Personal Data Breach
Definition
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR Article 4(12)). The definition covers three kinds of breach, which can occur separately or together: confidentiality breaches (unauthorized or accidental disclosure of, or access to, personal data), integrity breaches (unauthorized or accidental alteration), and availability breaches (accidental or unauthorized loss of access to, or destruction of, personal data). A ransomware incident that encrypts records without exfiltrating them is therefore still an availability breach even though no data leaves the organization. Breaches can result from cyberattacks, human error (such as an email sent to the wrong recipient), system failures, or physical loss or theft of devices and documents.

Under the GDPR, a controller must notify the competent supervisory authority of a breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a notification made after 72 hours must state the reasons for the delay (Article 33). A processor that becomes aware of a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay, in clear and plain language (Article 34). The notification to the authority must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), the contact details of the data protection officer or another contact point, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects; the information may be provided in phases if it is not all available at once. Controllers must document every breach, including those assessed as not requiring notification, recording the facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance (Article 33(5)).

In the United States, breach notification is governed by state statutes, which are typically triggered by unauthorized acquisition of or access to defined categories of personal information (for example, a name combined with a Social Security number, driver's license number or financial account credentials), with timing and content requirements that vary by state. The CCPA does not itself impose a notification duty; instead, Cal. Civ. Code § 1798.150 gives consumers a private right of action, including statutory damages, when nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business's failure to implement and maintain reasonable security procedures and practices. Failing to detect, report and handle breaches properly can therefore lead to regulatory penalties and litigation, as well as reputational damage, beyond the harm of the breach itself.
Applicable Laws & Regulations
- GDPR Article 4(12), Articles 33-34
- GDPR Recitals 85-87
- State Breach Notification Laws
- CCPA § 1798.150