Which is the difference between a security accident and a data breach?

In many cases, when a data controller carries out its data breach procedure and notifies the Data Protection Authority under Article 33 of the GDPR, the Authority responds with specific administrative sanctions, including financial penalties. This is not a rule, but the probability is high. Consider, for example, the recent decisions recalled in the Data Protection Authority's newsletter of 19 February 2021: in sanctioning healthcare organisations, the Authority reminded them that data controllers must adopt all the technical and organisational measures necessary to prevent the personal data of data subjects from being accidentally communicated to other people.

Indeed, not all personal data breaches are caused by external attacks; they can also be caused by simple errors or inadequate procedures.

I think that this is an important aspect that we must underline, because, in order to overcome a breach, it is fundamental that the data controller is able to recognise it. In Article 4, paragraph 12, the European Regulation no. 2016/679 (GDPR) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". This is a clearly specified concept.

The meaning of "destruction" of personal data should be clear: data have been destroyed when they no longer exist, or no longer exist in a form that is useful to the data controller. The concept of "damage" is equally evident: it occurs when personal data have been altered, corrupted or are no longer complete. By "loss" of personal data we mean the case in which the data may still exist, but the data controller has lost control of them or access to them, or no longer holds them.

Finally, unauthorised or unlawful processing may include the disclosure of personal data to (or access by) recipients who are not authorised to receive (or have access to) those data, or any other form of processing that infringes the Regulation.

As underlined by the European Data Protection Authorities in the "Guidelines on personal data breach notification under Regulation (EU) 2016/679", adopted on 6 February 2018, what needs to be clear is that a breach is a type of security incident.

However, as stated in Article 4, paragraph 12, the Regulation applies only in the case of a personal data breach. The consequence of such a breach is that the controller is no longer able to guarantee compliance with the principles relating to the processing of personal data set out in Article 5 of the GDPR.

This point highlights the difference between a security incident and a personal data breach: while all personal data breaches are security incidents, not all security incidents are personal data breaches. (A security incident is not limited to threat models in which an attack is carried out against the organisation from outside; it also includes incidents arising from internal processing that breach security principles.)

A security incident that makes personal data unavailable for a given period of time also constitutes a breach, because the lack of access to personal data can have a significant impact on the rights and freedoms of natural persons.

The case of personal data being unavailable due to planned maintenance work on the system is different: this does not constitute a "breach of security" within the meaning of Article 4, paragraph 12.

As with the loss or permanent destruction of personal data (or any other type of breach), a breach involving the temporary unavailability of personal data must be documented in accordance with Article 33, paragraph 5 of the GDPR.

This helps the data controller demonstrate its accountability to the supervisory authority, which may ask to consult those records. Depending on the circumstances in which it occurs, the breach may or may not require notification to the Supervisory Authority and communication to the natural persons involved. The data controller must assess the likelihood and the severity of the impact of the breach on the rights and fundamental freedoms of natural persons.

In accordance with Article 33, the data controller must notify the breach unless it is unlikely to result in a risk to the rights and fundamental freedoms of natural persons. This must be assessed case by case.

We should also remember that the European Data Protection Board (EDPB) has opened a consultation on Guidelines 1/2021 on examples regarding personal data breach notification.

In the same document, the Board states that a breach may result in physical, material or non-material damage to the natural persons whose data have been breached, such as discrimination, identity theft, reputational damage, financial loss, loss of confidentiality of personal data protected by professional secrecy, and so on.

(For further information on how to manage personal data breaches, please refer to the course organised by Federprivacy, "Data Breach: planning and managing before, during and after the event", scheduled for 13 May 2021.)

Source: Federprivacy
