Data breach management in the light of the guidelines of the European Data Protection Board. General lines and the question of ransomware.
On 14 January 2021, the European Data Protection Board (EDPB) approved and published guidelines on measures and procedures to be taken to prevent a data breach and mitigate its effects where it has occurred.
The data breach, i.e. the malicious or accidental compromise of personal data, is certainly the event with which in mind the entire GDPR was written and then made operational.
In general, the threats to which personal data may be exposed as a result of a breach are: the loss of confidentiality resulting from their disclosure; the loss of integrity resulting from their alteration; and the loss of availability resulting from the impossibility of accessing the data and/or their destruction.
In general terms, the GDPR requires the controller to:
document any breach that has occurred, the effects it has generated and the remedies that have been adopted;
notify the breach to the supervisory authority, unless it can be shown that it is unlikely to have endangered the rights and freedoms of the data subjects;
communicate the breach to the data subjects themselves where it is likely to result in a high risk to their rights and freedoms.
The guidelines consider many scenarios, including ransomware (malicious encryption of data followed by a demand for a ransom to make them available again).
The four cases of ransomware
Ransomware incidents vary in context and in the severity of their effects, and the guidelines take four textbook cases into account:
encryption of data protected by backup and already encrypted at the origin by the controller, without theft of the data;
encryption of data stored in clear and not protected by backup, without theft of the data;
encryption of data processed by a hospital, protected by backup but stored in clear, without theft of the data;
encryption of data not protected by backup, with theft of the data.
The guidelines show what the prevention measures should be and how the risk assessment and the possible notification of the breach should be carried out in these four cases.
In the first case, the presence of a backup and the encryption of the data at the origin by the controller are very effective counter-measures against ransomware: the backup protects the availability of the data, while encryption at the origin protects their confidentiality.
It follows that the controller need only document the breach, without any obligation to notify the supervisory authority or the data subjects.
In the second case, the lack of backup and encryption aggravates the consequences of the breach and the risk to the rights and freedoms of the data subjects, since both the confidentiality and the availability of the data are compromised. It follows that, provided the risk to the rights and freedoms of the data subjects is not to be considered very high, the controller must document the breach and notify the supervisory authority.
In the third scenario, the malicious encryption again puts at risk the availability and confidentiality of the data, and this risk seriously endangers the rights and freedoms of the data subjects, since a hospital processes sensitive data (such as health data) and in relation to a high number of
However, the availability of an electronic backup allows the data to be restored within an acceptable time. In this case, in view of the high risk to the rights and freedoms of the data subjects, the documentation of the breach and its notification to the supervisory authority must be accompanied by the communication of the breach to each of the data subjects.
The fourth scenario, because of the absence of an electronic backup and the theft of the data, must be followed almost immediately by all three measures mitigating the consequences of the compromise of the availability, integrity and confidentiality of the data; and thus: documentation of the breach and notification of the data.
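The four scenarios above amount to a small decision tree: which protections were in place (backup, encryption at the origin), whether the data were stolen, and whether they are sensitive determine which of the three obligations (documenting, notifying the supervisory authority, communicating to the data subjects) apply. The following Python snippet is an added example, not part of the article or of the EDPB guidelines, that encodes that reasoning for an incident-response playbook; the class and function names are assumptions, and the risk labels are a simplification of the guidelines' case-by-case assessment.

```python
"""Added example: mapping ransomware incident facts to GDPR breach obligations.

Encodes the four textbook cases discussed in the article. Names and the
three-level risk scale are illustrative assumptions, not the EDPB's own terms.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RansomwareIncident:
    backup_available: bool      # an intact, restorable backup exists
    encrypted_at_origin: bool   # data were already encrypted at rest by the controller
    data_exfiltrated: bool      # evidence that the attacker copied data out
    special_category: bool      # e.g. health data processed by a hospital


def assess_risk(inc: RansomwareIncident) -> str:
    """Return 'low', 'moderate' or 'high' risk to the data subjects."""
    # Confidentiality is at risk when data were stolen, or when the attacker
    # could read them because they were stored in clear.
    confidentiality_at_risk = inc.data_exfiltrated or not inc.encrypted_at_origin
    # Availability is at risk when there is no backup to restore from.
    availability_at_risk = not inc.backup_available

    if not confidentiality_at_risk and not availability_at_risk:
        return "low"          # case 1: backup + encryption at origin, no theft
    if inc.data_exfiltrated or inc.special_category:
        return "high"         # cases 3 and 4: sensitive data, or data actually stolen
    return "moderate"         # case 2: clear data, no backup, no theft


def required_actions(inc: RansomwareIncident) -> tuple:
    """Return the GDPR obligations triggered by the incident, in order."""
    risk = assess_risk(inc)
    actions = ["document_breach"]  # Art. 33(5): always record the breach internally
    if risk in ("moderate", "high"):
        # Art. 33: notify the supervisory authority (without undue delay, within 72 hours)
        actions.append("notify_supervisory_authority")
    if risk == "high":
        # Art. 34: communicate the breach to each affected data subject
        actions.append("communicate_to_data_subjects")
    return tuple(actions)


# The article's four cases, constructed here as sample inputs.
CASE_1 = RansomwareIncident(True, True, False, False)   # backup, encrypted, no theft
CASE_2 = RansomwareIncident(False, False, False, False) # no backup, clear, no theft
CASE_3 = RansomwareIncident(True, False, False, True)   # hospital, backup, clear, no theft
CASE_4 = RansomwareIncident(False, False, True, False)  # no backup, data stolen

if __name__ == "__main__":
    for name, case in (("1", CASE_1), ("2", CASE_2), ("3", CASE_3), ("4", CASE_4)):
        print(f"case {name}: risk={assess_risk(case)} actions={required_actions(case)}")
```

Running the module prints one line per case; case 1 yields only documentation, case 2 adds notification to the authority, and cases 3 and 4 trigger all three obligations, matching the article's reading of the guidelines. In a real playbook the `special_category` and `data_exfiltrated` facts come from the forensic investigation, so the function should be re-run as those findings firm up.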
What to do to minimize risk
From this quick examination of the four scenarios, some lessons can be drawn about the security measures and technical solutions that the controller must implement to minimize the risk of ransomware.
Software and hardware must be kept constantly up to date; networks and systems must be segmented so as to limit the propagation of ransomware across the network; an up-to-date backup system must be set up; an effective and up-to-date firewall must be prepared; and a
Who is the author
Born in 1968, with a classical high-school diploma and a degree in law from the State University of Milan (supervisor prof. Alberto Santamaria, thesis on Community antitrust law in the field of radio and television), Giovanni Ricci has been registered at the Bar since 2002 and is a partner of the law firm Edoardo Ricci Lawyers, founded by the lawyer prof. Edoardo Ricci, professor emeritus of civil procedural law at the State University of Milan until 2010. Giovanni Ricci heads the firm's civil liability department, has specialised in healthcare liability and related issues (medical malpractice), and has gained significant expertise in the protection of personal data and in the legislation and Regulation no. 679/2016/EU (GDPR).