5 practical recommendations for managing data breaches

Security holes in customer databases, targeted hacker attacks on IT systems, mailing lists inadvertently misaddressed, or bank statements sent to the wrong recipient - if the reports in daily newspapers are taken as an indicator, it would appear that for some time hardly a day goes by without some sort of data breach taking place.

Such data breaches can easily lead to the loss of a significant amount of personal or other highly sensitive data. For the companies concerned, this not only means a considerable risk of exposure to liability but, most of all, a risk of irreparable damage to image or a disclosure of important business secrets which is detrimental to business. The most important question here is therefore how the companies concerned can best deal with such data breaches. The five recommendations below are intended to provide an overview of the essential steps to be taken so that data breaches can be dealt with in an effective and constructive manner:

1. Take immediate action

In a first step, immediate action should be taken as soon as the data breach has been identified with the aim of avoiding and mitigating damage as best as possible. Such immediate action should be documented with a view to potential exposure to liability. To prevent any further loss of data, identified security holes should be promptly closed and the required security actions should be taken. In a worst case scenario, this may also mean temporarily shutting down the IT systems concerned, fully or partially, or disconnecting them from the Internet. In case of lost mobile IT systems such as mobile phones or notebooks, remote deletion may be a suitable option, provided that the devices are equipped with appropriate software. Damage mitigation is more difficult when it comes to lost data which has already become known to an unauthorized third party or where it cannot be ruled out that an unauthorized third party has obtained knowledge of the data. In this case, steps must be taken which go beyond those described above in order to best prevent any abuse of such data. If, for example, a data breach involves the access data of customers or staff, it should be ensured that the access concerned is blocked or at least restricted until the authorized users have identified themselves again, for example, by answering security questions.

2. Identify information and secure evidence

The implementation of immediate action should be accompanied by the measures to find all relevant information about the data breach. Any information gathered not only serves as a basis for improving IT security with lasting effect in the future, but most of all contributes to the necessary legal assessment of the data breach and the associated analysis of liability risks. The aim of these measures is a detailed analysis of the data breach, in particular regarding how such data has been leaked and what data has become, or may yet become, unlawfully known to a third party. At the same time, measures must be taken to secure evidence. Depending on the kind and extent of the data breach, specialized service providers should be called in, if necessary, to carry out a forensic examination of IT systems.

3. Legal assessment of the data breach

On the basis of the information identified, both a legal assessment and an analysis of liability risks are required with regard to the data breach, in particular with a view to compliance with statutory information requirements and a potential liability under civil law towards the parties concerned. First, the focus of the legal assessment is on the statutory information requirements to be met in case of certain data breaches. Section 42a of the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) und Section 15a of the German Telemedia Act (Telemediengesetz - TMG) require in certain circumstances that the competent supervisory authority and the persons affected by the data breach are informed without undue delay. The statutory information requirements apply if certain categories of data are unlawfully transmitted or have otherwise unlawfully become known to a third party with a risk of severe impairment of the rights or interests of those concerned which require protection. This does not necessarily require that unlawful knowledge of an unauthorized third party has actually been established. The information requirement in fact already arises when unauthorized knowledge of a third party is highly likely. In a legal assessment, the data controller has to make an objective forecast as to whether there is a risk of another severe impairment of rights or interests of the person concerned beyond the infringement of the right to informational self-determination which the data loss entails (e.g. identity theft or abuse of bank account or credit card information). The more serious the potential consequences for the person concerned, the lower the requirements for assuming a likely occurrence of an impairment.

4. Inform the authorities and the parties concerned – data breach notifications

If, according to the outcome of the legal assessment, statutory information requirements apply (Sec. 42a of the German Federal Data Protection Act (BDSG), Sec. 15a of the German Telemedia Act (TMG)), the competent supervisory authorities must be informed without undue delay. The information of the person concerned which is likewise required can be postponed until appropriate action for securing data has been taken. However, it can also be legally required or otherwise advisable that the persons concerned are also informed in cases in which no express statutory information requirements apply. It may be advisable for a company alone for image reasons, if nothing else, to take a proactive approach to data breaches and to inform the customers concerned about the issue and its consequences. Experience has shown that a loss of data can become the focus of media attention faster than expected. If a company concerned holds back information for too long, there is a risk that its customers’ trust may suffer significant damage. Besides, informing the persons concerned can also be required for legal reasons in cases in which there is no information requirement expressly defined by law. For instance, information requirements may result from a general contractual duty to protect. In many cases, however, information may also be necessary to limit any liability towards the persons concerned.

5. Post mortem review and data loss prevention strategy

The data breach should also be followed up by carrying out an extensive post mortem analysis, with the findings resulting from the data breach, including both negative and positive experience gathered in dealing with the data breach, being used to improve data security in the company with lasting effect and to develop a data loss prevention strategy. When a data breach occurs this, at the latest, should prompt the data controller to carry out an overall review of data security at the company and to initiate the steps required to optimize data protection and data security. This should not only involve regularly checking and optimizing the IT systems used and implementing recognized IT security standards. Expert training of staff at regular intervals is an essential part of a sustainable strategy for guaranteeing continued improvement of data protection and data security inside a company. In addition, binding corporate policies and guidelines should also emphasize the binding character and the importance of a responsible handling of personal and other sensitive data.