaches are piling up, and many studies are investigating the consequences of data loss. But what exactly is meant by a data breach?
What is a data breach?
The General Data Protection Regulation (GDPR) defines a data breach thus: “‘personal data breach’ means a breach of security leading, whether accidentally or unlawfully, to the destruction, loss, alteration of, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Unlike IT security incidents, data breaches are obviously always about incidents that involve data. By contrast, what exactly constitutes the incident or mishap is not apparent. Therefore, there is a risk that the term data breach will be interpreted incorrectly or at least inaccurately. If, however, the term data privacy breach is too vague, the measures to prevent data privacy breaches cannot be formulated and implemented with sufficient accuracy. More clarity about the nature of a data breach is therefore important.
Instead of speaking of a data breach, the German Federal Data Protection Act (BDSG) uses the term “unlawful acquisition of knowledge of data.” Under the classic protection goals, confidentiality is thus affected, but not necessarily the integrity or availability of data. The GDPR, however, has a broader understanding of what might be called a “data breach.”
In the recitals that are part of the GDPR, one finds the statement: “It should be determined whether all appropriate technical protection, as well as organizational measures, have been taken in order to determine immediately whether a personal data breach has occurred.”
Thus, if in particular one of the required measures for the security of the processing (according to Article 32 GDPR) is missing, a personal data breach and thus a data protection breach can be assumed. A data breach also occurs if the integrity and availability of the data are affected, and also if the resilience of the systems and services related to the processing is not ensured.
Significance and recommendation for companies
The significance of data breaches is usually underscored in studies by citing financial loss: The loss or theft of critical data costs companies millions worldwide. A single incident costs an average of up to four million U.S. dollars, according to the Ponemon Institute’s 2016 Cost of Data Breach Study.
Studies also point to the large amount of data affected: More than half a billion records containing personal information were stolen or lost, according to the 2016 Internet Security Threat Report. More companies than ever are not reporting the full extent of their data breaches.
In the official explanations of the GDPR, one can find other consequences of data breaches for data subjects that companies should keep in mind when considering the cost of data protection: loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss, unauthorized removal of pseudonymization, damage to reputation, loss of confidentiality of data subject to professional secrecy, or other significant economic or societal harm to the individual data subject.
The wide variety of data privacy violations and concrete examples can be seen, among other things, in the activity reports of the supervisory authorities for data privacy (ZAfTDa) or in the overview of the Data Privacy Project.
Companies should consider the broad significance of data privacy breaches and the range of possible consequences in order to properly select and prioritize measures to prevent data privacy breaches.
For the companies themselves, it remains to be noted that with the GDPR there are stricter reporting requirements for data protection breaches and significantly higher sanctions. Surveys also show that customers take it very badly when a data protection breach occurs. For this reason, companies should not take a woolly view of data breaches but have a clear concept for prevention.