20 min · Adrián

Security Breach Management

What constitutes a breach, 72-hour notification to AEPD, communication to data subjects, breach register, response protocol and sanctions for non-notification.

What Is a Security Breach?

A personal data security breach (in Spanish practice, a "violación de seguridad") is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. That is the definition in Art. 4.12 GDPR. It is deliberately broad: an incident counts even if it was accidental and even if it was caused by an insider. The EDPB guidelines on breach notification group breaches into three types, and a single incident can fall into more than one:

  1. Confidentiality breach: Unauthorized access or disclosure (e.g., an employee accesses client files without justification, or an email with personal data is sent to the wrong recipient).
  2. Integrity breach: Unauthorized alteration of data (e.g., an attack modifying client contact details in the firm's database).
  3. Availability breach: Loss of access to or destruction of data (e.g., ransomware encrypts the firm's case files with no accessible backup).

Common Examples in Law Firms

  • Theft or loss of an unencrypted laptop or phone containing client data.
  • Mass email sent with addresses in visible copy (CC instead of BCC).
  • Unauthorized access to the firm's practice management system through compromised credentials.
  • Document destruction without a secure destruction protocol.

Notification to the AEPD (Art. 33 GDPR)

The data controller must notify the AEPD of the breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The clock runs in calendar hours, including weekends and public holidays, and starts when the controller has a reasonable degree of certainty that an incident has compromised personal data, not when the investigation is complete. If notification is made after 72 hours, it must include the reasons for the delay. A processor (for example, a hosting or practice management provider) that detects a breach must notify the controller without undue delay (Art. 33.2), so the firm's contracts with its providers should set out how and how quickly that happens.

The notification must include: the nature of the breach (type, categories of affected data, approximate number of data subjects and of data records concerned), the name and contact details of the DPO or other contact point, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

Exception: Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The decision not to notify must be documented and justified in the breach register, because the AEPD may later ask why it was not notified.

The AEPD provides a notification form on its electronic portal. The process can begin with a preliminary notification (when full information is not yet available) and be completed with successive notifications.

Communication to the Data Subject (Art. 34 GDPR)

In addition to notifying the AEPD, when the breach is likely to result in a high risk to the rights and freedoms of those affected, you must communicate it to them directly and without undue delay. The threshold is higher than for the AEPD notification (high risk, not merely risk), so every breach communicated to data subjects must also be notified to the AEPD, but not the other way round. The communication must describe in clear and plain language: the nature of the breach, the DPO or contact point details, the likely consequences, and the measures taken or proposed, together with recommendations for how those affected can protect themselves (for example, changing passwords or watching for fraudulent contacts).

Communication is not required when: technical and organizational protection measures were applied to the affected data that render it unintelligible to anyone not authorized to access it (such as strong encryption with keys that were not compromised), subsequent measures ensure the high risk is no longer likely to materialize, or individual communication would involve disproportionate effort (in which case an equally effective public communication must be made). The AEPD may also order you to communicate a breach it considers high risk.

Breach Register

Regardless of whether you notify the AEPD, Art. 33.5 GDPR requires that you document every personal data breach in an internal register. Each entry must record: the facts relating to the breach, its effects, and the remedial action taken. For breaches you decided not to notify, the entry should also record the risk assessment and the reasons for not notifying. The register is the evidence that lets the AEPD verify compliance with Art. 33, and it may request it during any inspection.

Recommended Response Protocol

  1. Detection and containment: Identify the incident, isolate affected systems, stop the breach if possible, and preserve logs and other evidence before restoring or wiping anything. Note the date and time at which the firm became aware of the breach, because the 72-hour clock starts there.
  2. Initial assessment: Determine the scope (what data, how many data subjects, what risk level).
  3. Notification decision: Is there a risk to data subjects' rights and freedoms? If likely, notify the AEPD within 72 hours, using a preliminary notification if the full picture is not yet available. If the firm is acting as a processor, notify the controller without undue delay instead.
  4. Data subject communication: Is there a high risk? If so, communicate directly and clearly with those affected, unless one of the Art. 34.3 exceptions applies and is documented.
  5. Record and document: Document the entire process, including any decision not to notify and its reasons, in the breach register.
  6. Post-incident analysis: Identify the root cause and implement measures to prevent recurrence.

Sanctions for Non-Notification

Failing to notify the AEPD of a breach, or notifying late without justification, can lead to significant sanctions. The AEPD has imposed fines ranging from 60,000 to 600,000 euros for breach management failures. Under Art. 83.4 GDPR, infringements of the notification obligations in Arts. 33 and 34 are punishable with fines of up to 10 million euros or 2% of total annual worldwide turnover, whichever is higher. These sanctions are separate from any fine for the security failure that caused the breach in the first place.


Module quiz

  1. A lawyer accidentally emails a client's medical file to another client of the firm. What type of breach is this?
  2. You detect a breach on Friday at 18:00. When does the maximum notification deadline to the AEPD expire?
  3. Ransomware encrypts all the firm's case files. You have a complete, up-to-date backup and restore the data in 4 hours. Must you notify the AEPD?
  4. After a breach affecting health data of 500 clients, you decide not to communicate with those affected because you already notified the AEPD. Is this correct?
  5. Six months ago, a minor breach occurred at the firm that you did not notify to the AEPD due to low risk. During an inspection, the AEPD asks to see your breach register. Are you required to have it?
