The most recent data breach to hit the headlines at the time of writing is Ubers (The Guardian, 22 Nov 2017: “Uber faces slew of investigations in wake of 'outrageous' data hack cover-up”
), a massive global breach last October effecting 57 million drivers & passengers. This is right on the heels of the Equifax breach in which the social security numbers of 143 million Americans were exposed. Uber have not yet provided a breakdown by country of those effected nor have they notified individuals whose details have been compromised. It has emerged however that Uber have paid hackers $100,000 to destroy the information and keep the breach quiet.
In the Guardian article referenced above, a representative of the UK’s Information Commissioner’s Office is quoted as saying that Ubers response “raises huge concerns around its data protection policies and ethics”. Under GDPR (General Data Protection Regulation) such failures would expose Uber to a potential fine of up to 4% of their annual revenue. Based on their 2016 revenue of €6.5 Billion this equates to a possible fine of $260,000,000.
Given the potential impact of such data breaches on data subjects, the subject of data protection gets increased focus under GDPR, stipulating both preventative & reactive requirements. There are six aspects to the GDPR requirements in the event of a personal data breach:
Note Under article 4(12) a Personal Data Breach is defined as
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
1. The Uniform Breach Notification Rule
The requirements associated with post-data-breach notification have been made uniform across the EU. There will no longer be any variation from one member-sate to the next.
2. Data Breach Notifications & the Supervisory Authority
Where a data breach results in a risk to the rights and freedoms of individuals, data controllers are obliged to notify the competent supervisory authority without undue delay. “Undue delay” means within 72 hours of becoming aware of the breach. When notifications occur outside this 72 hour window the controller is required to provide a reason for this delay.
3. Data Processor to Data Controller Notifications
Data processors, on becoming aware that a personal data breach has occurred, are required to notify the data controller without undue delay
4. Data Controller to Data Subject Notifications
Where there is a high risk to the rights and freedoms of natural persons in the event of a personal data breach, the data controller is required to notify the data subject of the breach without undue delay.
A notification is not required in the following instances:
- Where the data controller had already implemented technical & organisational measures (e.g. encryption) and applied them to the personal data effected by the breach such that the personal data is rendered unintelligible to anyone who is not authorised to access it.
- The data controller has subsequently taken measures to ensure that the high risk to the rights and freedoms of those effected is no longer likely to materialise
- Where it would require a disproportionate effort. In these cases a Data Controller is required to make a public communication to ensure that effected data subjects are effectively informed.
5. Content of Notifications
When providing data breach notifications to supervisory authorities data controllers are, at a minimum, required to:
- Describe the nature of the personal data breach
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
- Describe the likely consequences of the personal data breach
- Describe the measures taken or proposed to be taken by the controller to address the personal data breech.
6. Record Keeping & Policies
Under GDPR, to facilitate the supervising authority’s ability to verify the data controllers compliance with their notification responsibilities, data controllers will be obliged to keep a data breach register documenting the facts relating to the personal data breach, its effects and the remedial action taken.