Law firm that takes care of its clients

Clear Action Plan is Crucial to Avoid Mistakes in the Event of a Personal Data Breach or Cyber Attack

In case of a cyber attack or a personal data breach, quick decisions need to be made to avoid errors of any kind. To prevent such incidents and respond efficiently, it is advisable to have a Cybersecurity and Data Protection Incident Management Plan. In this article, Aurelija Rutkauskaite, a partner at Triniti Jurex, discusses the content and importance of such a plan.

What should a Cyber Security and Data Protection Incident Management Plan include?

The structure of the plan depends on the internal culture and communication style of the organization, ranging from detailed rules to specific instructions. Regardless of the format, the content must address what constitutes a security breach, who is responsible for implementing the plan, and what steps are required.

I suggest that the team should consist of the head of the organization, the IT and cybersecurity manager, the public relations specialist, and the data protection officer, with a provision for the necessary staff. If there is no one within the organization capable of managing data breaches, I advise seeking external services in advance.

What other aspects should the plan cover?

The plan must identify who in the organization should be informed of a data breach, and the methodology the organization will follow to assess the risk. The obligation to report a data breach to supervisory authorities only arises when the breach has established a risk to the rights and freedoms of natural persons, so guidelines for breach assessment are necessary.

The plan must also include how to notify the supervisory authorities and affected individuals, who will be responsible for documenting data breach management activities, and the steps to learn and prevent similar incidents. Risk assessment matrices and sequencing charts can be helpful in such breaches by streamlining decision-making.

What timeframes should an organisation take into account when faced with a data breach?

Regarding time constraints for a data breach, organizations should notify the State Data Protection Inspectorate (if the breach occurs in Lithuania) or another appropriate data protection authority (if it occurs elsewhere in the EU) within 72 hours of identifying the breach. This means that swift action is crucial. If the organization is unable to provide a full incident report within 72 hours, it can submit the report in stages, with the initial information provided within the first 72 hours and the remaining data submitted later. When notifying the Data Supervisory Authority, it is important to use the approved format.

Which other authorities should be informed in the event of a data breach?

In the case of a data breach, it is important to inform the relevant authorities. If the breach is due to a cyber-attack, the National Cyber Security Centre should also be notified. Additionally, if the incident is or may be associated with a criminal offence, the police should be informed.

What are the implications if an organization fails to take action following a data breach?

If an organization fails to report a data breach, it will be viewed as a violation of the GDPR regulations. This failure alone can result in GDPR liability, so it is important to comply with this obligation. It is possible that the supervisory authority may not criticize the organization after evaluating the incident. The organization will be seen as having taken sufficient steps to ensure data security and that the incident was not the organization’s fault. However, not reporting the incident will still be considered a GDPR violation and could result in penalties.

What happens if an organization reports a data breach late?

Although reporting the incident late may be seen as a mitigating factor, the GDPR still requires reporting within 72 hours of the incident. We strongly recommend that an initial report be filed within 72 hours of the incident.

What steps should be taken if sensitive information such as customer purchases, services, and payment amounts are stolen?

In such cases, all of the regulations mentioned above apply. It is highly likely that the affected data subjects will need to be informed, as this type of data breach may endanger their rights and freedoms. Data can be used or manipulated, and it is therefore important to inform the potentially impacted individuals in such cases.

There is no strict protocol for communicating with individuals who may have been impacted. It is important to disclose all relevant details of the incident in an understandable manner. It is also recommended to inform the affected individuals of actions they could take to protect themselves from potential negative consequences of the incident, such as changing their passwords if their account data was leaked, or changing their ID documents if their ID numbers were lost.

What should be done if a cyber attack disrupts company operations but no data is lost?

There are three types of data breaches:

– A breach of confidentiality – an incident where personal data is inadvertently or illegally disclosed or accessed by unauthorised persons (e.g. a copy of the data is sent to the wrong person, login details are made public, etc);

– availability breach – an incident in which personal data are accidentally or unlawfully lost or destroyed (e.g. a database is deleted and no backup is available, access to information systems is lost, etc.);

– integrity breach – an incident in which personal data are inadvertently or unlawfully altered (e.g. unauthorised access to an information system by a person who alters the information stored therein).

For example, a DDoS attack (‘Distributed Denial-of-Service’) will be considered as a breach of availability and, in certain cases, a breach of integrity. If the assessment of the incident indicates that it may result in a risk to the rights and freedoms of natural persons, which may be the case not only in the event of a data leak, but also, for example, in the event of loss of access to one’s account or inability to use a service, etc., at least the Supervisory Authority will have to be informed.

What should be done if commercial information has been stolen and personal data has not been affected?

If commercial information such as price lists, contracts, and negotiation notes have been stolen and personal data has not been affected, it is a breach of confidentiality rather than a breach of security of personal data. The company must follow its confidentiality management documents for any internal information that has been leaked. In the case of customer data, the confidentiality obligations in contracts with customers must be consulted.

What should a company do if it is unable to meet its obligations to customers due to a cyber attack?

Proper communication with customers will be crucial in such a situation. A cyber attack may be considered a force majeure, but this should be assessed on a case-by-case basis.

Is it necessary to inform the public about the loss of personal data?

There is no obligation to inform the general public about the loss of personal data. However, if the incident is serious, it is recommended to inform the public as silence could lead to discussions and escalation of the incident. The affected data subjects must be informed directly.

If the incident is serious, information about it is likely to leak, the public will discuss and escalate it, and silence will not be a good tactic. In such a case, it is important for the organization to communicate its own version of the events, otherwise there is a very high risk of losing the trust of existing or potential customers.