The new European Data Protection Regulation 679/2016 introduces the concept of Data Breach “as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmission, stored or otherwise processed” (Article 4(12)). The Working Party 29 identifies data breach in 3 categories: the “Confidentiality Breach”(the data is no longer confidential as a result of accidental or abusive access in the course of which someone else has knowledge), the ” Integrity Breach”(someone has changed the data in an accidental or unauthorized manner), the “Availability Breach” (the data is no longer available as a result of accidental or unauthorized loss or destruction).

Data breaches are not necessarily due to hacker attacks. For example, a data breach could occur if an unencrypted device is lost with the personal data stored on it: in this case there is a loss of confidentiality and availability especially if the backups are not available or are no longer available . Another possible data breach situation occurs when a device is infected by a ransomware, which is a malware that encrypts files that require payment of a ransom for data recovery: as before, this causes loss of integrity and availability of some data. In addition, a common case of possible data breaches occurs when a personal data is sent by mistake to an unauthorized third party (via e-mail for example) or when the theft of a device occurs, unless appropriate security measures have been taken (such as disk encryption).

Guidelines of the Working Party 29 can be found here.

CRC CS-Aware Team