Security breaches damage company reputation
During 2019, more than twenty million security breach communications were made directly by the data controllers established in Spain to the data subjects. That controllers make these communications proactively shows how important proper management of security breaches is to them, both as a matter of regulatory compliance and, consequently, to maintain customers' trust in the products or services the companies provide.

But what is meant by a security breach? Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC defines "security breaches of personal data" broadly as "any breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or to unauthorized communication or access to such data". It should be noted that, although all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches.

When a security breach occurs, the data controller must put in place an action plan to minimize and avoid further consequences. If the security breach constitutes a risk to the rights and freedoms of individuals, the Spanish Data Protection Agency (AEPD) must be notified within 72 hours of the controller becoming aware of it.

When the security breach may entail a high risk to the rights and freedoms of data subjects, the data controller must also notify those affected of the breach without undue delay. This communication is made after a prior analysis assessing that informing the data subjects does not compromise the outcome of an ongoing investigation; such communication may be postponed under the supervision of the supervisory authority.
The communication to the affected parties shall be made as soon as possible, in clear and simple language and always in close cooperation with the supervisory authority. The aim of this obligation is to eliminate the opacity with which some organizations have, on occasion, dealt with security breaches, creating a very high risk for those affected, who, not having been informed, were unable to take the measures necessary to protect themselves. An example of this lack of transparency was the attack suffered by a telecommunications operator in 2014, which affected more than 500 million users who did not learn of the exposure of their personal data until 2016, that is, two years later.

Inadequate management of security breaches damages the reputation of companies, since it reflects the absence of internal policies that promote effective and diligent data management and governance models. Adequate action in the event of a security breach can directly benefit the data controller, not only through compliance with its legal obligations but also by limiting the impact on the company's reputation, such as the loss of customer confidence.

Today, corporate reputation is an increasingly important asset within organizations, an instrument for building trust in and loyalty to their products or services in a highly competitive environment.
We are dealing with an intangible asset that does not appear in the company's profit and loss account, but more and more companies are aware that reputation has a direct economic impact.

For all these reasons, implementing a security breach protocol within the organization, together with developing internal policies and adequate security measures, including the intrusion detection and analysis systems needed to protect the data of individuals and the company's private information, and establishing mechanisms to prevent computer attacks, considerably reduces the occurrence of security breaches. And if a breach does occur, an organization that has taken these steps can act faster and more nimbly, avoiding the consequent reputational damage.
Guadalupe Tejela (Attorney T&L)