Security breaches - what now?
When a business discovers a security breach, it must act swiftly and in a controlled way. When an alarm is triggered, it is often unclear where the potential breach comes from, or whether an external or an internal event caused the alarm. For exactly this situation the company should have a documented and tested crisis management process that covers, among other things, review of the monitoring systems and the forensic analysis that follows.
Such investigations usually require reviewing large amounts of log data from firewalls, servers, IT systems and so on. Log systems of this kind necessarily record employees’ use of the company’s electronic equipment. As a rule, monitoring employees in this way is prohibited, but the email regulations allow the company to monitor employees’ use of electronic equipment in order to “detect or clarify security breaches in the network.” “Detect” and “clarify” can be read to mean that log data may be inspected both during the acute incident and in the subsequent forensic work whose aim is to establish the causes and consequences of the breach.
Even when the company is entitled to inspect log data, privacy must still be respected: only the data necessary for the purpose at hand may be processed. In the acute phase, that means data needed to uncover the breach and, where possible, stop it. In later stages the purpose shifts to clarifying the breach, its scope and its consequences, and the data reviewed should be limited accordingly.
How much log data must be analyzed will vary from case to case depending on the type of event, but the company must end all log analysis once the security breach has been clarified and/or resolved. Every investigation and assessment, including what data was accessed and why, must be documented in an internal report.
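The two principles above, review only what the current phase needs and record what was accessed for the internal report, can be built into the tooling rather than left to investigator discipline. The following is an added example, not code from the original article: it scopes a constructed set of key=value log lines to an incident window and a set of indicators, keeps only an allow-listed set of fields per phase, replaces user names with keyed HMAC pseudonyms so that analysts outside the investigation lead do not see identities they do not need, and emits an audit entry suitable for the internal report. The log format, the case identifier, the pseudonymisation key and the phase scopes are all assumptions made for the illustration.

```python
"""Scoped, pseudonymised log review for a breach investigation (added example).

All log lines, host names, IPs, the case id and the key below are constructed
for illustration; the key=value log format is an assumption, not a standard.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines (not real data): timestamp followed by key=value pairs.
SAMPLE_LOGS = """\
2024-03-04T09:58:12Z host=fw01 user=alice src=10.0.5.23 dst=203.0.113.9 action=allow
2024-03-04T10:01:44Z host=vpn01 user=bob src=198.51.100.77 dst=10.0.0.5 action=login_fail
2024-03-04T10:02:03Z host=vpn01 user=bob src=198.51.100.77 dst=10.0.0.5 action=login_fail
2024-03-04T10:02:19Z host=vpn01 user=bob src=198.51.100.77 dst=10.0.0.5 action=login_ok
2024-03-04T10:05:40Z host=fw01 user=carol src=10.0.5.31 dst=203.0.113.9 action=allow
2024-03-04T10:07:01Z host=files01 user=bob src=10.0.0.5 dst=10.0.1.8 action=read path=/finance/q1.xlsx
2024-03-04T11:30:00Z host=fw01 user=alice src=10.0.5.23 dst=203.0.113.9 action=allow
"""

# Hypothetical per-case pseudonymisation key, held only by the investigation lead.
CASE_KEY = b"case-2024-017-pseudonymisation-key"


@dataclass(frozen=True)
class Scope:
    """What the investigator is allowed to look at in the current phase."""
    case_id: str
    purpose: str          # why the data is being accessed, copied into the audit entry
    start: datetime       # inclusive
    end: datetime         # exclusive
    indicators: frozenset  # IPs or hosts already tied to the incident
    fields: tuple         # allow-listed fields; everything else is dropped


def utc(s):
    """Parse the constructed timestamp format into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    ts_str, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = utc(ts_str)
    return rec


def pseudonym(user, key=CASE_KEY):
    """Keyed, stable pseudonym: the same user maps to the same token within one case,
    and the mapping cannot be reversed without the case key."""
    return "u-" + hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]


def in_scope(rec, scope):
    """A record is in scope only if it falls in the window and touches an indicator."""
    if not (scope.start <= rec["ts"] < scope.end):
        return False
    return bool({rec.get("src"), rec.get("dst"), rec.get("host")} & scope.indicators)


def minimise(rec, scope):
    """Keep only allow-listed fields and replace the user name with a pseudonym."""
    out = {k: rec[k] for k in scope.fields if k in rec}
    if "user" in out:
        out["user"] = pseudonym(out["user"])
    if "ts" in out:
        out["ts"] = out["ts"].isoformat()
    return out


def review(raw_logs, scope):
    """Return (minimised in-scope records, audit entry for the internal report)."""
    lines = [ln for ln in raw_logs.splitlines() if ln.strip()]
    records = [minimise(r, scope) for r in map(parse_line, lines) if in_scope(r, scope)]
    audit = {
        "case_id": scope.case_id,
        "purpose": scope.purpose,
        "window": [scope.start.isoformat(), scope.end.isoformat()],
        "indicators": sorted(scope.indicators),
        "fields": list(scope.fields),
        "lines_scanned": len(lines),
        "records_returned": len(records),
    }
    return records, audit


# Acute phase: narrow window around the alert, only the suspicious source IP,
# and no content-level fields such as file paths.
ACUTE = Scope("2024-017", "acute: detect and contain",
              utc("2024-03-04T10:00:00Z"), utc("2024-03-04T10:05:00Z"),
              frozenset({"198.51.100.77"}),
              ("ts", "host", "user", "src", "dst", "action"))

# Clarification phase: wider window, the compromised VPN host is now an indicator,
# and the accessed path is needed to assess consequences.
CLARIFY = Scope("2024-017", "clarify: scope and consequences",
                utc("2024-03-04T10:00:00Z"), utc("2024-03-04T10:10:00Z"),
                frozenset({"198.51.100.77", "10.0.0.5"}),
                ("ts", "host", "user", "src", "dst", "action", "path"))


if __name__ == "__main__":
    import json
    for scope in (ACUTE, CLARIFY):
        recs, audit = review(SAMPLE_LOGS, scope)
        print(json.dumps(audit, indent=2))
        for r in recs:
            print("  ", r)
```

Against the constructed lines, the acute scope returns the three VPN events from the suspicious IP and nothing else, while the clarification scope additionally returns the file read from the compromised host, with the path included only in that phase. Each run's audit entry states the case, purpose, window, indicators, fields and record counts, which is the material the internal report needs. Widening a scope is a deliberate, logged decision rather than a side effect of a broader query, which is how the "only what is necessary" requirement is kept in practice.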