Security breaches: How to prevent them
What is a security breach?
According to the General Data Protection Regulation, a security breach is an incident involving a breach of security, resulting in the accidental or unlawful destruction, loss or alteration of personal data, or the unauthorized disclosure of or access to such data.
This concept is addressed in Articles 33 and 34 of the GDPR and, in short, refers to a security incident that generally involves the exposure of confidential personal data. It is therefore very important to design an action plan before starting any data processing, since such an incident is a real threat to the rights and freedoms of data subjects.
It is precisely this impact on the rights and freedoms of data subjects that allows a security incident to be classified as a genuine security breach, so the data controller must be aware of which actions can generate such incidents in order to manage them as such. There will, however, be many occasions on which an incident does not affect personal data, such as when an email arrives carrying malware that is never executed, or when an attempted cyber-attack fails to succeed.
In these cases it is still necessary to be proactive and monitor this type of situation: although personal data is not affected, the incident can cause other damage to the data controller or data processor. The best recommendation is to periodically review the controls that make up the information security management system and reinforce them where necessary.
Examples of security breaches
Unfortunately, in many cases, security breaches do materialize, as cyber-attacks are very sophisticated.
Recently, the Twitch platform suffered a security breach, affecting confidential files and data of streamers. In order to prevent such incidents, it is essential to know how to identify them, and therefore, we present below some of the most illustrative examples.
The most common case is a ransomware attack, in which malicious code encrypts personal data and the attacker then demands a ransom from the data controller in exchange for the decryption key. This occurs, for example, when a company's computer systems are exposed and the data stored on them is encrypted, while customer and employee data is also accessed, affecting both the availability and the confidentiality of the data. The company may have to halt its activity until the affected information is restored or, much worse, request all of the information again from its customers, which would mean a temporary cessation of the company's activity.
In many other cases, security breaches will not be associated with such sophisticated attacks, but simply with human error. Imagine a situation in which an employee of a company, before being fired, copies customer data from the company’s database and then uses it for his own benefit in the next company. This is clearly a security breach, caused by illegitimate access to the company’s database.
This situation shows that preventing security breaches requires not only sophisticated technical measures but also simple matters, such as who should (and should not) have access to the databases, to be defined in the company's security policies.
Finally, a security breach can also occur unintentionally when, unlike in the previous case, an employee, through lack of diligence or inattention, sends documents containing personal data by a channel that lacks appropriate security measures.
As can be seen, the prevention of security breaches involves the implementation of technical and organizational measures in the organization, depending on the characteristics of the organization or the type of data being processed. In any case, what is essential is employee awareness and training, since this, together with the existence of protocols such as backups and other more sophisticated technical measures, will greatly reduce the impact of a security incident of this type.
How to act in the event of a security breach?
We stress that the most important thing is for every company to have an action and management plan for security breaches defined in advance; this is the only way to act in an effective and organized manner and to avoid major damage.
How you act depends on your role. If you are the data controller, it is your responsibility to notify the incident to the competent supervisory authority and to the affected data subjects. If you are the data processor, you are obliged to inform the controller about breaches affecting the processing operations entrusted to you and to help manage them. If, on the other hand, you are the Data Protection Officer, your role is to advise the controller or processor on their obligations and responsibilities and to cooperate with the supervisory authority, acting as its point of contact.
According to Article 33 of the GDPR, as soon as the controller becomes aware that a security breach has occurred, the supervisory authority must be notified within 72 hours at the latest; however, we recommend notifying the incident as soon as possible, so that it can be resolved as soon as possible.
Not every breach has to be notified, however: the exception applies when the controller can demonstrate that the breach is unlikely to pose a risk to the rights and freedoms of natural persons. Bear in mind that whenever special category data is involved, harm is considered likely, so it is best to communicate the breach to the competent supervisory authority as soon as possible.
There are many more things to know about security breaches, just let us know!