What are the key points that solicitors need to consider when responding to data breaches and incidents – and exactly when do you need to inform the Data Protection Commission? Brendan Quinn prepares your minority report.

Solicitors’ work can involve high-risk processing, in particular where it involves the handling of client funds and payment details for transactions. Personal data processed in litigation can, when contentious, involve lots of special category or criminal-offence data, or the processing of data on individuals that the GDPR considers vulnerable, including employees, and family court matters.

The Data Protection Commission (DPC), in particular, considers controllers’ processing of children’s data to be a high priority for enforcement. Also, case law of the European Court of Human Rights has emphasised the need to actively protect children from data breaches involving the risk of identity theft.

Data breaches cover a wide range of scenarios, including ransomware, malware, phishing attacks, the loss of an unencrypted laptop, or even the loss or destruction of paper files.

This article summaries the key points and matters solicitors need to consider when responding to an incident. Solicitors working in-house, for example, in financial services and the telecommunications sectors, can also have reporting obligations under other legislation.

DPC enforcement

The GDPR introduced mandatory reporting requirements for breaches. The focus of the DPC until recently was on giving guidance to controllers, rather than on enforcement.

In November 2021, DPC spokesman Graham Doyle indicated that the DPC would be changing its approach on data breaches in the future and would not engage in all notifications but, instead, would assess cases focusing more specifically on areas where enforcement was warranted.

This would include both international technology and local breaches. Therefore, solicitors should expect that some breaches will result in fines and other sanctions that could have an impact on their clients and the legal profession as a whole.

Many factors are driving the growth in breaches. These include the discovery of new vulnerabilities as targets grow and as all industries become digital, and more processes are moved online.

While other laws required the reporting of breaches, the GDPR created a more general regulatory requirement to report breaches that posed risks to individuals.

Incidents must be documented, even where an assessment determines that reporting is not required. As communications need to be made to individuals when there is a high risk to their rights and freedoms, this has generally raised public awareness, in particular of the risks of financial loss and identity theft.

The risk of fines and reputational damage has led to a ‘trickle-up’ awareness among senior management in controllers of all sizes that data protection is not just ‘an IT issue’.

GDPR requires certain breaches to be notified to the DPC within 72 hours – and where there is high risk to the affected individuals, without delay. An incident can be as simple as sending someone’s details to an incorrect person, but can become complex where there are many individuals affected.

If there is an international dimension or client data leaked by a breach, this could fall under another data-protection authority’s jurisdiction or, indeed, a different industry regulator. Additionally, a non-breached controller might still have liability to affected individuals through being part of the supply chain where the parties are joint controllers.

Breaches can have serious consequences beyond data protection – legal, financial, and reputational – for solicitors, their clients, and other stakeholders. The requirement to report breaches to both the DPC and the affected individuals creates greater visibility, awareness, and risks.

There can be various impacts, ranging from costs through to the loss of contracts and future revenue, insurance claims and resulting extra costs, the potential for litigation and resulting bad publicity, lost clients, trust, and confidence.

In a worst-case scenario for some businesses, a breach can put them out of business.

Therefore, solicitors should actively implement safeguards to minimise the risk of breaches occurring, through staff training, appropriate security, and technical and organisational controls to protect their data.

This is particularly important in the case of solicitors, due to the special importance and value attaching to legal professional privilege.

Every incident should trigger a decision as to whether change is required to processes, or whether to report the incident as a breach. Security, on the other hand, involves an ongoing assessment of technical and organisational controls and how best to assess and respond to the evolving threats and risks to individuals in processing data.

Enforcement action breaches

Article 4(12) describes a personal-data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Specifically mentioning the transmission and storage of data emphasises that these situations can lead to greater risks of harm to individuals. Solicitors require a process to show that they have considered the risks to individuals, and have mitigated any risks that arise in the event of a security incident.

Failure to implement appropriate security measures has featured prominently in fines. The following are the most common breaches, and the technical and organisational measures cited, in data protection authority (DPA) decisions.

Control failures: Normally, a controller will be assessing the risks to personal and sensitive data of ‘Type 1’. Confidentiality breaches generally involve unauthorised disclosure of, or access to, data. Examples of control failures from DPA decisions resulting in fines are:

• Controls for monitoring access rights to user accounts,
• Controls for monitoring access rights to, and the use of, databases storing personal data,
• Use of server-hardening techniques to prevent unauthorised or illegitimate access
• to administrator accounts,
• Encrypting personal data, particularly special category data contained in email attachments,
• Use of two-factor authentication to prevent unauthorised access to web-based applications,
• Controls on the storing of particularly sensitive data in cloud applications,
• Strict access controls for applications on a ‘least-privilege’ basis, and safeguards to ensure that individual access is removed when no longer necessary,
• Carrying out reviews of logs to prevent unauthorised access to files,
• Individuals storing personal data on personal devices without enterprise-level security,
• Sending personal data to an incorrect recipient.

Integrity breaches: ‘Type 2’ integrity breaches include unlawful destruction or alteration of data. Examples from DPA decisions where
fines have been imposed include:

• There should be regular penetration testing to test the resilience of systems,
• Passwords should be encrypted and not stored in plain-text unencrypted files on servers,
• Controllers should log and monitor failed access attempts in particular to online processing systems.

Personal-data availability: ‘Type 3’ – the availability of personal data that includes accidental destruction or unauthorised loss – has not featured prominently in the regulator’s decisions.

When to notify a breach

Not all personal data breaches need to be notified to the DPC. The notification obligations under the GDPR are only triggered when there is a breach that is likely to result in a risk to the rights and freedoms of individuals. In reporting to individuals, note that the means used should maximise the chance of communicating appropriate information to those individuals.

Step 1: solicitors should describe and consider the cause of the incident and the people, devices, or systems affected.

Steps 2 and 3need to be considered together to assess potential high risks. Remember, where there is a risk to individuals, then it needs to be reported to the DPC. Where it is high risk, it needs to be reported to both the individuals and the DPC.

Step 2 considers the high risks. The GDPR Recital 85 explains that a high risk exists when the breach may lead to physical, material, or non-material damage for individuals such as:

• Loss of control of their personal data,
• Limitation of their rights,
• Discrimination,
• Identity theft,
• Fraud,
• Financial loss,
• Unauthorised reversal of pseudonymisation,
• Damage to reputation, and
• Loss of confidentiality of personal data protected by professional secrecy.

The above list is not exhaustive, and can include other significant economic or social disadvantage.

Step 3 considers the factors affecting the risks and makes an assessment. The factors relevant as part of this assessment are:

• The type of breach: whether ‘confidentiality’, ‘availability’, or ‘integrity’,
• The nature, sensitivity, and volume of personal data: if a significant volume of special-category data is compromised, this would constitute a significant risk to individuals,
• Ease of identification of individuals: how easy, or difficult it would be to identify specific individuals based on the compromised data,
• Severity of consequences for individuals:consideration must be given to the potential damage to individuals, whether there might be malicious intentions behind the breach, and the permanence of the consequences for the individuals,
• Special characteristics of the individual: consideration must be given to children and other vulnerable individuals who may be placed at a greater risk of danger due to a breach,
• Number of affected individuals, and
• Special characteristics of the data controller:consider that there is a greater threat if special-category medical data, identity, or financial details are stolen. Controllers must consider the severity of the risk on the individual, and the likelihood of occurrence.

Notification and documenting

Notification is not required where the breach is unlikely to result in a risk to the rights of individuals – for example, if the data is encrypted or can be remotely deleted. In effect, the controller makes an assessment and keeps records.

The controller must document any personal-data breach, including the facts, its effects, and remedial action taken – even where the breach is not notifiable to the DPC.

In documenting the breach, the controller should record at least the following details:

• The cause of the breach,
• Description of the breach,
• Effects and consequences,
• Mitigating actions taken,
• Reasons behind the mitigating actions undertaken, and
• Reasons for not notifying a breach, including reasons why the breach was not considered likely to result in a risk to the individuals.

How to prepare

• Develop and implement a data-breach response plan,
• Implement training programmes for employees,
• Develop templates for breach notifications,
• Consider test procedures on high-risk applications,
• Apply appropriate security measures to protect high-risk data, and finally
• Use privacy-enhancing technologies. 

Read and print a PDF of this article here.