Data breach: if you know it, do you avoid it? Not always

(by Federica De Stefani, lawyer and head of Aidr Regione Lombardia) We hear talk of data breaches more and more often, and the question that follows, almost naturally, is whether they can be avoided or, at least, contained.

The answer, unfortunately, is no: a data breach cannot be ruled out entirely, since "zero risk" does not exist.

It is certainly possible to reduce the chances of falling into the "trap" of a cyber incident, and to limit the consequences when one does occur, but that is a different matter.

To understand the phenomenon of the data breach, which is very often equated exclusively with a hacker attack, it is necessary first to understand what it is.

What a data breach is

The term "data breach" indicates a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (art. 4(12) GDPR).

As can be seen, a data breach need not derive from a hacker attack: it can also consist in a loss of availability of the data, as happens, for example, when a device is stolen.

When a data breach occurs

The types of data breach are quite varied. By way of example, the following all fall within the definition: access to or acquisition of data by unauthorized third parties; the theft or loss of IT devices containing personal data; the inability to access the data because of accidental causes or external attacks (viruses, malware, etc.); the deliberate alteration of personal data; the loss or destruction of personal data through accidents, adverse events, fires or other disasters; and the unauthorized disclosure of personal data.

Where a data breach can occur

A data breach, understood, as noted above, as a breach that affects the availability, integrity or confidentiality of data, can occur in any domain, physical as well as digital.

Think, for example, of the destruction of a paper archive, the theft of documents, or their tampering and alteration.

The parties involved in a data breach

A data breach is an event that, depending on the specific characteristics of the individual case, can involve different parties.

The data controller is the party who, under art. 33 GDPR, must act without undue delay and, where feasible, within 72 hours of becoming aware of the breach, to notify it to the Garante per la protezione dei dati personali (the Italian supervisory authority), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Conversely, if the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller, again without undue delay, must also communicate it to the data subjects (art. 34 GDPR). Where a data processor has been appointed, the processor must notify the controller without undue delay after becoming aware of a breach, so that the controller can take action.

The causes of a data breach

As noted, a data breach is a breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to, the data processed, and this means, in practice, that the security measures adopted have failed. However, one must not make the mistake of automatically inferring from the occurrence of a breach that the measures were inadequate, and thereby deriving, sic et simpliciter, a strict (objective) liability of the data controller. The matter is far more complex: the GDPR does not provide for liability of that kind on the part of the controller, but rather allows the controller to demonstrate that it did everything in its power to protect the data processed.

The human factor and the importance of training

If, on the one hand, the risk of a data breach cannot be eliminated entirely since, as noted above, zero risk does not exist, on the other hand it is necessary to consider which strategies and measures should be adopted to minimize that risk.

Beyond the "appropriate" technical and organizational measures required by the European Regulation (art. 32 GDPR), an important part of prevention lies in staff training.

To date, the human factor remains a widespread Achilles' heel in many organizations, even large and well-structured ones.

The lack of adequate and specific training, and the absence of suitable policies on the use of IT tools and procedures, are still today among the most widespread causes of data breaches.

The crux of the matter lies not only in the type of protection adopted, but also in how it is applied, kept up to date, and backed by specific training for those who process the data.

It must not be forgotten that compliance operates on several levels and must cut across the whole organization: it cannot concern only the technical side and cybersecurity, but must also address the organizational and procedural aspects of the so-called human factor.
