A data breach! What should you do? - Part 1: data breaches

05 Sep '25

Author(s): Lisanne Bruggeman

First aid for data breaches and cyber incidents – part 1: data breaches

A misdirected email, a forgotten update or a targeted cyber attack: data breaches and other cybersecurity incidents are unfortunately an inevitable part of the digital age. The consequences can be significant, so it is crucial to act quickly and carefully. But what exactly qualifies as a data breach or cyber incident, how can you prevent one, and what should you do if the damage has already been done?

In this blog, we will consider the question of what a data breach is and provide a step-by-step plan entitled 'First aid for data breaches & cyber incidents'. In our next blogs, we will look at cyber incidents in general, the obligation to report data breaches and cyber incidents, and we will examine in more detail whether and how such incidents can be prevented.

What is a data breach?

According to the EU General Data Protection Regulation (GDPR), a data breach is defined as a 'personal data breach'. This means that personal data has been lost, destroyed or altered as a result of a breach of security, that unauthorised access has been gained to it or that it has been disclosed without authorisation. This does not necessarily have to be done with malicious intent. Even an email in which the recipients are accidentally included in the cc instead of the bcc can constitute a data breach.

Data breaches can be roughly divided into three categories:

  • Breach of confidentiality: personal data is viewed by or shared with unauthorised persons.
  • Breach of integrity: personal data is unintentionally or unlawfully altered.
  • Breach of availability: personal data is (temporarily) inaccessible or is destroyed.

A data breach is often a cyber incident, but not every cyber incident is also a data breach. A data breach must usually be reported to the Data Protection Authority, but not always. Data subjects only need to be informed if the breach poses a high risk to them. Other parties must be informed in accordance with any contractual agreements that have been made.

Consequences

The consequences of an incident are often significant. For example, services or products may become inaccessible, such as electronic patient records that cannot be consulted. Sensitive data may also be exposed, as was recently the case with the data breach at the laboratory for cervical cancer screening.

Organisations may also face reduced customer confidence, reputational damage and high recovery costs. Those affected may suffer reputational damage and identity fraud. If it appears that the GDPR has been violated, those affected who have suffered damage can claim compensation and the Data Protection Authority can issue a warning or impose a fine.

First aid for data breaches & cyber incidents

What should you do if something goes wrong? It is not always possible to prevent a data breach or other cyber incident. To help organisations, we have drawn up a practical step-by-step plan entitled 'First aid for data breaches & cyber incidents'. This step-by-step plan consists of the following steps:

The 13 steps:

  • Step 1: Assess the situation
    What exactly happened? How and by whom was the incident discovered? This information forms the basis for the next steps.
     
  • Step 2: Call the insurer
    Do you have cyber insurance? If so, call the insurer's emergency number immediately. They will guide you through the process.
     
  • Step 3: Put together a crisis team
    Quickly bring the right people together: at least the executive, the person responsible for IT/security (CISO, if there is one) and don't forget the DPO. Also call in a technical expert. Don't have a regular expert? We will be happy to put you in touch with our cyber partners.
     
  • Step 4: Take immediate action
    Ensure that leaks in the system are plugged as quickly as possible and that as much data as possible is saved. Limit the damage where possible.
     
  • Step 5: Check the reporting obligation with the NCSC (within 24 hours!)
    Does your organisation fall under the Dutch Wbni or the Cyber Security Act (NIS2)? If so, you may need to report the breach to the Dutch National Cyber Security Centre within 24 hours. Not sure? Contact us, we will be happy to advise you.
     
  • Step 6: Report a data breach to the AP (within 72 hours!)
    Is the data breach reportable under the GDPR? If so, the controller must report it to the Data Protection Authority within 72 hours. Late or non-reporting may result in a fine. We can help you prepare and submit the report.
     
  • Step 7: Inform the persons concerned
    Is it a high-risk data breach? Then the individuals concerned must be informed as soon as possible. We can help you draft a clear and comprehensive message.
     
  • Step 8: Investigate alternative suppliers or service providers
    Identify which alternative suppliers or service providers are available (if necessary). We can advise you on the contractual implications of engaging other parties.
     
  • Step 9: Report the incident to the police
    If cybercrime is involved, it may be useful to report it to the police. We can help you gather information and contact specialised cyber departments within the police force. This will increase the likelihood that your case will be taken seriously.
     
  • Step 10: Update reports in a timely manner
    Do the reports to the NCSC or the Data Protection Authority need to be supplemented? Make sure this is done on time. We are ready to help you with this.
     
  • Step 11: Record the incident in the internal register
    Record the incident in the internal data breach register, even if it was not a reportable data breach. Don't have a register yet? We will be happy to provide one.
     
  • Step 12: Investigate whether damages can be recovered
    We will work with you to determine whether you can recover damages and from whom.
     
  • Step 13: Prevent recurrence
    Prevent future incidents by taking preventive measures.

We will explain this step-by-step plan in more detail in our next blogs.

For a number of tips, see our previously published blog: Data breaches in practice: three tips | Ploum

Contact us

Looking for more information about data breaches or other cyber incidents? Feel free to contact one of our lawyers if you have any questions about the step-by-step plan or if your organisation needs support.

Contact

Attorney at law

Lisanne Bruggeman

Expertises: Privacy law, IT law, Intellectual property rights, Contract law, Litigation
