28/2/20
Security breaches damage a company's reputation
During 2019, more than twenty million security breach communications were made directly by data controllers established in Spain to the interested parties. This proactive communication by data controllers shows how important it is for them to manage security breaches properly, both as a matter of regulatory compliance and, as a result, to maintain customer trust in the product or service the company provides. But what is meant by a security breach? Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC, broadly defines a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". It should be noted that, although every personal data breach is a security incident, not every security incident is necessarily a personal data breach.

When a security breach occurs, the data controller must implement an action plan to minimize and avoid further consequences. If the security breach constitutes a risk to the rights and freedoms of individuals, the Spanish Data Protection Agency (AEPD) must be notified within a maximum period of 72 hours after becoming aware of it. When the security breach may pose a high risk to the rights and freedoms of data subjects, the data controller must inform those affected, without undue delay, of the security breach that occurred. This communication is made after a prior analysis assessing that informing those affected does not compromise the outcome of an ongoing investigation; such communication may always be postponed under the supervision of the supervisory authority.
Communication to those affected will be made as soon as possible, in clear and simple language and always in close cooperation with the supervisory authority. The objective of this obligation is to eliminate the opacity with which some organizations have at times handled security breaches, creating a very high risk for those affected, who, not having been informed, were unable to take the measures needed to protect themselves. An example of this lack of transparency was the attack suffered by a telecommunications operator in 2014, which affected more than 500 million users who did not learn that their personal data had been exposed until 2016, that is, two years later. Inadequate management of security breaches damages a company's reputation, because it reveals the absence of internal policies that promote effective and diligent data management and governance models. Adequate action in the face of a security breach brings a direct benefit to the data controller, not only through compliance with legal obligations, but also through its effect on the company's reputation, avoiding the loss of customer trust. Nowadays, corporate reputation is an increasingly important asset within organizations, an instrument that creates trust in and loyalty to their products or services in a markedly competitive environment. It is an intangible asset that does not appear in the company's "profit and loss", but more and more companies are aware that reputation has a direct economic impact.
For all of the above, implementing a security breach protocol within organizations, together with developing internal policies and deploying appropriate security measures, including the intrusion detection and analysis systems needed to protect personal data and the company's confidential information, as well as establishing mechanisms to prevent computer attacks, considerably reduces the occurrence of security breaches. And if a breach does happen, with these measures in place the organization can act more quickly and effectively, avoiding the consequent reputational damage.

Guadalupe Tejela (T&L Attorney)
