March 2, 2021

Volume XI, Number 61


March 01, 2021


Do all malware attacks need to be reported under the GDPR?

The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government privacy regulators in the various EU member states). The guidance includes how to respond to a malware attack, in which malicious software is injected into a company’s servers for nefarious purposes. Malware is a classic example of a confidentiality breach exposing personal data held by a company on its servers.

The EDPB reiterates in the guidance that whether a data exfiltration attack must be reported depends on the nature, sensitivity, and volume of the personal data at risk. What is somewhat surprising is the EDPB’s suggestion that notification to both the supervisory authorities and the data subjects would be required if a breach could expose a large enough volume of personal data about individuals to put them at risk of unsolicited marketing. That risk, while annoying, would fall far short of requiring notification under U.S. breach laws.

In contrast, in the case of exposure of usernames and hashed (not plain-text) passwords, the EDPB states that while notification to the data subjects is advisable, it would not be required if the passwords were salted and hashed using a state-of-the-art algorithm.
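The guidance draws the line at how the passwords were protected, not merely at whether they were "hashed". The following example is added here to illustrate that distinction; it is not code from the EDPB guidance or from the article. It contrasts an unsalted fast hash (where two users with the same password produce the same stored value, so one precomputed lookup exposes both) with a per-user random salt and a memory-hard key derivation function. The choice of scrypt and its cost parameters is an assumption made for illustration; the guidance names no specific algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Cost parameters assumed for illustration (the guidance names no algorithm
# or parameters). 128 * r * n bytes of memory per hash: 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DK_LEN = 32


def weak_unsalted_hash(password: str) -> str:
    """A fast, unsalted hash: cheap to precompute and identical across users."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<hex salt>$<hex digest>' using a random per-user salt.

    The salt is stored beside the digest; it is not secret, its job is to make
    every stored value unique so precomputed tables cannot be reused.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DK_LEN,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DK_LEN,
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes() -> dict:
    """Constructed sample: two users who happen to share the same password."""
    users = {"alice": "Summer2021!", "bob": "Summer2021!"}
    unsalted = {u: weak_unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # Same password -> same unsalted hash: one table lookup exposes both.
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # Per-user salt -> distinct stored values even for equal passwords.
        "salted_collide": salted["alice"] == salted["bob"],
        "salted_verifies": all(verify_password(users[u], salted[u]) for u in users),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

Whether a given scheme counts as "state-of-the-art" is a judgement the guidance leaves to the controller; the practical check is that each stored value carries its own random salt and that the hash function is deliberately slow or memory-hard, so that a leaked table cannot be reversed at scale.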

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 50

About this Author

Jena M. Valdetero Cybersecurity Lawyer Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025