By Christopher Laing | Security Consultant at Nettitude
Please note: The following blog post is relevant to our UK and European readers specifically, although the concept of identifying a data breach is relevant on a global scale.
In our line of work, we very often see businesses rush into panic mode when they suspect a data breach. From releasing confidential information to a body that does not have permission to view it, to secure systems being hacked, there are many ways that personal data can be exposed, either intentionally through malicious activity or unintentionally by internal staff. Whilst there are some simple best-practice housekeeping measures that can be applied to prevent such breaches, unfortunately, data leaks still happen. The key to handling such data breaches is, firstly, knowing how to identify one.
Whilst it can seem like a major disaster at the time, sending your workforce into panic mode, sometimes the mishandling of data isn’t yet a breach. In this case, knowing how to identify a data breach is your best asset, before having to cry wolf! In the following blog post, we’ll cover how you can identify a data breach, so that you can take the most appropriate action should your business ever suffer one (touch wood!).
The relationship between data and the General Data Protection Regulation (EU-GDPR)
Before discussing the meaning of a data breach, let’s first examine the relationship between data and the General Data Protection Regulation (EU-GDPR). In the context of GDPR, data is defined as ‘personal’ data and ‘special category’ data. The UK Information Commissioner’s Office (ICO) defines personal data as information that relates to an identified or identifiable individual, while special category data is defined as information detailing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and genetic information, biometric data, and a person’s sex life (including their sexual orientation); otherwise known as sensitive data. For the purposes of this blog post, I will merge ‘personal’ and ‘sensitive’ data into the generic term: data. There are additional GDPR restrictions on those organisations that process sensitive data, but for the purpose of dealing with a data breach, an organisation’s obligations remain the same, whatever the type of data being processed.
Is GDPR still relevant?
Hang on, what about Brexit? Surely the UK will be leaving the EU on December 31st 2020, and therefore the EU-GDPR no longer applies, right? Unfortunately, this is a popular misconception, and just to be absolutely clear, during the transition phase of the divorce, all current EU laws (and this includes the EU-GDPR) will continue to be enforced within the UK. Indeed, even after the divorce, the UK will continue to apply the EU-GDPR. This is because the amended Data Protection Act (2018) enacts the EU-GDPR regulations into UK law. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations (2019) define a data protection regime known as the UK-GDPR, which will come into force after the UK leaves the EU. So, for the foreseeable future, the GDPR is here to stay.
What are the types of data breach under GDPR?
Having discussed the applicability of GDPR and the classification of data, let us now turn our attention to the three types of data breach. What do we mean by a data breach? Some commentators have defined a data breach as the release of confidential information to an untrusted environment, which, given the GDPR’s focus on the privacy of an individual, is in some respects perfectly correct, but it misses some subtle elements.
For example, the ICO states that there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. The ISO, meanwhile, defines a data breach as a compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to protected data transmitted, stored or otherwise processed.
The key elements to take away from these definitions are (i) data loss/disclosure, (ii) data corruption/alteration, and (iii) data unavailability. These can be compressed into three terms, namely confidentiality, integrity and availability. So, from a UK-GDPR perspective, a data breach can consist of one or more of the following:
- Loss of data confidentiality
- Loss of data integrity
- Loss of data availability
Let’s now take each of those in turn, and try to illustrate what they may mean by using some examples.
Loss of Data Confidentiality
So, within the context of information security, what do we mean by data confidentiality? The International Organization for Standardization (which, rather confusingly, is known as the ISO) defines confidentiality as the property that information is not made available or disclosed to unauthorised individuals, entities, or processes. From that, we can assume the loss of data confidentiality is the reverse, namely: information is made available and/or disclosed to unauthorised recipients. It is worth noting that this disclosure can be either accidental or deliberate; in the example below, however, it was an accidental disclosure.
Inquiry launched after HIV clinic reveals hundreds of patients' identities (The Guardian, September 2015)
Loss of Data Integrity
Next on our list of potential GDPR data breaches is loss of data integrity. The ISO defines integrity as the property of accuracy and completeness. Consequently, the loss of data integrity would imply that the information is inaccurate and/or incomplete. It is worth pointing out that the ICO will make no distinction between an accidental or deliberate loss of data integrity; a loss of data integrity is still a data breach, and companies will be fined accordingly.
Prudential fined after inaccurate personal data records lead to mistaken customer funds transfer (BBC News, November 2012)
Loss of Data Availability
Last on our list of potential GDPR data breaches is loss of data availability. The ISO defines availability as the property of being accessible and usable upon demand by an authorised entity. It would therefore seem logical that the loss of data availability would suggest that the information is inaccessible and unusable when required by an authorised user. Fortunately, organisations normally have data backups as part of their business continuity activities, although this in itself can cause unexpected consequences, with uncontrolled and unmanaged data copies circulating between different organisational departments. Examples of loss of data availability could include accidental data destruction, or ransomware making data unavailable. To my knowledge, the ICO have yet to fine any organisation for the loss of data availability, but there have been cases where the ICO have fined organisations when data, especially sensitive forms, has gone missing.
What are your GDPR data breach obligations?
An organisation’s GDPR data breach obligations are really quite simple. When any security incident occurs, the organisation must quickly identify whether a personal (including special category) data breach is an element of that security incident. Where a personal data breach has occurred, the organisation must immediately take control of the situation; this may include deploying additional data protection controls. Most importantly, within 72 hours of a confirmed personal data breach, the organisation must have informed the ICO, and, without undue delay, those individuals whose data has been impacted by the breach.
So, there you have the three defining factors which classify a data breach – loss of data integrity, loss of data confidentiality and loss of data availability. Whilst it may seem like a time to panic, staying calm and identifying early on how your data has been breached can be the most powerful tool in preventing the incident from becoming a full-blown situation. We hope the above advice has put you on the path towards a better understanding of how to identify a breach. We also advise many of our clients to undergo staff training on such issues. By investing in your workforce so that it can handle such events, you help your business to identify whether a situation really is a data breach before crying wolf, and in the unfortunate event that you do have to, your workforce will be much better equipped to handle the situation.
For more advice on GDPR, head over to our webpage, or take a look at the training courses on offer. In addition, if you do happen to experience a data breach, we have a dedicated Incident Reporting page where our team are ready to provide you with the help you need within the hour.
Got questions? Please don’t hesitate to get in touch with your local Nettitude Information Security Consultancy (ISC) Team.