Do all malware attacks need to be reported under the GDPR?
The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the national data protection regulators of the EU member states). The guidance includes how to respond to a malware attack, in which malicious software is introduced into a company's servers for nefarious purposes. Malware is a classic example of a confidentiality breach, since it can expose the personal data a company holds on its servers.
The EDPB reiterates in the guidance that whether a data exfiltration attack should be reported depends on the nature, sensitivity, and volume of personal data at risk. What is somewhat surprising is the EDPB's suggestion that notification to both the supervisory authorities and the data subjects would be required if a breach could expose a large enough volume of personal data about individuals to put them at risk of unsolicited marketing. That risk, while annoying, would fall far short of requiring notification under U.S. breach laws.
In contrast, in the case of exposure of usernames and hashed (not plain-text) passwords, the EDPB states that while notification to the data subjects is advisable, it would not be required if the passwords were salted and hashed using a state-of-the-art algorithm.