Pet peeve alert: it bugs me every time I see “personal data breach,” “security breach” or “security incident” defined in a DPA to include “suspected” as well as “actual” breaches or incidents.
The GDPR definition of “personal data breach” is perfectly adequate:
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Clearly the GDPR is only concerned with actual security breaches.
Yet time after time I see definitions in DPAs such as the following (a recent real-life example):
Personal Data Breach means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed. (emphasis added)
This definition closely tracks the GDPR definition, but tosses in the phrase “actual or suspected.”
The illogic of including “suspected” security breaches should be obvious. A “suspected” security breach can’t lead to the accidental or unlawful destruction, loss, etc. of personal data. Only an actual security breach can. A data processor may “suspect” a security breach that, upon closer inspection, turns out to be a mirage: a misread monitoring alert, or a misconfiguration that exposed no data at all. Or it may have been a hacking attempt that the data processor’s security controls successfully repelled.
The distinction matters because including suspected security breaches in the defined term carries with it legal consequences. There may be obligations to remediate and report all security breaches. There may be liability attached to security breaches. Failure to comply would likely be a material breach of the DPA.
But why should those obligations/liabilities apply to merely suspected security breaches? Certainly the usual litany of reporting obligations (root cause analysis, description of the nature of the incident, categories and number of individuals impacted, number of personal data records implicated, location/residency of impacted individuals, measures taken to mitigate impact, etc.) has no application until a security breach is confirmed to have actually occurred. The GDPR itself takes this approach: Article 33(2) requires a processor to notify the controller without undue delay after becoming aware of a personal data breach, not after merely suspecting one. None of this excuses a processor from promptly investigating a suspected incident; it simply means the contractual reporting machinery should not start running until the investigation confirms that personal data was actually compromised.
Let’s defer to the wisdom of the GDPR drafters and limit DPA obligations concerning security breaches to actual breaches. Those are the only security breaches that matter.