June 28, 2022

Volume XII, Number 179

Advertisement
Advertisement

June 28, 2022

Subscribe to Latest Legal News and Analysis

June 27, 2022

Subscribe to Latest Legal News and Analysis

Does a company need to report a lost or stolen laptop under the GDPR?

Possibly. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries). In instances of a lost or stolen laptop, whether notification will be required depends on whether the data was encrypted or password-protected and on the sensitivity of the data contained on the device. The EDPB states that strong encryption would permit a controller to avoid notification, although the event should be internally documented pursuant to Article 34.

In contrast, notification to both the supervisory authority and the individuals would be required if large amounts of unencrypted personal information were contained on the lost or stolen device, even if the personal data itself was not sensitive.

The guidance is not clear about whether use of a strong password alone, but not encryption, would be sufficient to avoid notification. If the data protected by the password is highly sensitive, then a supervisory authority may find that notification is required, notwithstanding the use of a password.

 

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 71
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jena M. Valdetero Cybersecurity Lawyer Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025
Advertisement
Advertisement
Advertisement