This post is also available in: Deutsch (German)
Translated with www.DeepL.com/Translator
No security or communication professional understands the motivation for the 72 hour data breach notification rule (Art. 33). The problem here is that, in practice, it is impossible to make a statement within a period of three days about the impact of the vulnerability of a system that has been exploited. This can be compared to an aircraft accident: We must inform them as quickly as possible that something has happened. At this stage, however, it is completely unrealistic to describe the resulting damage and its effects comprehensively. Even less is it possible to identify the causes. No serious statement can be made without an in-depth investigation. The obligation to inform those affected thus also contributes at most to maximum uncertainty.
It is absolutely the same with digital events. We have seen that transparency, as envisaged by the legislator, cannot be achieved. The associated uncertainty also means that it is impossible to predict with certainty where damage will occur or what the consequences will be.
In other words: First and foremost, it is a matter of competently recording the event, initiating the right communication and taking the necessary measures. In active cybercrime attacks, this can consist of NOT communicating in order to leave the attacker uncertain as to whether the attack has been detected (e.g. with honeypots). The last action the affected organization should take in this case is to communicate immediately with the data protection authority. Much more important would be communication via a national security hotline to coordinate defensive measures.
Of course, this detached and immature measure fits into the picture: No further thought has been given to information security and how to deal competently with real threats (cf. FC 6.).
This provision shows once again that the authors were primarily concerned with putting pressure on “large” providers to report these security events at an early stage. This is a commendable motive. At the same time, however, 99% of all other companies are punished because the unclear definition of what actually has to be reported leads to maximum uncertainty. It would have been much more honest if a regulation had been introduced for the administration of large amounts of data and this authorisation had been linked to a wide variety of framework conditions, such as the obligation to report.
NB: A practical note on the 72-hour deadline. The legislators were obviously not really comfortable with their skin, which is why they built in a loophole, because the text of the Ordinance Art. 33 para. 1 GDPR reads as follows:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
In practice, therefore, the 72-hour deadline will never be met.
Addendum: An interesting aspect was brought to my attention recently. Nobody reports security breaches if they are punished! The security community has worked for years to ensure that violations and attacks can be reported neutrally without the person reporting them having to accept any disadvantages. With the DSGVO exactly the opposite is achieved, nobody will report security incidents anymore, because the probability that they will be discovered by third parties is minimal. The missing reports, however, are harmful to all those affected.
Translated with www.DeepL.com/Translator
