PONT Data&Privacy

What exactly is a data breach?

Autoriteit Persoonsgegevens February 25, 2020

Question & Answer

ANSWER

A data breach involves unauthorized or unintended access to personal data. But it also involves the unwanted destruction, loss, alteration and disclosure of personal data. This, too, can cause harm to the individuals involved.

The term "data breach" does not appear in the law. Instead, the General Data Protection Regulation (GDPR) talks about a "personal data breach."

This occurs in the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed (Article 4, paragraph 12, GDPR).

Categories of data breach

Three categories of data breach can be distinguished:

  • Breach of confidentiality
    When there is an unauthorized or inadvertent disclosure of, or access to, personal data.

  • Breach of integrity
    When there is an unauthorized or inadvertent alteration of personal data.

  • Breach of availability
    When there is an unauthorized or accidental loss of access to, or destruction of, personal data.

A data breach can fall into more than one of these three categories, depending on the circumstances.

Examples of data breaches

Examples of data breaches include:

  • The loss of a USB flash drive containing unencrypted personal data;

  • A cyber attack in which personal data was captured;

  • A ransomware infection in which personal data has been rendered inaccessible.