Zlatko Petrović
Assistant Secretary General at Commissioner for Information of Public Importance and Personal Data Protection
What is a personal data breach?
The term "personal data breach" (Serbian: "povreda podataka o ličnosti") entered our legislation with the Law on Personal Data Protection of 2018, which adopted the solutions of the EU General Data Protection Regulation (GDPR) verbatim. It is defined as "a breach of security of personal data leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
However, even before the adoption of this law, there were breaches of personal data, although they were not called that at the time. In the last ten years, the personal data of the citizens of our country were often compromised, and the accumulation of data without a clearly defined purpose, combined with negligence or malicious intent and clumsy digitalization, almost always led to incidents. This irresponsible approach caused greater or lesser risk for the persons whose data were involved. Moreover, the citizens themselves were mostly unaware of what was happening with their data.
It is enough to recall the publication of the data of 5.2 million citizens on the website of the Privatization Agency (Agencija za privatizaciju) in 2014. Also illustrative is the case of the Integrated Health Information System (IZIS), thanks to which in 2016 any internet user could access the medical record of any citizen of our country. Also notable is the application "Izabrani doktor" ("Chosen Doctor"), which in 2018 allowed anyone to access other people's health data.
All of the above cases were essentially examples of personal data breaches, in which the confidentiality and integrity of personal data were violated. The new Law on the Protection of Personal Data raises these two words to the level of principles of personal data processing, so every operator is obliged to take appropriate technical, organizational and personnel measures, so that the data remains preserved and confidential.
What are the consequences?
What are the consequences of a personal data breach that gets out of control? A data breach can produce physical, material or non-material damage, psychological problems, loss of control over data, discrimination, identity theft, fraud, financial losses, damage to reputation... Just think of what the unauthorized publication of your health record, school grades, current account data or data from a dating application can lead to.
The operator, as the main and responsible actor, is obliged to do everything in his power to prevent a personal data breach from occurring. This means that he is obliged to implement a set of technical, organizational and personnel measures to keep the data safe. This includes establishing protection measures such as pseudonymization and encryption, clearly defining mutual roles with processors and other handlers, mapping the data and recording it in the records of processing activities, and taking measures to secure the processing. It also implies the existence of backed-up data, disaster recovery plans, measures to maintain the confidentiality, integrity and availability of data, and a number of other measures that will ensure that a breach does not occur.
However, if a breach does occur, it must be handled in accordance with the law. If the processor determines that a breach has occurred, he must inform the operator about it without delay. The operator must properly document and analyze every personal data breach he observes.
If the operator determines that the resulting violation may cause a risk to the rights and freedoms of the person to whom the data refer, he must notify the Commissioner of this within 72 hours of learning of the violation. The operator is then obliged to submit a notice to the Commissioner with relevant information about the violation: what happened, how much data is included in the violation, which persons are involved, what are the possible consequences of the violation, and what was done regarding the resulting violation. Along with this notification, he is obliged to submit to the Commissioner a record of the data processing actions that are the subject of the violation.
If the operator determines that the breach may create a HIGH risk for the rights and freedoms of the person to whom the data refer, then that person must also be informed about the breach.
That's what the law says. However, is the operator even able to recognize the violation of personal data, when it occurs? Do its employees know how to react if they notice a breach of personal data? How is the operator to determine what happened to the data and whether the violation may cause a risk to the rights and freedoms of the person whose data is in question? If he doesn't know all that - how will he determine whether a data breach can create a HIGH risk for the same rights and freedoms? When we add misdemeanor responsibility for each of these items to all of that - only then does the need for a detailed clarification of the legal provisions arise.
For a better understanding of what is written in the Serbian Law on the Protection of Personal Data, it is necessary to consult both the provisions of the GDPR and the current Guidelines of European authorities in the field of personal data protection.
First, you should keep in mind that there are three types of personal data breaches:
- Breach of confidentiality – where there is unauthorized or accidental access to, or disclosure of, data;
- Breach of integrity – where there is an unauthorized or accidental change of data;
- Breach of availability – where there is an accidental or unauthorized loss of access to, or destruction of, personal data.
The operator and the processor should establish appropriate procedures, so that they are able to detect the occurrence of a breach and act accordingly. First of all, this implies that information about an observed breach is sent to the service responsible for handling it, and employees must be informed of this procedure. This service has the task of analyzing and documenting the breach itself, taking measures to reduce the risk and potential damage, and notifying the Commissioner (if the breach may cause a risk to the rights and freedoms of the person to whom the data refer) and the person whose data are involved (if the breach may produce a HIGH risk). If the operator has designated a data protection officer, that officer must be included in this procedure.
A data breach is considered to carry a high risk when it may lead to physical, material or non-material damage, and especially when special categories of personal data are compromised (racial or ethnic origin, sex life and orientation, trade union membership, political opinion, biometric, genetic and health data, philosophical or religious belief) or criminal record data. However, a high risk can also exist in other cases, so it is always necessary to take into account what kind of data is involved, what the nature of the data is, how much data is involved, to which persons the data refer... In this sense, when determining risk it is important to keep in mind whether the data originate from a hospital, humanitarian organization or political party, and whether they relate to children, minority groups, the disabled, and the like.
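To make the decision rule in the preceding paragraphs concrete, here is an added Python example (not from the article or the Commissioner's office) that records a breach under one of the three types above, flags the high-risk factors the article names, and computes the 72-hour Commissioner deadline from the moment the operator learned of the breach. The category tag names, the conservative default of treating an undocumented analysis as a risk, and the sample incidents are assumptions made for illustration, not a legal determination.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorized or accidental access/disclosure
    INTEGRITY = "integrity"              # unauthorized or accidental alteration
    AVAILABILITY = "availability"        # accidental or unauthorized loss of access/destruction

# Tag names are constructed for this example; the categories themselves are the ones
# the article lists as pointing to a HIGH risk.
SPECIAL_CATEGORIES = {"racial_ethnic_origin", "sex_life_orientation", "trade_union",
                      "political_opinion", "biometric", "genetic", "health",
                      "philosophical_religious_belief", "criminal_record"}
SENSITIVE_SOURCES = {"hospital", "humanitarian_organization", "political_party"}
VULNERABLE_SUBJECTS = {"children", "minority_group", "disabled"}
NOTIFICATION_WINDOW = timedelta(hours=72)   # deadline for notifying the Commissioner

@dataclass
class Breach:
    kind: BreachType
    categories: set           # kinds of personal data involved
    source: str               # where the data originate
    subjects: set             # groups of persons the data refer to
    learned_at: datetime      # when the operator learned of the breach
    documented_no_risk: bool = False  # documented analysis found no risk to rights and freedoms

@dataclass
class Assessment:
    level: str                # "none", "risk" or "high"
    notify_commissioner: bool
    notify_subjects: bool
    commissioner_deadline: datetime
    reasons: list

def assess(b: Breach) -> Assessment:
    """Risk -> notify the Commissioner within 72 h; HIGH risk -> notify the data subjects too."""
    reasons = []
    if special := b.categories & SPECIAL_CATEGORIES:
        reasons.append(f"special categories involved: {sorted(special)}")
    if b.source in SENSITIVE_SOURCES:
        reasons.append(f"data originate from a {b.source}")
    if vulnerable := b.subjects & VULNERABLE_SUBJECTS:
        reasons.append(f"data refer to vulnerable persons: {sorted(vulnerable)}")
    level = "high" if reasons else ("none" if b.documented_no_risk else "risk")
    return Assessment(level, level != "none", level == "high",
                      b.learned_at + NOTIFICATION_WINDOW, reasons)

# Constructed sample incidents (not from the article): a leaked hospital export of health
# records, and a mailing sent with recipients in CC instead of BCC.
SAMPLE_HEALTH_LEAK = Breach(BreachType.CONFIDENTIALITY, {"health", "name"}, "hospital",
                            {"patients"}, datetime(2024, 3, 1, 9, 0))
SAMPLE_CC_EMAIL = Breach(BreachType.CONFIDENTIALITY, {"email"}, "company",
                         {"customers"}, datetime(2024, 3, 1, 9, 0))
```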
A personal data breach can occur with data in both automated and non-automated form.
Data processing in the Internet environment carries special types of risk, so the operator must take modern technical measures in order to prevent possible data breaches. One of these special threats is extortion software (ransomware), which prevents the operator from accessing the data. In such situations, it is necessary to analyze and document the data breach, to determine what kind of software is involved, and whether or not there was an unauthorized download (exfiltration) of data. The operator will often not have the appropriate knowledge and resources for this delicate task, so he will have to engage cyber security experts for it.
Examples of data breaches are numerous, if the human factor is considered as a potential risk in processing.
An employee may abuse the right to access data, download or copy it, and further use it in various ways (for personal purposes, for sale to a competing company, or for the media). There are many ways to copy such data: the employee can copy it to a USB drive, print it, burn it to a CD/DVD, photograph or record it with a mobile phone, send it via email, or store it on a cloud server. Personal data breaches can also happen unintentionally, by sending mail to the wrong address, sending emails to a mailing list using the CC instead of the BCC option, and the like.
Prevention
For these reasons, it is necessary to narrow the space for employees to commit such breaches, accidentally or intentionally, through:
- training,
- assigning data access levels,
- disabling the use of portable media,
- exclusive use of encrypted devices,
- a strict password policy,
- filtering user activities,
- tracking unusual data flows on the server,
- banning the use of devices that can record video in the monitoring center,
- familiarizing employees with phishing and ransomware attacks and other types of social engineering to which they may be exposed,
- termination of all data access rights of an employee whose employment relationship has ended,
- implementing a clean desk policy,
- establishing a print management system, etc.
Necessary technical measures include constant strengthening and improvement of data processing security, establishing a separate backup, using anti-malware detection systems, updating operating systems and installed software, establishing a logging system, an effective firewall and an intrusion detection and prevention system, using a VPN connection, multi-factor authentication, penetration (pen) testing, establishing a Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) in the organization or joining a collective CSIRT/CERT, and establishing the possibility of remote data deletion in case of theft or loss of portable devices.
All these measures represent prevention, in order to enable safe processing and prevent personal data breaches. However, despite all the measures taken, data breaches do happen, even in the most complex and well-equipped systems. It is up to the operator to do everything in his power to prevent personal data from being breached, and if a breach does happen, the operator must carefully analyze and document it and act in accordance with the law, which is in his best interest, but also in the interest of the person whose data are in question.