(from 2015) Rethinking Personal Data Breaches (EU)

So as the world stands still – and waits for GDPR to pass the European Parliament vote in a few days, and just before we are all hit by a wave of audit/certification/consulting firms selling their services – here’s a quick look at Personal Data Breaches.

According to Opinion 03/2014 of the Article 29 Working Party – which back in the day was just an opinion, but now gets quite a bit more muscle: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp213_en.pdf

Most people think of a data breach as an event in which data is accessed by an unauthorized person, resold on the darknet, made public by some miscreant, etc.

The Article 29 Working Party took a much more holistic view – and includes loss of integrity and timely accessibility along with the loss of confidentiality.

Opinion 03/2014 gives examples of data breaches, and walks the reader through assessing the impact. While the GDPR will provide us with more details and requirements (e.g. to notify within 72 hours), the Opinion does a good job illustrating the underlying thinking.

So quoting from the Opinion:

Case 1: Four laptop computers were stolen from a “Children’s Healthcare Institute”; they stored sensitive health and social welfare data as well as other personal data concerning 2050 children.

  • Potential consequences and adverse effects of the confidentiality breach:
    The first impact is a breach of medical secrecy: the database contains intimate medical information on the children which are available to unauthorized people. [..]
  • Potential consequences and adverse effects of the availability breach:
    It may disturb the continuity of children’s treatment leading to aggravation of the disease or a relapse. [..]
  • Potential consequences and adverse effects of the integrity breach:
    The lost data may affect the integrity of the medical records and disrupt the treatments of the children. For example, if only an old back-up of the medical records exists, all changes to the data that were made on the stolen computers will be lost, leading to corruption of the integrity of the data. The use of medical records that are not up-to-date may disrupt the continuity of children’s treatments leading to aggravation of the disease or a relapse. [..]

So the overall paradigm is a bit different from elsewhere. – It will be interesting to see how many changes were made last minute to the GDPR, but assessments like the one above should be commonplace in 2018 and beyond.