W29 (endorsed by EDPB): Guidelines on personal data breach notification
What you need to know about mandatory reporting of breaches of security safeguards — Office of the Privacy Commissioner of Canada (2018)
CNIL: 2018 Statistical review of data breaches

From a US perspective, we perceive the current EU trend as over-notifying as the threshold between a incident and a breach has had more time to develop on this side of the Atlantic (in California breach notification is a requirement since 2002).

Privacy Fellow / Program Co-Director / Professor
Santa Clara Law School
Data Protection Law Blog: Golden Data
Twitter: @dltsays
Phone 408 554 2766


On Thu, Jul 11, 2019 at 6:21 AM Phil Bradshaw <[log in to unmask]> wrote:
Scenario

Sensitive personal data is exposed in circumstances where the controller is not at fault. Procedures were robust, industry standard, and followed. Incident was third party intervention outside of controllers knowledge or control. In terms of impact meets reportability criteria to go to ICO. Having discovered we are taking all possible, albeit limited, mitigations.

Pretty clear to me this is reportable - expected outcome -  no action required.

Others are arguing there is no "breach of security" - the trigger as defined in Art 4(12) - just an incident. To my mind security is breached at point of failure - fault and breach of the DP principles is an entirely separate question

What I cannot find is anything specific in ICO or A29WP or ISO27040 guidance I can quote at them. Any pointers ?

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=DwIFaQ&c=iVyFbx9TtkoGWXYs40w9MA&r=Pgrq90vq1RKyD-pj5UUL7_Bf_GcOTz6TPpDvrYpaJLU&m=S94mKVL748zPMaK3wSaKowcckUPuNeDG0jiKPapYTWk&s=YDG9Wcc47yuIo51KmkgrhENFRm_xXGNd7BqELsUwFM4&e=
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=https-3A__www.jiscmail.ac.uk_help_subscribers_subscribercommands.html&d=DwIFaQ&c=iVyFbx9TtkoGWXYs40w9MA&r=Pgrq90vq1RKyD-pj5UUL7_Bf_GcOTz6TPpDvrYpaJLU&m=S94mKVL748zPMaK3wSaKowcckUPuNeDG0jiKPapYTWk&s=pprP5i-Oz6A5IOMd1IUUD1oPqxB3eVRoy9pPQsQS8fs&e=
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)