Friday’s global IT outage, caused by the CrowdStrike software update, is likely to continue to have an impact on critical systems this week. NHS England says that health service IT systems are back online but has warned that there may still be disruption, particularly with GP services who may need time to rebook appointments.
The question now for Data Protection Officers, in the UK and EU, is whether the CrowdStrike outage is a personal data breach under the UK and EU GDPR (hereinafter referred to as GDPR, since the law is effectively the same). If it is, it may need to be reported to the data protection regulator (in the UK, the Information Commissioner’s Office (ICO)) and even to the individuals whose services have been affected, e.g. patients, customers and service users.
Before making this decision, DPOs need to go back to first principles. The law on reporting data breaches is set out in Articles 33 and 34 of the GDPR. Article 33 states:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification under this paragraph is not made within 72 hours, it shall be accompanied by reasons for the delay.”
The term “personal data breach” has a very specific meaning which is set out by Article 4:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
So to even start to consider whether an incident needs to be reported, a DPO needs to consider whether it is “a breach of security” and, if it is, whether this breach has led to the consequences set out in Article 4 above, i.e. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In deciding this question, many have jumped straight to focussing on the consequences of the incident, because it left many organisations unable to access critical data, which had a considerable impact on individuals; for example, GPs were unable to access patient medical records. They say it is a personal data breach due to lack of availability of data. They rely on the ICO guidance which states:
“A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.”
The European Data Protection Board (EDPB) guidance also classes lack of availability of personal data as a key factor. In footnote 18 on page 8, it states that:
“It is well established that “access” is fundamentally part of “availability”. See, for example, NIST SP800-53rev4, which defines “availability” as: “Ensuring timely and reliable access to and use of information,” … CNSSI-4009 also refers to: “Timely, reliable access to data and information services for authorized users”. … ISO/IEC 27000:2016 also defines “availability” as “Property of being accessible and usable upon demand by an authorized entity”.”
For an alternative view on the meaning of “loss” in Article 4, it is worth reading Jon Baines’ personal blog.
Few have considered the first aspect of the definition of a personal data breach set out in Article 4, i.e. is the CrowdStrike incident a “breach of security”? The cause of the incident has been identified as an update CrowdStrike made to its cloud-based software product called Falcon. When CrowdStrike pushed the update, which interacts with other parts of computer systems and software such as Microsoft’s Windows products, it caused a malfunction that disabled those systems and their widely used pieces of software the world over. In short, the outage was caused by a planned software update which went wrong; ironically, the software intended to protect against crashes and disruptions in vital computer systems ended up crashing them!
In a post on X, formerly Twitter, George Kurtz, president and CEO of CrowdStrike, said:
“This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed.”
Some would say, “he would say that, wouldn’t he!” Our point is that, when deciding whether to report an incident as a personal data breach, rather than focussing first on the consequences, DPOs should first consider whether it is a “breach of security” or, perhaps in this case, planned maintenance (albeit maintenance which went disastrously wrong). EDPB guidance says:
“To be clear, where personal data is unavailable due to planned maintenance being carried out this is not a “breach of security” as defined in Article 4(12).”
Of course, even if the CrowdStrike incident is not a reportable data breach, this does not mean that there will be no repercussions for organisations that suffered an outage. The GDPR includes stand-alone obligations on Data Controllers to ensure they have technical and organisational measures in place to keep personal data safe and secure.
We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations that wish to upskill their employees in cyber security. See also our Managing Personal Data Breaches Workshop.