Responding to Data Breaches: A Data Protection Officer's Perspective

Daniar S, SH, LLM, CIPP/E[1]

A well-known Indonesian e-commerce marketplace was alleged to have experienced a data breach couple weeks ago, resulting in the loss of large amounts of personal user data (including email addresses, hashed passwords and telephone numbers), as well as transaction data, potentially including access credentials and login details for the online e-commerce platform question.[2] It has been reported in the local media that the data of some 15 million users have been ultimately affected. However, according to ZDnet, that figure represents just a small fraction of the data that the hacker responsible (who has subsequently been identified as using the alias Whysodank) managed to gain access to. [3]

The hacked data was subsequently sold via a dark web portal known as Raid Forums for USD 5,000 (the equivalent of IDR 70 million). If a hashed password is successfully unlocked by a hacker, then the relevant password owner risks falling foul of a so-called spear-phishing attack and may ultimately lose control of any data which is held by other marketplaces and online media services. [4] For the record, similar breaches are reportedly occurred in another marketplace.[5]  

When this recent case is viewed from a global perspective, there are clearly significant consequences that come with such acts. For example, in 2019, famous technology company IBM estimated that the average data breach resulted in financial losses amounting to USD 1.42 million and had impacts on the relevant organizations potentially lasting for years (around one or two years on average). Meanwhile, the breach lifecycle (finally contained) was estimated at 73 days as a global average, 51% of which originate through malicious cyber-attacks upon companies.[6]

A data breach is officially understood as a breach of security which can lead to the unauthorized disclosure of stored personal data. A number of different activities can have an impact on personal data, not only disclosures but also destruction, loss, alteration or the gaining of access to data. Breaches also involve the recipients of the data not being officially authorized to access said data.

Whereas data security is a broad concept and not all security incidents necessarily involve personal data breaches, the recent case outlined above is ultimately likely to involve a breach of personal data, as the consequences of the breach will probably lead to a situation in which the relevant controller (a party who determines the purpose and means of data processing) will be unable to ensure compliance with the country’s data protection laws.

In terms of data subjects, the possible consequences of a breach encompass physical, material and non-material damages, including loss of control over any data and loss of confidentiality, including any other significant economic or social disadvantages which are experienced by any other parties. In terms of the company concerned, financial losses are likely to be incurred as a result of the data breach, along with reputational damage, operational disruptions, lost customers, extra costs for discount/customer (loyalty) re-acquisitions, lawsuits and so forth.

Within the legal realm, there are a number of specific provisions that dictate a controller’s obligations if any data breach occurs. In most jurisdictions, controllers are required to notify the relevant public authorities (e.g., BSSN and the Minister of Communications and Information) without undue delay.

For example, the General Data of Protection Regulation (GDPR) determines a time-bar for the reporting of certain types of data breaches. Specifically, such events must be reported within 72 hours of the relevant controller becoming aware of any breaches (dependent on the circumstances of the specific breach). For the vigilantly aware of any breach,  all Electronic System Providers (Penyelenggara Sistem Elektronik -“PSE”) are consequently required to implement security measures (both technical and organizational) aimed at detecting and also responding to and initiating recoveries from any breaches which ultimately take place (e.g. internal findings or third-party claims reporting such breaches).

Moreover, the emphasis is primarily not placed upon when a breach takes place but the initiation of prompt action in order to investigate such incidents and to determine any high-risk security leaks. During this period, the controller should assess likely risk and should not rush to make claims that ultimately prove untrue, such as claiming that the relevant data is still safely in the possession of the controller without specifying any convincing (evidenced) reasons relating to such a claim. The controller should also implement a number of preliminary actions, followed by raising an initial alert regarding suspicious activity or irregularities (by correlating any log data) in relation to security incident(s) that may affect personal data, for example, by examining results from data-flow and log analyzers.

In order to react and address a given breach, several good practices should be observed, which include:

1. All information or indications relating to breaches should be promptly reported to a team established in order to address said incidents, particularly determinations of whether or not a breach has occurred. If not possible for a complete information, gradual submission of report/information is generally promptly allowed;
2. Assessment of risks (e.g. no risk, risk or high risk) should be made in relation to affected or potentially affected individuals;
3. Notification of the relevant authorities followed by the relevant individuals concerned.

Of course, in terms of plan-do-check-act management, controllers should also act in parallel to contain and recover breaches through the use of appropriate technical and organizational measures/tools/processes (including audits and consulting service), as well as keep drawing up of detailed documentation which addresses data breaches.

In this context, the information provided should encompass the following at the least:

1. Nature of breach;
2. Categories and an approximate number of data subjects concerned;
3. Name and contact details of the Data Protection Officer (DPO) or other contact information;
4. Description of the likely consequences of the breach and description of proposed measures that will be implemented in order to mitigate any possible adverse effects.

However, whenever a breach has the potential to affect the legal rights of a data subject, the controller is also required to notify said data subjects of such information via email, SMS or direct message clear and plain language.

According to the prevailing laws, the PSE is obliged to ensure that affected data subjects receive these notifications within 14 calendar days at the latest after having become aware of a breach. The idea here is to enable individuals to take necessary counter-measures or actions in order to anticipate and/or mitigate a breach (e.g. changing their passwords, activating one-time passwords, logging out from any connected devices, migrating or erasing their data, consulting with public authorities/security experts, etc.).

The present alleged case reveals that cybersecurity, specifically the digital infrastructure of online marketplaces and online media services, are far from being immune to cyberattacks. Indeed, PSE should ideally put together incident response teams and routinely test their performance (including response plans), as well as carrying out vulnerability scanning, adopting robust and updated encryption techniques (e.g. SHA2-384 hashing functionality for sensitive databases, security automation and intelligent orchestration capabilities), ensuring compliance with data protection laws and formulating ongoing updates of cybersecurity in order to ensure levels of security appropriate to the relevant levels of risk.    

The author is tech-lawyer with professional tech-related certifications (data, technology, IP attorney, computer programming languages and more) at Bahar law firm. The view expressed are on his own.