Just reading through the Art29 draft guidance [*], with at the back of my mind a query from a site "do we need to report every phishing attack?".
Example vi on page 29 says (without explanation) that the publication of a stolen password dump (implied, many users) is high risk. Best distinguishing factors I can come up with are either:
a) a phishing attack affects a much smaller number of users, which might drop the risk down from high? (but still need to notify the ICO), or
b) phishing of a personal username/password *might* only affect information for which the individual, not the organisation, is the data controller (though the organisation claiming that would need to be very sure the individual didn't have access to any data for which it *was* the DC).
If neither of those seems plausible, it seems to me there's going to be a significant load on the ICO. Though p14 on "bundled notifications" might help to reduce that a bit for phishing campaigns.
I don't know what current practice is in organisations already covered by breach notification requirements. Do they report every time someone falls for a tempting email?
Thanks
Andrew
[*] http://ec.europa.eu/newsroom/document.cfm?doc_id=47741
--
Andrew Cormack
Chief Regulatory Adviser
T 01235 822302
Skype ancormack
Twitter @Janet_LegReg
Blog https://community.ja.net/blogs/regulatory-developments
orcid.org/0000-0002-8448-2881
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
> -----Original Message-----
> From: This list is for those interested in Data Protection issues [mailto:data-
> [log in to unmask]] On Behalf Of Speirs, Seth
> Sent: 18 October 2017 12:22
> To: [log in to unmask]
> Subject: Data breach notification [OFFICIAL]
>
> I don't read it in quite that way, as the "severity of consequences" paragraph
> on p21/22 (why don't they number the paragraphs!) talks about "trusted"
> partners and that this may mitigate the need to report.
>
> That said I do think that the occasions on which we will be required to inform
> the ICO will increase. For example, we have relatively regular breaches
> where summons are sent to the wrong address (outside our control as the
> addresses are supplied by the police). I wouldn't normally report these
> unless there were specific circumstances that warranted it.
>
> Now we will probably have to report all these as criminal data is considered
> high risk.
>
> I see it more as a shift in emphasis from justifying why you should report it to
> why you shouldn't.
>
> From: This list is for those interested in Data Protection issues [mailto:data-
> [log in to unmask]] On Behalf Of Mansfield, Tom
> Sent: 17 October 2017 17:20
> To: [log in to unmask] <mailto:data-
> [log in to unmask]>
> Subject: Re: [data-protection] Data breach notification
>
> Thanks for this,
>
> I've had a look through and have some thoughts:
>
> - It seems even what would be considered a minor breach (i.e. a letter
> sent to the wrong address) would now be a reportable breach. I'm
> interested in how this will impact upon the workload of the ICO or how they
> will reasonably be able to process this many notifications. If other public
> sector bodies are like my previous employers there would be at least 5-10
> breaches of this type a month.
>
> - The threshold for reporting seems incredibly low and whilst the ICO
> have said they don't anticipate a huge ramping of fines I am sure that they
> are not prepared for the large volume of requests that are likely to result
> from the reporting as recommended by the Article 29 WP.
>
> - Will the response by the ICO likely be as it is currently where they ask
> 8/9 detailed questions about each breach and responses by the organisation
> to that breach? Because if we are having to manage these investigations for
> every breach no other work will be done (unless you have an extensive
> team).
>
> Do people have any thoughts on how the ICO might be responding?
>
> Cheers,
>
> Tom
>
> ________________________________
>
> All archives of messages are stored permanently and are available to the
> world wide web community at large at http://www.jiscmail.ac.uk/lists/data-
> protection.html
>
> Selected commands (the command has been filled in below in the body of
> the email if you are receiving emails in HTML format):
>
> * Leaving this list: send leave data-protection to
> [log in to unmask] <mailto:[log in to unmask]&BODY=LEAVE data-
> protection>
> * Suspending emails from all JISCMail lists: send SET * NOMAIL to
> [log in to unmask] <mailto:[log in to unmask]&BODY=SET *
> NOMAIL>
> * To receive emails from this list in text format: send SET data-
> protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection NOHTML>
> * To receive emails from this list in HTML format: send SET data-
> protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection HTML>
>
> All user commands can be found at
> https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and
> are sent in the body of an otherwise blank email to [log in to unmask]
> <mailto:[log in to unmask]>
>
> Any queries about sending or receiving messages please send to the list
> owner [log in to unmask] <mailto:data-protection-
> [log in to unmask]>
>
> (Please send all commands to [log in to unmask]
> <mailto:[log in to unmask]> not the list or the moderators, and all
> requests for technical help to [log in to unmask]
> <mailto:[log in to unmask]> , the general office helpline)
>
> ________________________________