Security incidents: what to do?
Any business that, to a greater or lesser extent, has started or has thought about starting its digitisation process may become a victim of a cyber-attack.
Websites, apps, or e-commerce sites run by businesses are almost always hosted on third-party servers. Therefore, however small your business, if an attack targets the servers of the major companies that host their clients' content, nobody is safe from becoming a victim of that attack.
These major companies often have measures to minimise the risks, but they are never 100% safeguarded. What happens, however, if the personal data of your clients, employees or the recipients of your newsletter is put at risk during the attack?
What does the data protection regulation have to say about security incidents?
Until the GDPR came into force (May 2018), the obligation was limited to internally controlling and registering any incident that might affect the security of personal data. The incident had to be identified, and steps taken to minimise or eliminate it, before it could be formally closed. Since 2018, this formal obligation has included two further steps:
- Reporting the incident to the Data Protection Agency.
- Informing the people involved.
Information to the Data Protection Agency (AEPD)
The AEPD has published an extensive Guide on how to manage security incidents. This Guide and current regulations clearly establish the obligation to report any security incident to the AEPD within 72 hours.
A channel has also been set up to do so online. The only exception to the notification is when you are able to prove that the incident poses no risk to the people involved.
The examples given by the AEPD for no notification include when the personal data affected by the incident has already been published by another channel. Therefore, if this is not the case then notification will be mandatory.
Information to the people involved
Where a high risk is determined for the people involved in the incident (e.g. password theft), they must also be notified in person, indicating the measures they can take to minimise the risks (e.g. immediate password change).
Recommendations regarding security incidents
Any company or self-employed individual could be involved in a security incident (who has never lost a USB drive?) and, therefore, certain minimums must be available to meet this obligation:
- Your personnel must know what an incident is and what to do if they recognise one, and must be provided with minimum information on the most common attack techniques (social engineering).
- Make sure you have the latest antivirus and anti-malware versions.
- Update the software in the company regularly.
- Make sure your suppliers inform you if they become aware of an incident that affects your business's data.
In short, although small businesses are increasingly placing their business in the hands of others (or precisely because of this), this does not protect them from attacks nor, when an attack occurs, from the obligation to comply with the data protection regulation.
Víctor Roselló Mallol, lawyer.