
How to report a security breach involving a personal data breach

In both the United States and Europe, it is mandatory to report a security breach in which the personal data of customers, employees or partners has been affected

A few weeks ago, Change Healthcare, one of the largest health insurance companies in the world, proceeded to communicate a security breach that had affected the personal, financial and health data of 100 million people.

This was the result of a cyber-attack that occurred in February and has ended up causing one of the largest data breaches in history worldwide. The information stolen was particularly sensitive because it included medical records and billing information.

In addition to warning about the risks of cyberattacks and focusing on the relationship between cybersecurity and data protection, this case highlights the importance of communicating a security breach affecting personal data in compliance with the regulations in force.

We have prepared this brief guide to help companies report a security breach they have suffered and avoid a situation in which, on top of the damage caused by the security incident itself, they are exposed to claims from affected individuals and sanctions from the competent authorities.

1. How to report a security breach in the European Union and the United Kingdom

To find out how to report a security breach affecting personal data, you should refer to the General Data Protection Regulation (GDPR) if your company is located in the European Union.

What about companies operating in the United Kingdom? Following Brexit, the UK opted to transpose the GDPR into its domestic law so, in essence, the UK GDPR is analogous to the GDPR that is in force across the English Channel.

What does the GDPR say about the duty of data controllers to notify a security breach?

1.1. Obligations to notify a security breach to the competent authorities

The European regulation establishes in Article 33 that:

  • The competent supervisory authority (in the case of Spain, the Spanish Data Protection Agency, AEPD) must be notified of a personal data security breach as soon as possible and, at the latest, no later than 72 hours after becoming aware that it has occurred. If this deadline is not met, the reasons for the delay must be justified.
  • The notification of a security breach must include at a minimum:
    • A description of the personal data breach: categories of data and number of individuals affected…
    • The name and contact information of the data protection officer.
    • A list of the potential consequences of the personal data breach suffered.
    • All measures implemented by the company to remedy the security breach and mitigate the effects it could trigger on the affected individuals.
  • If all this information cannot be reported when communicating a security breach, it should be provided gradually and without delay.
  • The data controller must document any personal data breach, its consequences and the measures implemented. This documentation is essential for the competent authority to be able to check whether the regulations were complied with, for example whether effective cybersecurity measures had been implemented.

1.2. Obligations to notify affected parties of a security breach

Regarding the duty to communicate a security breach to those affected by the personal data breach, the GDPR states that:

  • Data subjects must be informed as quickly as possible when there is “a high risk to the rights and freedoms of natural persons.”
  • This notification of a security breach to the affected individuals must be clear and explain in a simple but complete way the incident, its possible consequences and the measures taken.
  • Companies that have suffered a security breach are not obliged to notify those affected when:
    • The measures they had implemented to protect the data, such as encrypting the information, render it unintelligible to malicious actors.
    • Measures have subsequently been implemented that eliminate the possibility of the risk to the rights and freedoms of individuals materializing.
    • Notifying those affected would involve a disproportionate effort for the company. In that case, a public communication should be made to inform individuals.
  • If a company has not notified the affected persons of a security breach, the competent authority in our country, the AEPD, may require it to do so.

1.3. Consequences of not complying with the duty to report a security breach

Companies that fail to report a security breach to the competent authority or to the affected persons expose themselves to the risk that the affected persons may file claims before the AEPD and the other competent national authorities. Ultimately, severe penalties may be imposed on them for failing to comply with the GDPR.

Thus, fines for failure to duly notify a personal data breach can amount to up to 10 million euros or 2% of the global turnover of the offending company, whichever is higher.

To facilitate compliance with the regulations in our country, the AEPD launched Breach Advisor, a tool that helps companies know whether or not to report a security breach affecting personal data.

2. How to report a security breach in the United States

While it is easy to explain how to report a security breach in Europe, this task is more difficult in the United States. Why? Each state has its own regulations. By way of example, let’s look at how to report a personal data breach in the two largest states in the country: California and Texas.

2.1. Obligations to notify the authorities of a security breach

In California, companies must notify the California Attorney General’s Office of a breach of personal data security when more than 500 residents are affected. In Texas, the following must be notified:

  • The Attorney General’s Office, within 30 days of discovering the personal information breach, when the security breach affects at least 250 residents of the state.
  • Consumer reporting agencies, when more than 10,000 individuals are affected by the security breach.

The notification must be made by electronic means, and the content must be similar to that required in the European Union and the United Kingdom.

2.2. Obligations to notify affected persons of a security breach

State regulations impose a duty to notify affected persons of a security breach when unauthorized persons have been able to access:

  • Unencrypted personal data.
  • Encrypted personal information and the encryption key to overcome this protection measure.

How should the notification be made? The content of the notification is practically identical to that required in the EU and UK: it must clearly explain what has happened, what information has been exposed and what measures have been put in place to prevent further damage.

As for the period for communicating a security breach to affected persons, California only stipulates that it must be as quickly as possible and without delay, while Texas sets a 60-day time limit.

Companies that fail to comply with their obligations to notify of a security breach are exposed to fines and legal proceedings that can result in financial losses in the millions of dollars. A few weeks ago, the Marriott hotel group agreed with the 50 U.S. states to pay $52 million for security breaches that resulted in the theft of personal data of more than 130 million customers and for reporting them with delays that, in some cases, exceeded a year.

2.3. Health data has a special status

Not all data protection regulations in the United States are at the state level. For example, a federal regulation, HIPAA, seeks to protect the medical data of patients and insured persons. This law requires reporting a security breach involving health data to:

  • The affected individuals, within 60 days of becoming aware of the security breach.
  • The most representative media if the security breach affects 500 residents in the same state. This communication shall consist of a press release and must be made no later than 60 days after the health information breach becomes known.
  • The Secretary of the U.S. Department of Health:
    • Within 60 days of discovering the breach, if 500 or more individuals are affected.
    • Annually, if the individuals whose data has been exposed are fewer than 500.

3. The importance of detecting threats early and preventing security breaches affecting personal data

As is obvious, no company wants to find itself in the position of having to report a security breach that has affected the personal data of customers, employees, suppliers or business partners. Therefore, companies must have a security strategy in place to prevent security incidents leading to the theft or exfiltration of personal data.

Threat Hunting services play a critical role in this task:

  • Carry out an active and continuous search for threats, putting proactive cybersecurity into practice.
  • Detect threats early so they can be responded to before personal information is breached. To do this, they analyze EDR/XDR telemetry and can identify malicious activity even when no security alerts have been generated by the organization’s defensive technology.
  • Be at the forefront of research into new malicious techniques, tactics and procedures.
  • Provide valuable information to other cybersecurity services that are essential to prevent security breaches, such as Red Team or Incident Response.

In short, companies must implement cybersecurity services such as Threat Hunting to prevent security breaches involving theft, hijacking or leakage of personal information. In the event of such a breach, they must take into account their obligations regarding the notification of data breaches to public authorities and the people affected by them.