Circumstances of the breach (CB)

The elements considered under CB are the loss of security (confidentiality, integrity, availability) and malicious intent. They are complementary to DPC and EI, as follows:

Loss of confidentiality: Loss of confidentiality occurs when the information is accessed by parties who are not authorized or don't have a legitimate purpose to access it. The extent of loss of confidentiality varies by the scope of disclosure, i.e. the potential number and type of parties that may have unlawful access to the information.

Loss of integrity: Loss of integrity occurs when the original information is altered and the substitution of data can be prejudicial for the individual. The most severe situation occurs when there are serious possibilities that the altered data have been used in a way that could harm the individual.

Loss of availability: Loss of availability occurs when the original data cannot be accessed when there is a need for it. It can be either temporary (the data are recoverable, but recovery will take a period of time and this can be detrimental for the individual) or permanent (the data cannot be recovered).

Malicious intent: This element examines whether the breach was due to an error or mistake, either human or technical, or was caused by an intentional action of malicious intent. Non-malicious breaches include cases of accidental loss, inadequate disposal, human error and software bugs or misconfiguration. Malicious breaches include cases of theft and hacking aiming to harm the individuals (e.g. by exposing their personal data to unauthorized third parties). In other cases malicious intent might include the transfer of personal data to third parties for profit (e.g. selling lists of personal data). In some cases malicious intent could also be inferred from actions aiming to harm the data controller (e.g. through stealing and exposing the personal data to unauthorized parties). Malicious intent is a factor that increases the likelihood that the data is used in a harmful way, since this was the initial purpose of the breach.

With regard to CB scoring, contrary to DPC and EI where the maximum score reached is chosen, the points obtained for each CB element are added to obtain the final score, as different circumstances can occur in the same breach. Assessment Table 3 provides different scores per CB element and for different types of circumstances.

Last modified: Saturday, 20 February 2021, 10:39 PM