Using the digital environment for work-related activities entails risks that are amplified by the continuous digitisation of society. Such risks include an increase in the number of cyberattacks that can lead to security breaches, including personal data breaches.
Therefore, it is important for companies to make sure that the risks mentioned above are contained and minimised.
As mentioned in our session on the new digital-centric employment environment at the GoTech World 2020 – Face the new reality event, more than half of Romanian companies intend to allow employees to work from home in the next 6 to 12 months, as a result of the Covid-19 pandemic.
In this context, it is obvious that the number of cyber security attacks targeting employees will increase. The main reason for this increase is the fact that most employees are not yet used to the new digital-centric employment environment and to the measures they should follow when working from home in order to keep company systems, information and personal data secure.
In this respect, companies need to understand and properly identify the relevant risks so that they can implement the appropriate measures to mitigate them. The responsibility lies not only with the company but also with its employees. At the same time, it is important to engage cybersecurity experts and lawyers specialised in data protection and cybersecurity in a timely manner, in order to identify and understand the risks and to implement adequate mitigating measures.
2. The number of security breaches has increased during the COVID-19 pandemic
According to cybersecurity experts, the COVID-19 pandemic can be considered the largest-ever security threat to date, affecting all industries. The most targeted industries are the healthcare and financial ones. The factors that determined the increase in cybersecurity attacks vary from industry to industry and from country to country. Nevertheless, there are some commonalities across industries, namely:
(i) work is often carried out outside the secured infrastructure of the employer, from the employees’ homes; therefore, instead of one secured, centralised IT environment, there is now a plethora of individual and less secure IT environments used to conduct work, which will be exploited by cyber-attackers;
(ii) employees are using unsecured and/or unencrypted devices (including unsecured wireless networks) to access work-related information;
(iii) insufficient use of virtual private network (“VPN”) solutions;
(iv) increased use of video-conference applications to attend work-related meetings;
(v) employees’ lack of compliance with security policies due to the lack of employer supervision.
3. What should companies do in order to minimize the risks
Technology evolves and cyberattacks also become more sophisticated. However, as far as security breaches are concerned, employees remain the weak link in ensuring the security of the systems, information and personal data of a company.
Therefore, first and foremost, the companies should ensure that their employees are properly trained and ready to work in this digital-centric work environment, taking into account that one of the most important factors that trigger a security breach remains the conduct of employees.
In order to mitigate the risks entailed by the employees that navigate through this new environment, companies must make sure that they have in place proper communication channels with their employees, so that any potential risk generated by a cyberattack is addressed in a timely and adequate manner.
While technical measures (such as, for example, securing employee devices or installing VPN solutions so that employees can access the employer’s computer system) help to drastically diminish the risks, they are not enough on their own.
The human component plays and will continue to play an important role in reducing the number of security breaches, since employees are more vulnerable to social engineering attack techniques (such as baiting [1], scareware [2], pretexting [3], phishing [4] and spear phishing [5]) as a result of working from home, with no employer guidance.
In order to mitigate the risks mentioned above, companies must also focus on the following measures, in addition to security measures:
(i) understanding the employees and the new environment in which they perform their work-related activities;
(ii) developing a security- and privacy-focused corporate culture, with the employee at the core of such culture;
(iii) reviewing and adapting security and privacy policies so that they are fit to meet their goals in the current situation;
(iv) training employees so that they understand and comply with the security and privacy policies;
(v) keeping the latest developments in the cybersecurity field under constant observation.
Implementing the measures mentioned above will entail an increase in the budget allocated to ensuring the security and integrity of the systems, information and personal data. However, it must be kept in mind that the total cost of a security breach can easily outweigh the budget needed to prevent it. Such costs are not limited to the potential financial losses and fines that can be imposed by the competent authorities following security breaches, or to the cost of identifying, mitigating and remedying the relevant vulnerabilities and root causes of such breaches, but also extend to the loss of the trust of both customers and employees. The fact that the reputation of a company will be heavily affected represents an important factor that needs to be taken into account.
This is why constant synchronisation and cooperation with the employees, data protection officers (where applicable), cybersecurity experts (whether employees or outsourced) and lawyers is essential, in order to prevent, identify and mitigate security breaches, including personal data breaches.
1 Baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
2 Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.
3 Pretexting: an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim in order to perform a critical task.
4 Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message or text message.
5 Spear phishing is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions and contacts belonging to their victims to make their attack less conspicuous.
Abstract: Data breach notifications were first introduced in 2009 by means of amendments to the E-Privacy Directive, for data breaches occurring in connection with the provision of publicly available electronic communications services. Subsequently, the GDPR extended the data breach notification obligation to all industries. The initial intention was to have a single notification regime, as the E-Privacy Directive was meant to be replaced by the E-Privacy Regulation by the time the GDPR became applicable. Since the E-Privacy Regulation is still far from entering into force, an electronic communications provider has difficulty navigating two regulatory regimes when it comes to data breach notifications.
1. General remarks
The obligation to notify personal data breaches to the relevant national authority and, in some cases, to the individuals affected, became mandatory for the first time under the amended Directive 2002/58/EC [1] (hereinafter referred to as the “E-Privacy Directive”). This followed the broader review of the regulatory framework for electronic communications in 2009, which affected five different EU directives.
As the E-Privacy Directive applies only to providers of publicly available electronic communications services (the “Telecom Providers”) and since the risks associated with breaches of personal data held by other entities may be at least comparable, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “GDPR”) included the obligation to notify personal data breaches regardless of the sector.
The GDPR extended the breach notification requirement to all entities that process personal data, irrespective of the sectors where such entities operate. The initiative was more than welcomed, as it is in accordance with the “right to know” of the individuals affected and is a key element of transparency and accountability.
For the purpose of this article, it is particularly important to mention that in the proposed E-Privacy Regulation the obligation to notify data breaches was placed only under the GDPR [2], so that the Telecom Providers would cease to be subject to the obligation to notify privacy incidents under two different legal frameworks.
Although the intention of the EU legislator was to offer more legal certainty, the fact that the entry into force of the E-Privacy Regulation continues to be delayed creates a dire need for some clarification regarding the overlap between the obligation arising from the E-Privacy Directive and the one arising from the GDPR.
2. Interplay between GDPR and E-Privacy Directive
Privacy and data protection are core values of the European Union [3], thus the EU legislator needs to make continuous efforts in order to set down specific and efficient rules to protect personal data and to ensure the confidentiality and security of electronic communications, backed by strong enforcement.
The data protection legal framework is two-fold: GDPR aims to protect the data subjects’ rights in connection with the processing of personal data, while E-Privacy Directive concerns the protection and confidentiality of personal data in electronic communications.
However, this is not what the EU legislator envisioned when it took the decision to reform the data protection package, as the plan was also to repeal the E-Privacy Directive and to create an E-Privacy Regulation, in order to ensure consistency with the GDPR and legal certainty for users and businesses alike by avoiding divergent interpretation in the Member States [4]. As the latter revision has not been completed in due time and the Council of the European Union’s viewpoint is still pending, the GDPR came into force, leaving several gaps to be filled.
The GDPR became applicable in May 2018, while the E-Privacy Directive revision is still pending, so the Telecom Providers continue to be subject to a double notification regime. Thus, several queries arise: when a Telecom Provider is tackling a personal data breach, under which legislative act’s criteria will it assess the breach, what deadline should be observed for submitting the notification, and which supervisory authority should receive it?
Building on the experience on breach notification that has been gained by those national data protection authorities already implementing personal data breach notification requirements [5], the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” [6]. Meanwhile, in the E-Privacy Directive, due to the fact that the obligation to notify personal data breaches was intended to be industry specific, the definition added that such personal data breaches need to be “in connection with the provision of a publicly available electronic communications service in the Community”.
Keeping in mind that these definitions overlap, it may be said that when a telecom provider discovers a personal data breach and it can be ascertained that the same is in connection with the electronic communications provision, the obligation to notify arises only under the E-Privacy Directive, while when facing any other personal data breach, the obligation arises only under the GDPR.
However, as long as the breach is related to personal data, another interpretation could be that even if the breach is in connection with the electronic communications provision, the obligation to notify arises under both legislative acts. This interpretation seems to be supported also by the European Data Protection Board (the “EDPB”).
Last year, the EDPB issued guidelines on the interplay between the E-Privacy Directive and the GDPR. The paper provides the interpretation of Article 95 of the GDPR, stating that the electronic communications providers “who have notified a personal data breach in compliance with the applicable national E-Privacy legislation are not required to separately notify data protection authorities of the same breach pursuant to article 33 of the GDPR”.
It can be understood from the above text that the EDPB approach is that a personal data breach should be notified under both legislative acts, regardless of the fact that the E-Privacy Directive restricts the relevant personal data breaches to those which are in connection with the electronic communication services. In our view, the obligation should arise only under the E-Privacy Directive, as lex specialis. But the EDPB decided to give a solution to a non-issue, complicating the situation of Telecom Providers, while leaving other hypotheses out of the regulatory framework. The Telecom Providers thus lack clarity regarding data breach notifications.
In practice, the main issue the Telecom Providers are facing concerns the criteria applicable for notifying a data breach. The delay in adopting a new E-Privacy Regulation that will ensure a single regime for the notification of personal data breaches, under GDPR, puts a lot of pressure on Telecom Providers in deciding what regime (due to the interpretation provided by EDPB) and, most importantly, what criteria to apply when deciding to notify a data breach.
When creating the data breach regime under the E-Privacy Directive, the EU legislator defined the core elements of the notification system and left the details on circumstances (including criteria to assess the likelihood of adverse effects), procedures and formats to be set by the Commission by way of implementing measures, in order to ensure consistency across sectors [7].
This approach was identified as the best option, since the use of implementing measures should have allowed more detailed, precise and flexible rules, rules that could be integrated into the Directive afterwards.
Unfortunately, the implementing measures have never been adopted. Both the entities subject to notification and the supervisory authorities have been facing the need to assess whether an incident is notifiable or not based on too vaguely defined criteria, i.e. the provider needs to inform the individuals about the breach “when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual” (our emphasis).
As opposed to the data breach notification regime under the E-Privacy Directive, the GDPR aimed to create a risk-based approach when assessing whether or not a breach should be notified, giving consideration to the specific circumstances of the breach, including the severity of the potential impact and the likelihood of this occurring. This approach was built on the fact that, based on the experience with the application of the E-Privacy Directive, the EU legislator identified a notification fatigue phenomenon [8]: entities would notify the supervisory authorities of any incident, regardless of its gravity, in order to avoid fines for not notifying when they should have.
Indeed, under Article 3 section 2 of Regulation no. 611/2013, the criteria to be considered by Telecom Providers when assessing whether a personal data breach is “likely to result in a risk” are:
(i) the nature and content of the personal data concerned, in particular where the data concerns financial information, special categories of data referred to in Article 8(1) of Directive 95/46/EC, as well as location data, internet log files, web browsing histories, e-mail data, and itemised call lists;
(ii) the likely consequences of the personal data breach for the subscriber or individual concerned, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation;
(iii) the circumstances of the personal data breach, in particular where the data has been stolen or when the provider knows that the data are in the possession of an unauthorised third party.
Also, according to the guidelines issued by the Article 29 Working Party, the following criteria should be taken into account when assessing the risk that may be entailed by a breach:
(i) the type of breach;
(ii) the nature, sensitivity, and volume of personal data;
(iii) ease of identification of individuals;
(iv) severity of consequences for individuals;
(v) special characteristics of the individual;
(vi) the number of affected individuals.
Although such criteria might be considered sufficient to help the Telecom Providers correctly identify and notify personal data breaches in connection with the provision of a publicly available electronic communications service, as mentioned above, in practice a notification fatigue phenomenon appeared, mainly because these criteria are too general and are not entirely useful when a decision has to be made as to whether a certain data breach should be notified or not. Therefore, it is still challenging to evaluate when the breach “may result in a high risk to the rights and freedoms of the natural persons” (our emphasis), as the variety of breaches that may occur is very high, or when the notification is not needed because “the high risk to the rights and freedoms of data subjects is no longer likely to materialise” (our emphasis).
As Telecom Providers need to rely on the Regulation no. 611/2013 criteria, because the E-Privacy Directive lacks any assessment criteria and the proposed implementing measures were never adopted, a possible approach is for Telecom Providers confronted with an incident to apply mutatis mutandis the criteria provided by the GDPR as well as by any future implementing measures.
By adopting this solution, Telecom Providers will benefit from all the lessons learnt in this period when data breach notification under both the E-Privacy Directive and the GDPR was applicable. This approach will also help diminish the notification fatigue phenomenon that now threatens to encompass both types of data breach notification, since, as per the statistics of a recent report [9], over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the General Data Protection Regulation came into force on 25 May 2018.
3. Steps to be considered
As long as both the GDPR and the E-Privacy Directive apply, a legislative intervention to regulate this transitory situation is needed. The over-notification phenomenon requires the legislator’s attention and responsibility.
As mentioned above, a solution may be to provide a unified set of criteria that Telecom Providers must consider when assessing the risks of a breach and, as the E-Privacy Regulation already stipulates, to eliminate the obligation to notify personal data breaches under the E-Privacy Directive.
Moreover, it is important that the individual’s right to know does not become an unnecessary burden either, and that only those impactful events that might trigger an action on his or her side are communicated.
The interests at stake must be balanced and analysed by the EU legislator in order to provide the transparency and clarity required by the affected individuals, the criteria needed by companies in order to prioritise their resources, and to ease the activity of the supervisory authorities.
1 Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (Electronic Communications Data Protection Directive), last amended by Directive 2009/136/EC.
2 Justification: the Commission Regulation (EU) 611/2013 setting out specific rules on data breach notifications should be repealed as its legal basis, Directive 2002/58/EC, will be repealed, and the GDPR will apply to breach notifications, from the Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
3 Article 7 of the Charter of Fundamental Rights of the European Union; Article 8 of the European Convention on Human Rights.
4 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
5 More on this topic is available in the Working Document 01/2011 on the current EU personal data breach framework and recommendations for future policy developments, issued by the Article 29 Working Party.
6 Article 2 of the E-Privacy Directive and Article 4 point 12 of the GDPR.
7 Article 4 section 5 of the E-Privacy Directive.
8 Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
9 It was estimated that currently 3,000 data breach notifications take place in the EU for the telecoms sector every year, calculated on the basis of 319 data protection breaches reported to the UK DPA in 2008/2009 and extrapolated for the EU28. The average cost for businesses of dealing with these notifications was assumed to be 400 EUR, in the Commission Staff Working Paper on Impact Assessment on the General Data Protection Regulation proposal, 25.01.2012, SEC 2012(72), Annex 9 and p. 101.
10 GDPR Data Breach Survey 2020, report issued by DLA Piper, available online at: https://www.dlapiper.com/en/us/insights/publications/2020/01/gdpr-data-breach-survey-2020/ (last accessed on February 3, 2020).
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), controllers must only use processors that provide sufficient guarantees regarding their capability to implement appropriate technical and organizational measures to ensure that all processing activities are performed and protected in line with the legal requirements.
In this respect, before engaging the services of a processor, the controller must perform a proper assessment of the processor’s capabilities to process the entrusted personal data in a secure and confidential manner, in accordance with the provisions of the General Data Protection Regulation.
The duty of care that needs to be observed by the processor must be reflected in a contract concluded with the controller. Such contract must stipulate that the processor will take all technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
(i) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(ii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(iii) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
2. Times are changing, should the processors be reassessed?
Due to the new severe acute respiratory syndrome coronavirus 2, known as SARS-CoV-2, emergency measures were taken throughout the world in order to contain the spread of SARS-CoV-2 and to fight against its effects. One of those measures was for companies, where possible, to send their employees to work from home.
Does this new scenario change the controller’s initial assessment of the processor’s ability to ensure the technical and organisational measures in relation to the processing of personal data?
The answer is yes, if the controller considered only the capabilities offered by the processor within its premises. It is possible that most controllers did not take into account the processor’s readiness to ensure the secure processing of personal data via remote access by employees working from home. From a security perspective, any remote access to data might present a risk that needs to be properly addressed.
The EU Agency for Cybersecurity (“ENISA”), the National Cyber Security and Incident Response Teams (“CERTs”) and the national Data Protection Authorities (“DPAs”) are all advising on the need to maintain an adequate level of cybersecurity when working from home and recommend companies to take measures such as:
(i) ensuring that the corporate VPN solution scales and is able to sustain a large number of simultaneous connections;
(ii) providing secure video conferencing for corporate clients;
(iii) making all corporate business applications accessible only via encrypted communication channels;
(iv) safeguarding access to application portals using multi-factor authentication mechanisms.
These recommendations were issued not just because there is an increase in the number of people who are working and accessing systems remotely, but also because in this state of emergency the number of cyber-attacks, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, man-in-the-middle (MitM) attacks, phishing and spear phishing attacks, drive-by attacks and password attacks, has intensified. Both situations can result in an increased number of security incidents, many of which might prove to be data breaches.
In this context, it is evident that, from a security perspective, we operate in a scenario that is different from the one taken into account by the controller when selecting the processor. The initial assessment of the risks presented by the data processing, such as accidental and unlawful destruction, loss or unauthorised disclosure of data, translated into security measures meant to mitigate the respective risks. But now the scenario is different, and the risks presented by the data processing in the new environment (working from home) might require different security measures in order to mitigate them.
In this respect, the controllers should perform at least an assessment of the security measures in place and of whether such measures are enough to ensure that their processors are still fit to handle the entrusted personal data.
We live in a new era, where the risks are multiplying and endanger the security and integrity of data. It is important to pay attention to each and every change that might have an impact on the relationship the companies have developed with their processors. This might be just one of the problems that might occur. Data protection should not be treated lightly in these times, because the consequences of events occurring in relation to personal data can affect companies in the long term.