How to manage a security breach involving personal data
Report security breaches involving personal data immediately to dataskyddsombud@lu.se and servicedesk@lu.se
In case of a security breach involving personal data, you should immediately report it to dataskyddsombud@lu.se and servicedesk@lu.se.
It is crucial that the report is made promptly so that the rights of those affected by the incident can be addressed and, if necessary, a notification can be made to the Swedish Authority for Privacy Protection (IMY) within the time frame stipulated by the data protection regulation (72 hours from the time the organisation becomes aware of the incident). If you are uncertain whether a breach has occurred, please contact the Data Protection Officer for guidance.
What is a personal data breach?
A personal data breach means that something unexpected happens to personal data. It can be that the data is destroyed, lost, altered, or that someone unauthorized gains access to it.
Consequences can be:
- Physical or psychological harm
- Discrimination
- Identity theft
- Financial loss
- Damaged reputation
It can also mean that encryption or protection of the data is broken, or that confidential information leaks out. At the bottom of the page are a number of examples of personal data breaches.
How can I identify a security breach involving personal data and provide details about its extent?
Checklist:
Here is information that is good to have when assessing the incident. Contact us at dataskyddsombud@lu.se for support and help.
Type of incident: Has a security incident occurred that has led to:
- Accidental or illegal destruction
- Lost access
- Loss or alteration of personal data
- Unauthorized disclosure or unauthorized access to personal data
Location of the incident: Has the incident occurred at LU or at a data processor?
Affected individuals:
- How many individuals have been affected?
- How many data items relating to each individual have been affected?
Groups of individuals: Which groups do the individuals belong to, for example employees or students?
Type of personal data: What kind of personal data is involved in the incident?
Consequences:
- What can the consequences of the incident be?
- How serious is the incident with regard to the privacy of the individuals?
Examples of personal data security breaches within higher education and other sectors:
1. A personal data controller saves a backup copy of an archive containing personal data on a USB memory stick. The USB stick is then stolen during a burglary.
2. A personal data controller runs an online service. As a result of a cyberattack on that service, individuals’ personal data is leaked.
3. Personal data from a large number of students is sent by mistake to the wrong mailing list with over 1 000 recipients.
4. An email for direct marketing purposes is sent to recipients in the field "To:" or "Cc:", which makes it possible for all recipients to see the other recipients’ email addresses.
5. A power outage for a few minutes at a personal data controller’s call centre results in clients not being able to call the personal data controller and gain access to their data.
6. A personal data controller is subject to an attack using ransomware, which leads to all data becoming encrypted. There are no backups and the data cannot be restored. Upon closer inspection, it turns out that the sole purpose of the attack was to encrypt the information, and that there is no other malware in the system.
7. A person calls a bank’s call centre to report a personal data breach. The person has received another person’s monthly account statement.
8. A personal data controller runs an online marketplace. The marketplace is subject to a cyberattack and the attacker publishes the usernames, passwords and purchase history online.
9. A web host that acts as a personal data processor discovers an error in the code that controls user authorisation. The error results in all users being able to access all other users’ account information.
10. Patients’ hospital records are not available for 30 days due to a cyberattack.
Security measures for personal data
Matters concerning security measures for personal data shall be handled in accordance with a coherent framework for information security. Supported by such a framework, different types of information, for example personal data, are classified based on certain parameters. Sensitive personal data, and personal data which warrants special protection, receive a higher classification and thus have a higher protection value than other personal data. Based on the classification, risk assessments and so on, different roles are responsible for ensuring that the right protection is in place. For example, system owners are to communicate which IT systems can be used for different types of information.
Work in this area is underway with the aim of implementing a new and approved framework. The work is run by the university’s Chief Information Security Officer and is expected to take some time to complete.
Until the aforementioned framework has been approved, the Data Protection Officer provides guidance based on the security principles in the General Data Protection Regulation (GDPR).
Recommendations:
- Pseudonymise personal data used in research if the purpose of the processing can still be fulfilled.
- Ensure an appropriate level of security with regard to the sensitivity, amount etc. of the personal data. This applies, for example, to IT-related protection such as storage, encryption and access control. Some of these IT services are offered by local IT units, LDC or system owners.
- Consider encryption and encoding
- Consider logging and follow-up
- Make sure to back up your storage solution
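The first recommendation above, pseudonymisation of research data, is illustrated here with an added example that is not part of this page or of Lund University's own tooling. It replaces a direct identifier with a keyed HMAC-SHA256 pseudonym so that the same person is linkable within one data set, different projects using different keys cannot link their pseudonyms to each other, and the identifier cannot be recovered from the data set without the separately stored project key. The record fields and identifiers are constructed sample values.

```python
"""Keyed pseudonymisation of research records (added example, constructed data)."""
import hashlib
import hmac
import secrets

# Constructed sample records; the person_id values are made up, not real identity numbers.
RECORDS = [
    {"person_id": "19800101-1234", "department": "Physics", "survey_score": 7},
    {"person_id": "19900202-5678", "department": "Law", "survey_score": 4},
    {"person_id": "19800101-1234", "department": "Physics", "survey_score": 9},
]


def new_project_key() -> bytes:
    """Generate a per-project secret key.

    The key must be stored separately from the pseudonymised data set (e.g. with the
    principal investigator), because whoever holds it can re-identify the records.
    """
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym for an identifier with HMAC-SHA256.

    A keyed MAC is used instead of a plain hash: identity numbers come from a small,
    structured space, so an unkeyed hash could be reversed by enumeration.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of the records with the direct identifier replaced by a pseudonym."""
    out = []
    for record in records:
        copy = dict(record)
        copy["pseudonym"] = pseudonym(copy.pop("person_id"), key)
        out.append(copy)
    return out


def leaks_identifier(pseudonymised: list[dict], identifiers: list[str]) -> bool:
    """Pre-release check: True if any original identifier still appears in any field."""
    for record in pseudonymised:
        for value in record.values():
            if any(identifier in str(value) for identifier in identifiers):
                return True
    return False


if __name__ == "__main__":
    key = new_project_key()
    data = pseudonymise(RECORDS, key)
    originals = [r["person_id"] for r in RECORDS]
    assert not leaks_identifier(data, originals)
    for row in data:
        print(row)
```

Two observations for anyone adapting this: the pseudonym only stays unlinkable to the person as long as the key remains confidential, so losing the key to an unauthorised party would itself be a personal data breach in the sense described above; and if the key is securely destroyed after the project, the data set can no longer be re-identified by the controller, which changes its status in a data protection assessment.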
For further support on issues concerning security measures for personal data, please contact our Chief Information Security Officer Ingegerd Wirehed. You may also send questions and matters to the function email address below, pending the approval and implementation of a new information security framework.
informationssakerhet@lu.se
Contact
Lund University has an external Data Protection Officer, Secure State Cyber AB; the contact person at Secure State Cyber AB is Sanja Hebib.
If you have questions regarding data protection, please contact:
dataskyddsombud@lu.se