Data Breach
What is a data breach? Learn how data protection violations occur, which notification obligations apply under GDPR, and how businesses can prevent data breaches.
Definition
A data breach, officially termed a personal data breach, is defined under Article 4(12) of the General Data Protection Regulation (GDPR) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Article 33 GDPR requires the controller to notify the competent supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Under Article 34 GDPR, the affected data subjects must also be notified if the breach is likely to result in a high risk to their rights and freedoms. This notification obligation to data subjects is waived if appropriate protective measures, such as encryption, have been implemented.
Simply Explained
Imagine you accidentally leave a briefcase containing confidential client documents on a train. Or a burglar breaks into your office and photographs the files on your desk. In both cases, confidential information has ended up in the wrong hands, once through carelessness and once through a deliberate act.
A data breach is the digital equivalent: personal data reaches unauthorized parties or is lost. This can happen through a hacking attack, but also through everyday mistakes: an email sent to the wrong recipient, an unsecured USB stick, or a laptop forgotten in a café. The GDPR treats all of these cases equally seriously and requires swift action.
Why Does It Matter?
Data breaches can pose an existential threat to businesses. The consequences extend far beyond financial penalties:
- Notification Obligation: The 72-hour deadline for notification to the supervisory authority is one of the strictest deadlines in the GDPR. Violation of the notification obligation is an independent sanctionable offense.
- Fines: For violations of the notification obligation, fines of up to 10 million euros or 2% of annual revenue apply. For the breach itself, if attributable to inadequate protective measures, fines of up to 20 million euros or 4% of annual revenue may be imposed.
- Reputational Damage: The obligation to notify affected individuals means that data breaches become public. The loss of trust among clients and partners can be more damaging in the long term than the fines themselves.
- Compensation Claims: Data subjects have a right to compensation under Article 82 GDPR, including for non-material damages. Class action lawsuits following data breaches are increasing.
- Prevention Pays Off: The cost of adequate protective measures is consistently far lower than the cost of a data breach, which according to the IBM Security Report 2024 averages 4.88 million US dollars.
Practical Example
A property management company uses email for communication with tenants and property owners. An employee sends a utility bill containing personal data (names, addresses, bank details) to the wrong tenant by mistake. The wrong recipient replies and points out the error.
This is a reportable data breach: personal data has been disclosed without authorization. The company must inform the supervisory authority within 72 hours and notify the affected tenant. The incident must be documented in the internal register of data protection violations.
Had the property management company used a secure upload platform, the breach would have been avoided: the tenant would have submitted their documents through a personal upload link, and the utility bill would have been delivered through a password-protected share link accessible only to the authorized recipient.
How SendMeSafe Implements This
SendMeSafe minimizes the risk of data breaches through multiple layers of protection:
- No Email Transmission of Sensitive Data: Instead of sending files via email, you create secure upload links for receiving and share links for delivery. The risk of sending data to the wrong recipient is drastically reduced.
- Encryption: All files are stored with AES-256 encryption and transferred over TLS 1.3. Even in case of unauthorized access to the storage, the data is unreadable, provided the encryption key is not also compromised. This may waive the obligation to notify affected individuals (Article 34(3)(a) GDPR).
- Access Control: Password-protected links, expiration dates, and download limits ensure that only authorized individuals can access data.
- Audit Trail: Complete logging of all access enables rapid determination of the scope and affected data in case of a breach, which is essential for the 72-hour notification to the authority.
- Technical and Organizational Measures: Comprehensive security measures, from hosting in Germany to role-based access controls, minimize the risk of a breach from the outset.
- Automatic Deletion: Through expiration dates for links and files, sensitive data does not remain available indefinitely, reducing the risk of a future breach.
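The audit-trail point above is where the 72-hour clock is won or lost: the controller has to establish which links were accessed by whom, how many records and which data categories were involved, and when the window closes. The following script is an added example and not SendMeSafe's code; the log format (timestamp, link id, action, actor, source IP), the authorization table, the per-link content inventory and the sample log lines are all constructed for illustration. It flags accesses by actors not authorized for a link, aggregates them into the scope statement Article 33 asks for, and computes the notification deadline from the moment of awareness.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit-trail lines (hypothetical format:
# "timestamp link_id action actor source_ip"; not real product output).
SAMPLE_LOG = """\
2024-05-02T08:15:00Z link-7f3a download tenant-12 203.0.113.10
2024-05-02T08:20:00Z link-7f3a download tenant-12 203.0.113.10
2024-05-02T09:02:00Z link-9c41 download owner-03 198.51.100.7
2024-05-02T11:45:00Z link-7f3a download unknown 192.0.2.55
2024-05-02T11:46:00Z link-9c41 download unknown 192.0.2.55
2024-05-02T12:00:00Z link-2b8e view owner-03 198.51.100.7
"""

# Constructed authorization table: which actors may use each link.
AUTHORIZED = {
    "link-7f3a": {"tenant-12"},
    "link-9c41": {"owner-03"},
    "link-2b8e": {"owner-03"},
}

# Constructed inventory: how many data-subject records and which data
# categories sit behind each link (needed for the Article 33 notification).
LINK_CONTENTS = {
    "link-7f3a": {"records": 1, "categories": {"name", "address", "bank details"}},
    "link-9c41": {"records": 3, "categories": {"name", "address"}},
    "link-2b8e": {"records": 1, "categories": {"name"}},
}


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, link_id, action, actor, ip = line.split()
        events.append({"ts": parse_ts(ts), "link": link_id,
                       "action": action, "actor": actor, "ip": ip})
    return events


def unauthorized_accesses(events, authorized):
    """Keep only events whose actor is not on the link's authorized list."""
    return [e for e in events if e["actor"] not in authorized.get(e["link"], set())]


def breach_scope(events, authorized, contents):
    """Aggregate unauthorized accesses into the facts a notification needs."""
    hits = unauthorized_accesses(events, authorized)
    links = sorted({e["link"] for e in hits})
    categories = set()
    for link in links:
        categories |= contents[link]["categories"]
    return {
        "links": links,
        "records": sum(contents[link]["records"] for link in links),
        "categories": sorted(categories),
        "source_ips": sorted({e["ip"] for e in hits}),
        "first_seen": min((e["ts"] for e in hits), default=None),
    }


def notification_deadline(awareness_time):
    """Article 33: 72 hours from when the controller became aware."""
    return awareness_time + timedelta(hours=72)


def main():
    scope = breach_scope(parse_log(SAMPLE_LOG), AUTHORIZED, LINK_CONTENTS)
    # Awareness time is constructed: the moment this review was run.
    aware = parse_ts("2024-05-03T09:00:00Z")
    print("affected links:     ", scope["links"])
    print("affected records:   ", scope["records"])
    print("data categories:    ", scope["categories"])
    print("source IPs:         ", scope["source_ips"])
    print("first unauthorized: ", scope["first_seen"].isoformat())
    print("notify authority by:", notification_deadline(aware).isoformat())


if __name__ == "__main__":
    main()
```

On the sample data the script attributes two downloads to an actor that is not on either link's authorization list, yielding a scope of two links, four data-subject records and the categories name, address and bank details; that is the kind of statement the authority expects, and the link-level logging is what makes it answerable without guessing. Note that `first_seen` is the earliest unauthorized access, not the moment of awareness; the 72-hour deadline runs from the latter, so both timestamps belong in the internal register.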
Frequently Asked Questions
Must every data breach be reported?
Not every data breach must be reported to the supervisory authority. Under Article 33 GDPR, the notification obligation is waived if the breach is unlikely to result in a risk to the affected individuals. This is the case, for example, when the affected data was encrypted and the key was not compromised. However, every data breach must be documented internally, regardless of whether notification is required.
What must the notification to the supervisory authority contain?
The notification must describe the nature of the breach, state the categories and approximate number of affected individuals and data records, provide the name and contact details of the Data Protection Officer, describe the likely consequences of the breach, and outline the measures taken or proposed to remedy it. If not all information is immediately available, it can be provided in stages.
How can I prevent data breaches?
The most effective preventive measures are: encryption of all personal data, access restrictions based on the need-to-know principle, regular employee training, two-factor authentication for all accounts, use of secure platforms instead of email for exchanging sensitive documents, regular security updates, and a documented deletion policy to minimize the amount of stored data.
What does a data breach cost?
Costs are composed of multiple factors: fines from supervisory authorities, costs for notifying affected individuals, forensic investigation, legal counsel, compensation claims, and reputational damage. According to the IBM Security Report 2024, the average total cost of a data breach is 4.88 million US dollars. For small and medium-sized businesses, even smaller breaches can be existentially threatening.