Protecture often get asked to advise whether a breach should be reported.
The Easyjet incident highlights that the risk to individuals’ rights and freedoms and the potential significance of even basic data must always be at the forefront of your assessment.
When to report…and to whom
Before the GDPR, you could be forgiven for thinking the NHS, Education and Local Government were the only sectors suffering breaches. They accounted for 56% of self-reported breaches…whilst “General business” had only 9%. (1)
In reality, breaches happen across all sectors, but organisations did not often voluntarily choose to report.
The GDPR changed this. Now all organisations have to establish the likelihood and severity of the resulting risk to people’s rights and freedoms.
• If it’s likely that there will be a risk then you must report to the ICO
• If it’s likely to result in a high risk, you must inform those concerned directly.
This means that the threshold for informing individuals is higher than for notifying the ICO. And whether you self-reported is one of the factor the ICO considers when assessing whether to impose an fine (and deciding on the amount of the fine). (2)
So getting the decision right is important.
Who did Easyjet tell…and when?
The press release from Easyjet makes fascinating reading.
From the start, it makes clear that it was “following discussions with the ICO” that Easyjet were making this public announcement.
They had previously told only the 2,208 customers whose credit card details were accessed.
They had not, until the press release, told the 9 million customers who had their email address and travel details compromised.
Why would this be the case?
A loss of credit card details opens customers up to outright fraud. This seems to clearly meet the criteria for informing the individuals.
But email address and travel details? Perhaps Easyjet did not consider the potential impact on individuals to be as significant, and therefore below the threshold for telling the customers.
Why might they have changed their mind?
The line from the CEO:
“owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed…”
Precise, personal travel details could be used to make potentially compelling phishing emails.
And consider: if just 1% of those affected responded to a scam email, and only 10% of them lost out financially, then that’s another 9,000 customers affected.
And at this time of increased online activity, with cancelled or rearranged flights, those risks are greater than normal.
And as the ICO’s guidance notes, you should consider if informing people promptly means they can “mitigate an immediate risk of damage to them…[and] help them take steps to protect themselves from the effects of a breach.”
Assessing risk to individuals’ rights and freedoms
It is critical to focus on the potential (as well as any actual) negative consequences for individuals. The GDPR at Recital 85 outlines some of the key considerations.
At Protecture, we have developed a tool for assessing the consequences. This considers
• People: the number and nature of affected individuals.
• Records: Volume of data affected.
• Severity of consequences: for example, the data sensitivity and the ease with which the person can be identified.
Protecture’s 5 key breach management tips
Staff need to know what a breach looks like: it is not just losing a laptop or notepad or misdirect an email. It is anything that leads to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”
- Clear procedure
Staff need to know who to report a breach: is it to their line manager, a named point of contact or an email address? Do they deal with IT breaches different to other breaches?
- Record keeping
The ICO notes you will need to be able to justify any decision not to not report a breach, so record keeping is important. It also helps ensure consistent decision making
- Decision making
The decision whether to report to the ICO, and in particular to the individuals affected, can have significant reputational and financial consequences. You should have a clear policy on who will make that decision (which person, committee or body).
If you use a supplier (Data Processor) they must, to comply with their own GDPR obligations, inform toy of any breach they suffer without undue delay. This requirement should be outlined in the contract between toy and toy supplier.3
National Cyber Security Centre
“How to spot the most obvious signs of scam emails, and what to do if you’ve already clicked”
1 ICO Annual Report 2017/18, p35
2 GDPR Article 83(2)(h).
3 GDPR Article 33(2).