How to behave in case of a data breach
Article 4, paragraph 12 of EU Regulation 679/2016 defines a Data Breach as “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
A Data Breach therefore involves a compromise of the integrity of personal data or of their confidentiality.
When does a Data Breach occur?
A Data Breach can take several different forms; to distinguish them it is useful to identify three macro-areas.
Confidentiality Breach. This is the most common type, and it occurs with unauthorized, accidental or abusive access. Among the most common errors, for example, is sending a pay slip to a person other than the intended recipient: it was an accidental action, but it is still considered a violation.
Availability Breach. It occurs in the event of loss or destruction of data. Although it may seem an unusual kind of violation, a Data Breach also occurs when the ability to access a service is lost, or when data on a USB drive containing important documents that are not available in any other way is deleted.
Integrity Breach. It occurs in the event of unauthorized or accidental modification of data. In this case, the Data Breach takes shape when a third party, without authorization, comes into contact with personal data and modifies them.
Two data breaches in 2023
Even in 2023, data breaches continued to pose a significant threat to businesses of all sizes.
In 2023, Uber suffered a massive breach that compromised the data of 57 million users and drivers. The attack was the work of a hacker who exploited a vulnerability in Uber’s multi-factor authentication (MFA) software.
The attack had a significant impact on Uber’s reputation and led to an investigation by the Federal Trade Commission (FTC). Uber has taken several steps to improve its cybersecurity, but the attack highlighted the need for increased attention to MFA security.
In November 2023, LastPass, a password manager, suffered a data breach that compromised the data of 33 million users. The attack was the work of a hacker who gained access to LastPass’s systems through a phishing attack.
The attack had a significant impact on LastPass users, who were forced to change all of their passwords. LastPass has taken several steps to improve its cybersecurity, but the attack highlighted the need for increased attention to password manager security.
What to do in case of a Data Breach?
When a Data Breach occurs, an intervention process should be carried out that focuses mainly on the assessment of the breach and the subsequent communications to the competent authority.
The first thing to consider is whether or not the Data Breach must be notified to the Guarantor Authority. The notification must be made by the data controller, so that the best course of action for the parties involved can be identified.
If the controller has established that there are concrete risks to the rights and freedoms of natural persons, it must forward the notification to the Guarantor Authority no later than 72 hours after becoming aware of the breach. The Authority will then define the best methods of intervention and the conditions to be applied to restore the status quo.
Furthermore, if the violation involves a significant risk, the controller must also communicate it to the parties involved. The communication can take place by whatever means the controller prefers; for example, if the number of parties involved is limited, it is possible to carry out the communication directly.
If the controller does not notify the violation within 72 hours, the GDPR provides for pecuniary sanctions that can reach up to 10 million euros or, for companies, up to 2% of total annual turnover.
Preventive protection
Companies often realize how important it is to protect personal data only when a data breach occurs.
To adopt a preventive approach, adequate training in security matters is very important. Although Data Breaches may seem inevitable, in most cases they are caused by accidental human error.
Employee training is essential to raise the level of IT security and incident management in a business context. Similarly, changing passwords periodically, using two-factor authentication, and recognizing potential malware and phishing emails are actions that can be very useful in minimizing potential breaches.