ARTICLE
7 December 2023

Security Breaches And Violations Of Personal Data Security

With the expansion of digitalisation, large and small businesses are increasingly vulnerable to security breaches and the threat of data attacks, as well as the misuse of personal data.
Norway Privacy

With the expansion of digitalisation, large and small businesses are increasingly vulnerable to security breaches and the threat of data attacks, as well as the misuse of personal data.

With strict privacy regulations and clear expectations for adequate data security from individuals and authorities, it is crucial that businesses have clear and effective procedures to maintain security and appropriately handle security breaches.

Security breaches sometimes involve violations of personal data security, defined in the privacy regulation as "a breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed." In all cases, these events must involve circumstances leading to a risk of failure in the confidentiality, integrity, and/or availability of personal data.

This article will briefly explain how businesses can handle breaches of personal data security, including conducting necessary investigations to determine the extent of the security breach.

Security breaches - what now?

When a business discovers a security breach, they must act swiftly to implement security measures. When a breach alarm is triggered, it is often unclear where a potential breach comes from or whether it is an external or internal event that triggered the alarm. In such cases, the company should have a documented and tested crisis management process, including, among other things, a review of monitoring systems and other forensic analysis work.

During such investigations, it is often necessary to review large amounts of log data from firewalls, IT systems, etc. Implementing such log systems usually involves monitoring employees' use of electronic equipment within the company. Initially, such monitoring is prohibited, however the email regulations state that the company can monitor employees' use of electronic equipment to "detect or clarify security breaches in the network." Detecting and clarifying security breaches can be interpreted that log data can be inspected both during the acute security incident and in subsequent forensic work, which aims to further clarify the causes and consequences of a security breach.

When the company inspects log data, privacy must be preserved. The company must ensure that they only process the information necessary for that purpose. During the acute phase, data essential to uncovering the security breach and possibly stopping it can be analyzed. In later stages, the goal will be to clarify the security breach.

The amount of log data that needs analysis in individual cases will vary depending on the type of event, but the company must conclude all log analysis when the security breach is clarified and/or resolved. All investigations and assessments must be documented in an internal report in the company.

Breach of personal data security

In addition to identifying the cause of the security breach, the company must determine if this constitutes a breach of personal data security. A breach of personal data security must be reported to the Data Protection Authority as soon as possible and no later than 72 hours after the breach is discovered. If companies foresee that necessary investigations will take longer than 72 hours, they should send a temporary notification to the Data Protection Authority, outlining what is known so far about the breach.

However, reporting to the Data Protection Authority is not necessary if it can be demonstrated that the breach does not pose a risk to the rights and freedoms of individuals. The exception should be interpreted strictly, and the company should be almost certain in its assessment before deciding not to report a breach. If uncertain, it's advisable to inform the Data Protection Authority for the sake of prudence.

If it is probable that the breach of personal data security will involve a high risk to individuals' rights and freedoms, the company must also notify the affected individuals of the breach without undue delay. Examples of breaches that may pose a high risk are identity theft, financial loss, damage to reputation, or loss of confidentiality for sensitive personal data.

Potential consequences of privacy breaches

Security breaches can pose a significant threat to a company's reputation, and if not addressed within the legal framework, it can lead to fines, liability for damages, and other regulatory actions. Therefore, we recommend that companies invest sufficient time and resources in preventive measures and develop robust internal control systems to prevent such breaches. Additionally, training is essential, so employees know what to do – and not do – when the alarm goes off.

We held a webinar on employer obligations in IT security incidents in November 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More