4.4 [DETAILS] Handling a Data Breach

The most common situation in which an account is required and provided is a data breach. As part of an accountability policy, the legal and normative obligations to inform associated parties about abnormal behaviour, such as a data breach or policy violation, should be expressed in the form of rules. Currently, the requirement for information about such events is not explicitly derived from the regulatory framework, which results in a lack of proper information about data leakage and violations occurring in the cloud service provisioning chain. Further details on data breach reporting obligations are given in the following section (4.5).

In D23.2 [31], we presented examples of how an account is expressed in terms of the notification that results from an abnormal event. A4Cloud introduces an obligation to generate notifications about abnormal events (Obligation O18) - see Appendix 8.1. This type of account should be verified through the following information:

  • The actor sending the notification
  • The type of incident, detailing also which personal data was affected
  • The actor by which the incident was raised
  • Evidence in the form of log traces, explaining the incident history
  • Timestamp of generating the notification
  • Contact details of the actor responsible for responding to the notification
  • Potentially the contact details for the responsible supervisory authority
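
As an added illustration, not taken from the deliverable, the following Python checks a notification account against the information list above. The record layout, field names and sample values are constructed assumptions for the example, not A4Cloud's own notification format.

```python
"""Verify a breach-notification account against the O18-style information list.

Constructed example: the field names and record layout are assumptions made
for illustration, not a format defined by A4Cloud.
"""
from datetime import datetime, timezone

# Information the account is verified through; the supervisory authority
# contact is the one item the list marks as optional.
REQUIRED = ("sender", "incident_type", "affected_personal_data",
            "raised_by", "evidence", "notification_time", "contact")
OPTIONAL = ("supervisory_authority_contact",)


def parse_ts(value):
    """Parse an ISO-8601 timestamp into an aware datetime (UTC if naive)."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def verify_account(account):
    """Return a list of findings; an empty list means the account is complete
    and its evidence is consistent with the notification timestamp."""
    findings = [f"missing field: {f}" for f in REQUIRED if not account.get(f)]
    unknown = set(account) - set(REQUIRED) - set(OPTIONAL)
    findings += [f"unexpected field: {f}" for f in sorted(unknown)]
    if findings:
        return findings
    if not isinstance(account["affected_personal_data"], list):
        findings.append("affected_personal_data must list the affected data categories")
    sent = parse_ts(account["notification_time"])
    # Log traces explain the incident history, so none may postdate the notification.
    for i, entry in enumerate(account["evidence"]):
        if parse_ts(entry["time"]) > sent:
            findings.append(f"evidence[{i}] is timestamped after the notification")
    return findings


# Constructed sample account for a fictional unauthorised-access incident.
SAMPLE = {
    "sender": "cloud-provider-dpo@example.org",
    "incident_type": "unauthorised access",
    "affected_personal_data": ["email address", "postal address"],
    "raised_by": "storage-provider SOC",
    "evidence": [
        {"time": "2014-03-02T08:15:00Z", "message": "login from unknown host"},
        {"time": "2014-03-02T08:17:30Z", "message": "bulk export of customer table"},
    ],
    "notification_time": "2014-03-02T10:00:00Z",
    "contact": "incident-response@example.org",
}
```

Running `verify_account(SAMPLE)` yields no findings; removing a required field or moving the notification timestamp before an evidence entry produces one finding per defect.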

This section illustrates several different cases in which an account is given in the event of a data breach. The examples also differ in the recipient of the account. The first example is one in which an account of unauthorised data access is provided to a data subject. Next, an example is given in relation to a regulatory investigative process. Finally, we consider some examples of data handling within a service provision chain.