1. Introduction
Laws around the world impose strict data security obligations on organisations that process personal data, and in some cases require them to report data breaches to data protection authorities and individuals affected. In addition to significant sanctions for failing to take appropriate technical and organisational measures (TOMs), and potentially for failing to report a data breach, organisations may suffer, among other things, loss of stakeholder trust, reputational damage and disruption of business activities as a result of a data breach, leading to economic losses. Furthermore, there are significant costs associated with managing a data breach and remediating the damage caused.
Investing in data security to prevent data breaches and being prepared to respond in the event of a data breach is therefore worthwhile not only to comply with legal obligations, but also to avoid negative consequences for the organisation and its stakeholders.
This article elaborates on what constitutes a personal data breach and what a data breach prevention and response strategy might look like. It focuses on data breaches involving personal data and takes the requirements under the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR) as a starting point, but without limiting itself to these laws. In particular, it also considers the incident notification requirements under the Swiss Information Security Act (ISA) and the EU Directive on measures for a high common level of cybersecurity across the Union (NIS2).
2. What is a personal data breach and its potential consequences?
A personal data breach (data breach) occurs when personal data held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. The FADP defines the term as “a breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification or unauthorised disclosure or access to personal data”. Privacy laws in other jurisdictions contain similar, though not identical definitions. A cyber incident (incident), on the other hand, is defined by the ISA as “an event within the use of IT infrastructure that results in the confidentiality, availability or integrity of information or the traceability of its processing being compromised”.
The EDPB’s Guidelines 9/2022 on Data Breach Notification under the GDPR divide data breaches into three security principles:
- Confidentiality breach – unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach – unauthorised or accidental alteration of personal data.
- Availability breach – unauthorised or accidental loss of access to, or destruction of, personal data.
Examples of data breaches include the loss or theft of a data carrier containing unencrypted personal data, the penetration of an organisation’s computer systems for the purpose of copying, exfiltrating, and misusing personal data, a ransomware attack where the attacker encrypts data and demands a ransom in exchange for the decryption key, the unauthorised downloading of personal data by a terminated employee for private use or the inadvertent disclosure of personal data to unauthorised persons, e.g., by sending it to an incorrect e-mail address.
A data breach may have various negative effects on individuals and result in physical, material and immaterial damage. It may, for example, cause the affected individual to lose control over their personal data, to be restricted in the exercise of their personal rights or to suffer financial loss, personal disadvantage, emotional distress, embarrassment, humiliation or damage to their reputation. Possible consequences may also include identity theft or fraud, loss of employment or business opportunities, unwanted marketing or spam or other significant economic or social disadvantages.
Organisations can also suffer harm as a result of a data breach. Responding to a data breach and potential subsequent complaints and implementing remedial actions may have financial, legal and resource implications. Data breaches can further result in reputational damage and loss of stakeholder trust.
3. Data breach notification requirements
Many countries around the world have introduced data breach notification regulations and data security obligations. Further to notification requirements under data protection laws, there are other laws imposing notification obligations for incidents, irrespective of whether personal data is involved or not.
In Switzerland, the revised ISA introduced a reporting obligation for operators of critical infrastructures, such as energy & drink water supply, waste disposal, finance, healthcare, information & communication, food & drink, transport, traffic, safety and security. As of 1st April 2025, they must report to the National Cyber Security Centre (NCSC) any cyberattacks that endanger the functionality of the affected critical infrastructure, have led to manipulation or leakage of information, have remained undetected for an extended period of time or are associated with blackmail, threat or coercion. Reports must be submitted within 24 hours of discovery of the cyberattack and must contain information on the affected organisation, the type and execution of the cyberattack, its effects, the measures taken and, if known, the planned further course of action.
In the EU, NIS2 applies to companies active in sectors including energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers and research. Affected entities must notify their computer security incident response team (CSIRT) or, where applicable, the competent authority of any significant incident by providing an early warning within 24 hours of becoming aware of the incident, an incident notification updating the information provided with the early warning and giving an initial assessment of the incident within 72 hours, and a final report not later than one month after the submission of the incident notification, including a detailed description of the incident, its severity and impact, the type of threat or root cause that is likely to have triggered the incident, applied and ongoing mitigation measures and, where applicable, the cross-border impact of the incident. An incident is considered significant if it has caused, or can cause, severe operational disruption of the services or financial loss for the entity concerned or has affected, or can affect, other natural or legal persons by causing considerable material or non-material damage.
4. Data breach prevention and response strategy
Although security requirements and the conditions and modalities of notification obligations may vary from country to country, any organisation that processes personal data should define and implement a data security and breach management strategy to ensure adequate data security and risk mitigation in the event of an incident and be prepared to deal with any data breaches.
The data breach prevention and response strategy does not need to be stand-alone but can and should be aligned with other internal data management and security strategies, e.g., information security, where possible. It should cover three key factors: prevention, response and improvement.
4.1 Prevention – Implement appropriate TOMs
Even with the best possible security, data breaches cannot be completely avoided. However, data breaches are often the result of a vulnerable and outdated security regime or system weaknesses. Prevention through the adoption of appropriate security measures is therefore key to preventing vulnerabilities in systems or insufficient security that can potentially lead to a data breach.
Data and risk mapping: The first step to implement appropriate TOMs is to determine what types of data and personal data the organisation processes, who the data subjects are and their locations, where the data is stored and who should have access to it. This requires the mapping of all data systems, products and services that process personal data and their classification. Organisations should then assess the risk level to their organisation and to individuals in case of a data breach, identify the possible types of attacks and, based on that understanding and the level of risk, take the appropriate TOMs to mitigate the consequences in case of a data breach.
Implementation of TOMs: Based on the risk level, such TOMs may include state-of-the-art encryption of the data and separate back-ups to mitigate the consequences of a ransomware attack or the loss of a device containing personal data. Further measures such as key management, regular system updates, strong authentication methods, firewalls, etc. may help mitigate the consequences of data exfiltration. Regular awareness campaigns and training to staff, instructions on how to use company devices and information as well as technical measures and controls may help to prevent human errors.
Applicable laws and competent authorities: Organisations should assess which data protection and other laws apply to them in case of an incident and/or data breach. This should include assessing whether an entity is covered by the ISA and/or NIS2. Based on this knowledge, organisations should determine which authorities to notify in case of an incident and/or data breach. This insight will help save valuable time in the event of an incident.
External resources and insurance coverage: Besides the implementation of robust TOMs, organisations should evaluate in advance what type of external expertise is required in the case of a data breach and ensure that such expertise is available on short notice, which may require the negotiation of frame contracts in advance. Additionally, organisations may consider holding an insurance policy for data breaches.
4.2 Response – Implement a data breach response plan
4.2.1. Why a data breach response plan?
Due to the usually very short reporting timelines, it is critical that organisations handling personal data put in place a documented data breach response plan to help them mitigate the impact on the organisation and affected individuals and the costs resulting from the data breach, meet their data security obligations, protect important business assets, including personal data of their employees and clients and the company’s reputation, deal with negative media or stakeholder attention and instil public confidence and trust in the organisation.
The data breach response plan should be aligned with other plans as appropriate, such as existing security incident response, disaster recovery, business continuity, or contingency plans, to ensure effective management with clear responsibilities, avoid duplication, and leverage synergies.
4.2.2. Content of a data breach response plan
A data breach response plan should establish the rules and processes on how to handle a data breach in compliance with internal standards and legal and regulatory requirements. It should outline what a data breach is, possibly by providing examples tailored to the specific organisation, allocate roles and responsibilities and describe the process for handling a data breach, from detection to notification, documentation and risk mitigation.
4.2.3. Establishment of an incident response team
While in small organisations, the managing director or owner is often the person who deals with a data breach, usually with external assistance, establishing an incident response team has proven effective in mid-sized and larger organisations. The purpose of such a team is to ensure that in the event of a data breach, the relevant functions are immediately engaged, and data breaches can be promptly addressed, the risks assessed, and any required notifications made in a timely manner.
The composition of the team will depend on the organisation and the nature of the business, but will typically require different skill sets, which can be ensured by involving internal functions and external legal, data forensics, and media management experts. Organisations should assess in advance what type of external expertise is needed and ensure that this expertise is available on short notice. The organisation should maintain and regularly update a list of team members, including their roles, responsibilities, contact details and delegates. Team members should receive regular training and participate in mock exercises. The response team should consist of a core team that includes, at a minimum, the data protection officer and the information security officer, and should be extended to other functions such as human resources, research and development or communications, as well as outside legal counsel and forensic analysts, depending on the severity and nature of the incident.
Furthermore, corporate management bodies should oversee, approve and be trained on the cybersecurity measures taken by the organisation.
4.2.4. Process for responding to a data breach
The process for responding to a data breach typically includes different steps:
Detection and reporting: Each employee should know how to recognise a potential data breach and how to report it to the incident response team, who will immediately perform a preliminary evaluation and determine whether the incident qualifies as a data breach.
Containment: Once the source of the data breach has been identified, the data breach should be contained immediately to prevent further exposure of personal data, for example by remediating identified vulnerabilities in systems, recovering records, shutting down the compromised system, restricting access to data, recalling emails containing personal data sent to the wrong recipients, or deleting them from the accounts of the unintended recipients.
Investigation: The incident response team should investigate and document the facts and circumstances of the data breach, including the causes and the nature of the data breach (breach of confidentiality, availability, or integrity), the nature, scope, sensitivity and origin of the personal data involved, the type, number, and location of data subjects, applicable data protection laws and notification requirements.
Risk evaluation: Based on the outcome of the investigation and considering the type of personal data compromised, the extent of the data breach and the type and number of individuals affected, the incident response team must assess the level of risk for data subjects and the organisation. To assess the risk level, they must determine the impact the data breach could have on the rights and freedoms of individuals and the likelihood that this impact will actually occur. The greater the impact and the likelihood, the higher the risk. Essential elements for determining the impact on individuals are the ease of their identification and the severity, i.e. the harm that can be caused by the data breach. Key elements to determine the likelihood of the impact actually occurring are the potential vulnerabilities and the ability to exploit those vulnerabilities or the intent of the individuals accessing or possessing the data (was the data exfiltrated by a hacker with malicious intent or sent to the wrong recipient within the organisation by mistake?).
Escalation: The data breach response plan should define the internal escalation process, depending on the severity and extent of the breach, the level of risk identified, and the notification requirements.
Notification: Based on the facts and the risk evaluation, the incident response team determines whether the data breach must be notified to data protection authorities and affected individuals, and if so, when, where, and how. The incident response team should also address notification of other authorities, such as the NCSC for notifications under the ISA or the NIS2 competent authority for notifications under NIS2. The data breach response plan should determine which function is responsible for notifying the authorities and individuals. In general, the notification of a data breach is assigned to the data protection officer. Notification of an incident subject to other laws may be assigned to other functions. It is recommended to coordinate notifications and to work through and document scenarios requiring notification.
Documentation: Any data breach, whether notified to data protection authorities and/or individuals or not, should be documented, including the facts and circumstances of the breach, its effects, the corrective actions taken and planned to prevent future similar data breaches, the risk evaluation and the justification for the decisions made with respect to the notification to data protection authorities and individuals.
4.2.5. Considerations in implementing a data breach response plan globally
Given the large number of countries with data breach notification requirements, globally operating companies are faced with the challenge of finding solutions that are as comprehensive and uniform as possible while at the same time considering the specifics of the individual countries.
When implementing a data breach response plan globally, companies must consider local data privacy and security laws, as well as notification requirements and modalities, languages, and cross-border data transfer restrictions, and align the data breach response plan accordingly. Companies should also define the internal reporting channel for discovered data breaches. Depending on their organisational set-up, they could establish one global reporting channel or separate regional or local reporting channels. Organisations must further determine where data breaches should be documented (in a centralised system or locally), and whether a global incident response team should be deployed around the world, or regional/local response teams be established.
4.3 Improvement – Address security gaps to prevent future similar data breaches – regularly re-evaluate the data breach response plan to increase effectiveness
The third phase of the data breach response strategy consists of improvements in two respects: addressing identified vulnerabilities to prevent future similar data breaches and increasing the effectiveness of the data breach response plan.
Address identified security gaps to prevent future similar data breaches. Once the notification and documentation process is complete, the incident response team should determine and implement appropriate measures to prevent future similar data breaches. Depending on the type of data breach and the root cause, such measures may include, for example, conducting regular security audits, reviewing and updating policies and procedures, reviewing and amending contracts with third parties to ensure appropriate data breach handling, restricting the downloading of personal data to mobile devices without adequate security protection and regular training for the business units concerned.
Periodically re-evaluate the data breach response plan to increase its effectiveness, considering changes in applicable data protection laws, best practices and internal business requirements.
5. Conclusion
Data security is one of the essential obligations of any organisation that processes personal data. A breach of the confidentiality, integrity or availability of data can have negative consequences not only for the individuals concerned, but also for the responsible organisation. A data breach can result in notification obligations, significant costs to contain the data breach and repair the damage, as well as loss of stakeholder trust, reputational damage, and business disruption. Investing in data security to prevent data breaches and being prepared to respond in the event of a data breach is therefore essential for any organisation to meet its legal obligations and avoid negative consequences for itself and the individuals affected.