This blog article covers the GDPR obligations on all organisations when handling a data breach and the role of the Information Commissioner’s Office (ICO).
Data Protection law in the UK is governed by the Data Protection Acts (1998 and 2018) and the General Data Protection Regulations (GDPR). Data protection law applies to every business or organisation which stores, processes and controls personal data. The data can come from employees and customers and may include names, addresses, telephone numbers, and any other personal identifier.
What is a data breach?
A data breach occurs where personal data is accessed without authorisation and it causes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (such as usernames), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
A personal data breach can include personal data being lost or stolen on computer devices, access by an unauthorised third party, loss of availability of personal data, sending a data subject’s personal data to the wrong recipient, or personal data being altered without permission from the data subject.
What should an organisation do in the event of a data breach?
The GDPR imposes a legal obligation on all organisations handling personal data to report significant breaches to the Information Commissioner’s Office (ICO) within 72 hours of the organisation becoming aware of the breach.
When an organisation suffers a data breach, it must:
- undertake an initial assessment to establish the severity of the data breach;
- contain the data breach and, recover, amend or restrict the availability of affected data, to the extent that this is reasonably practicable;
- determine whether anything further can be done to recover the date and/or other losses, to minimise the damage caused by the breach;
- determine whether the breach is likely to adversely affect any data subjects’ rights and freedoms, if so, those individuals and the ICO must be notified of the breach without undue delay. However, if the breach is unlikely to pose a high risk, it does not need to be reported to the ICO;
- determine the best course of action to resolve and remedy the data breach; and
- record the breach and initial steps taken in a Data Breach Register.
Recent examples of data breaches
British Airways suffered an attack between 22 June 2018 and 5 September 2018, where a hacker accessed the BA Citrix platform using compromised details obtained from a third party supplier’s employee based in Trinidad and Tobago. The total number of affected data subjects was 429,612. Remarkably, once BA found out what was going on, it took less than 2 hours to respond by identifying this malicious activity and to block the transmission of personal data to the attacker’s website. BA then filed a breach notification form with the ICO 24 hours later.
In September 2016, Marriott bought Starwood Hotels. In July 2014, an external threat actor installed remote access Trojans to Starwood’s site, giving that attacker unrestricted access to any devices connected to the Starwood network and allowing the attacker to permit system reconnaissance. From there, the attacker was able to exfiltrate guest data contained within Starwood databases. On acquiring Starwood, the compromised IT system and databases became Marriott’s problem despite the IT systems and databases of both companies being kept separate. Marriott used Accenture to manage Starwood’s IT and it was Accenture who alerted Marriott to the attack on 8 September 2018. However, Marriott did not file a breach notification with the ICO until 22 November 2018, which all good data protection practitioners will realise that as being somewhat later than permitted.
All three controllers were found by the ICO to be negligent regarding the various data breaches that occurred and were fined accordingly.
In the US, T-Mobile’s systems were recently subject to a cyberattack that compromised data of millions of our customers, former customers, and prospective customers. The company said its investigations identified approximately 7.8 million current T-Mobile postpaid customer accounts’ information in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Fortunately, the breach did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised.
Where does Legal Utopia fit?
Legal Utopia provides businesses with support on a range of common legal issues and disputes via its Legal Checker service on a fixed subscription basis on the Legal Utopia app, providing further legal guidance and resources to navigate the GDPR and ICO obligations.