A data breach notification refers to the process by which an organization or company is required to notify the relevant data protection authorities and, if applicable, the data subjects of a data breach that is likely to result in a high risk to the privacy or fundamental rights of the data subject. Such a breach involves personal or confidential data of individuals that is stored or processed by the organization and affected by an incident.
There are several incidents in which a data breach may occur, including:
- Cyber incident / attack: When a malicious party penetrates a company's computer systems and is able to access personal data and, where applicable, copy it out of the organization (keyword: ransomware attacks).
- Phishing attacks: When employees are tricked into revealing confidential information by falling for fake emails or websites.
- Lost or stolen devices or records: When physical devices such as laptops, smartphones, USB drives, or even paper records are lost or stolen and have personal data stored on them.
- Human error: When employees inadvertently publish or disclose personal data without taking the necessary measures.
In the event of a data breach notification, the following must be observed:
- Timeframe: Most privacy laws require that data breaches be reported as soon as possible, often within a specified period of time after the breach is discovered. (In Switzerland, the notification should be made "as soon as possible".)
- Breach Information: The notification must include detailed information about the breach, including when the incident occurred, the type of data breached, the number of individuals affected, and the potential impact.
- Notification of data subjects: In many countries and regions, companies are required to notify data subjects of the data breach, especially if the breach involves their personal data. This notification should be clear and understandable.
- Notification to supervisory authorities: Depending on the data protection legislation, organizations may also need to notify the relevant data protection authorities of the breach.
- Remedial action: The notification should also include information on what steps the company has taken or intends to take to remedy the violation and prevent future violations.
The exact requirements for data breach notification may vary by country and region. For example, the European General Data Protection Regulation (GDPR) has set strict requirements for data breach notification in the European Union. In Switzerland, the Data Protection Act (DSG) applies to private individuals, in particular Art. 24, and the cantonal data protection laws apply to public bodies.
Swiss law provides for notification to the authorities when the data breach is likely to result in a high risk to the personality or fundamental rights of the data subject. This makes it clear that in the event of a possible breach of data security, a risk analysis must always be carried out from the point of view of the data subject. This differs from the inward-looking risk analysis in that the concerns of the company or organization are not the measure; instead, the impact on the person concerned is assessed. It is not a question of how quickly the company is up and running again after a cyber incident, but of the potential damage caused to the people affected by the stolen personal data. In the event of an incident, the security officer or CISO and the data protection officer must therefore work closely together, continuously exchange the current state of knowledge, and perform appropriate risk analyses.
Who must report?
The persons responsible for the data processing (the controllers) are obliged to notify. Contract processors such as cloud or SaaS providers report data breaches to the controller. Individuals affected by a data breach also report such breaches under this notification requirement.
How must it be reported?
The FDPIC has offered an online data breach notification service (https://databreach.edoeb.admin.ch/report) since the new data protection law came into force on September 1, 2023. With this online service, both initial reports and follow-up reports are possible. The data protection supervisory authorities of many cantons have also published corresponding forms and fact sheets for their area of responsibility.
Conclusion: In the event of an incident involving a possible data breach, such as a cyber attack, the authorities must be informed immediately if this breach is likely to pose a high risk to the personality or fundamental rights of the data subject.
Daniel Spichty /0923