A data breach communication to the affected individuals requires a high level of detail, according to the Italian data protection authority.
Facts of the case
The decision of the Italian data protection authority arises from a data breach that exposed the passwords of 1.5 million email accounts.
The email provider had promptly forced a password change and, through its landing page, informed users to change their passwords, limiting the potential access to email accounts to the time window between the data breach and the implementation of that technical measure.
Also, the company had notified the data breach to the Italian data protection authority and had performed a data breach communication
- to the affected individuals who had changed their password during the last 48 hours, informing them only of “anomalous activity on the systems”, recommending no further action and emphasizing that the password change had rendered the previous password useless; and
- to the affected individuals who had NOT changed their password during the last 48 hours, informing them only of “anomalous activity on the systems” and recommending that they change their password to prevent the risk of access to their email accounts.
The position of the Italian data protection authority on the requirements of a data breach communication
The Garante held that, even though there was no evidence of access to the contents of emails, there was a high risk to the rights of the affected individuals under article 34 of the GDPR, since
the acquisition by a third party of authentication credentials for access to a service, regardless of whether this results in actual use for access to that service, is considered to be a potential source of harm to the data subject in view of the likelihood that the same credentials may also be used to access other online services;
As a consequence of the above, there was a continuing risk of identity theft affecting other accounts, whereas the company had only considered the risk of access to the email accounts affected by the data breach.
Therefore, the Italian data protection authority held that a new communication of the personal data breach to the data subjects was needed, containing
- a description of the nature of the breach and its possible consequences, and
- specific indications on the measures that the data subjects may take to protect themselves from any adverse effects of the breach, such as the recommendation to stop using the compromised password and to change the password used to access any other online service if it matches or is similar to the breached one.
Also, the communication could not be sent to the same email accounts that had been compromised, since whoever now controlled those accounts might not be their legitimate users.
Based on the above, a new data breach communication had to be performed that meets the content requirements of article 34 of the GDPR as interpreted by the Garante and is carried out through a communication channel able to reach the majority of users of the affected email accounts.
The feedback from the decision
This decision is quite interesting, since it shows an approach of the Italian data protection authority that goes beyond the direct consequences of a data breach. A possible counter-argument is that, since the company had no actual evidence that the affected individuals used the same password for other accounts, it could not foresee such a scenario and could not be held liable for circumstances outside its control that rest on mere factual assessments.
But, regardless of the arguments against such a decision, it shows a strict interpretation by the Garante that must be taken into account in the event of a data breach.
On the same topic, you can read “Top 3 lessons learned on how to be ready to handle a data breach.”