Data Breaches: what is it and what are our obligations?

In the last four years, we have been bombarded with alerts about data breaches. But what is a data breach and what are our data protection obligations once a breach occurs?

According to article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

This broad definition of a data breach means that it encompasses all three pillars of security (Confidentiality – Integrity – Availability). However, it is not always easy to identify if a security incident is a personal data breach. This is why categorizing the incident can help to identify whether it is a breach or not.

Let’s talk about the principle of CIA:
There are 3 different types of breaches that we must be aware of, which can be referred to as the CIA principle. There are two well-known breaches that are easy to identify; Confidentiality breach and Integrity Breach. A Confidentiality Breach is where the data is accessed or disclosed to an unauthorized person whilst an Integrity Breach is where the data is altered by an unauthorised person so that it is no longer accurate or complete.
However, there is a third type of breach that is harder to identify: an Availability Breach. This type of breach is where the data is no longer accessible or usable on demand by an authorized entity either temporally or definitively.

Over the past few years, the digital transformation in the healthcare sectors has been faster than ever. Paper-based systems have been replaced by electronic health records, with more and more clinical trials collecting data from e-systems and/or recording it in electronic database. Medical web-based smart devices have been developed to improve diagnosis and treatment. All of these developments have the clear aim to help save patients’ lives or make them far more comfortable. However, this expansion of e-connected systems also opens doors to attackers. Personal data breaches are widely observed in the healthcare sector because health data is more valuable on the black market than any other data including financial data.

This is one example among thousands. Data breaches have been increasing over the recent years. In fact, in its last survey regarding GDPR fines and data breaches, DLA Piper published that there have been over 130,000 personal data breaches notified to regulators. For perspective, that is an average of 356 breach notifications per day, an 8% increase on last year’s daily average of 331 notifications per day.