11 August 2025

Navigating A New Era Of Reporting Cyber Incidents In The UK And EU

Cyber security continues to be an issue that gathers mainstream attention, and for good reason. Both the costs of, and the length of time to recover from, a cyber incident are increasing. According to IBM's 2024 'Cost of a Data Breach' report, the average cost of a data breach in 2024 rose to $4.88 million. For some incidents (particularly those involving stolen or compromised credentials), the recovery period was recorded as being as long as 292 days.

The increasing prevalence of cyber-attacks, and the disruption they can cause, has led to governments globally introducing new legislation and/or supplementing existing legislation to protect the most critical infrastructure, whilst also encouraging information sharing to enhance overall awareness of cyber risks. In several jurisdictions, cyber security requirements mandated by law are now being imposed on new industry sectors not traditionally seen as critical, a reflection of the changing way the world operates.

For some compliance professionals, reporting cyber security incidents to authorities may not be a new concept. However, for many organisations the focus on reporting cyber security incidents, as opposed to the perhaps now established process of reporting personal data breaches, is something that may not be familiar.

This article seeks to map out the changing reporting landscape in both the UK and EU, providing an overview of what compliance professionals need to consider when updating their processes and procedures around cyber incident reporting.

1. Reporting personal data breaches

1.1. Reporting obligations under the EU GDPR and UK GDPR

Since it came into effect in 2018, the EU's General Data Protection Regulation (the "EU GDPR") has imposed a range of obligations on organisations involved in processing personal data. Following the UK's departure from the EU in January 2020, the UK government transposed the EU GDPR into local law (the "UK GDPR"). As of the date of publication of this article, the UK GDPR for the most part mirrors the EU GDPR.

The EU GDPR and UK GDPR (collectively the "GDPR") apply to:

1. Organisations established in the EU or UK (under the EU GDPR and UK GDPR respectively) that are processing personal data of any individual (referred to as a data subject).

2. Organisations not established in the EU or UK that are processing personal data of data subjects and are either:

a. offering goods or services to such data subjects in the EU or UK; or

b. monitoring the behaviour of such data subjects so far as the behaviour being monitored takes place within the EU or UK.

For organisations to whom the GDPR applies, the GDPR introduced an obligation to report personal data breaches to regulators, individuals and/or data controllers (as appropriate) (Articles 33 and 34 GDPR). Personal data breaches are often, but not always, associated with a cyber security incident.

To whom an organisation should report a personal data breach under the GDPR will depend on the following factors, each of which is expanded on below:

1. whether a personal data breach has occurred;

2. whether the organisation acts as a data controller or data processor in relation to the personal data affected; and

3. whether the personal data breach is notifiable i.e., whether it meets the statutory thresholds.

(a) What is a personal data breach?

Article 4(12) GDPR defines a personal data breach as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". The GDPR does not distinguish between causes of a personal data breach, i.e., if a personal data breach has occurred and it meets the thresholds for reporting set out under Articles 33 and 34 GDPR, a regulator and, where applicable, individuals should be notified. As such, notifications under the GDPR could be submitted for a broad range of issues including:

– an email attachment being sent to the incorrect recipient;

– a laptop being left in a public place;

– inadvertently making documents and/or folders accessible to individuals who should not have permission to see the relevant data;

– an unauthorised third-party gaining access to an organisation's systems (which may include deploying ransomware);

– deleting personal data that still needs to be retained meaning it is no longer available; and

– altering personal data meaning it is no longer accurate.

(b) What are the responsibilities of a data processor vs data controller?

By way of reminder, the obligations imposed on an organisation under the GDPR will depend on whether the organisation is considered a data controller or data processor. The GDPR defines a data controller and data processor as follows:

Controller "means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4(7) GDPR).

Processor "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (Article 4(8) GDPR).

A data processor is only required to notify a data controller of a personal data breach (i.e., a data processor is not responsible for notifying a personal data breach to a competent regulator or, where required, to affected individuals). As such, the first step any data processor should take is to determine whether an incident has resulted in a personal data breach, as defined above. A data processor must subsequently determine whether the compromised personal data was processed on behalf of the data controller. If so, the data processor must notify the data controller of the personal data breach "without undue delay" (Article 33(2) GDPR). In addition, a data processor must "assist the controller in ensuring compliance" with its obligations under Articles 33 and 34 (amongst others), i.e., ensuring that a data controller has the information needed to notify regulators and, as required, affected individuals within the applicable deadlines (Article 28(3)(f) GDPR). Data processors should always review their contracts with their data controllers (a data processing agreement or otherwise) for provisions relating to personal data breach reporting. In particular, it is common to see a contractual timeframe stipulated for reporting an incident to a data controller, rather than the "without undue delay" timeframe specified by the GDPR.

A data controller is responsible for making notifications to a regulator and, where required, affected individuals as appropriate. This includes determining whether a personal data breach has occurred and is notifiable to the regulator and individuals.

(c) Is a personal data breach notifiable to a regulator and individuals?

When determining to whom a personal data breach should be reported, organisations must assess whether the personal data breach poses a risk to the rights and freedoms of data subjects. Whilst the reporting thresholds for notifications to regulators and to affected individuals both use the same metric of risk to the rights and freedoms of data subjects, the thresholds are slightly different, as set out in detail below.

A data controller must notify a regulator "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33(1) GDPR) (emphasis added). As such, the default position is that a personal data breach should be reported to a regulator unless it is unlikely to pose a risk to individuals. The GDPR states that a cyber security incident which compromises personal data and that could "result in physical, material or non-material damage" to individuals would constitute a personal data breach (Recital 85 GDPR). This includes, for example, loss of control of personal data, limitation of an individual's rights in relation to their personal data, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other economic or social disadvantage to the individual.

Individual notifications must be submitted if a personal data breach is likely to "result in a high risk to the rights and freedoms of natural persons" (Article 34(1) GDPR) (emphasis added). As such, the threshold for reporting a personal data breach to the regulator is lower than the threshold for reporting a personal data breach to an individual.

If the relevant thresholds set out above are met, a data controller must notify a regulator within 72 hours of becoming aware of the personal data breach (Article 33(1) GDPR), and individuals "without undue delay" (Article 34(1) GDPR). In practice, individual notifications may take some time, particularly after a cyber incident where data may need to be reviewed to determine which individuals are affected.

Originally published by DEN HOLLANDER

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
