GDPR: Breach Notification

I think there are areas where LastPass has done well and areas where they fall short.

Firstly, LastPass's initial communication on August 25 2022 was sent two weeks after detecting a breach, which is reasonably timely considering they needed time to investigate the incident [1]. EDPB guidelines mandate that controller should inform individuals timeously upon reasonable certainty of a breach [2]. It is important to note there was no evidence of any personal data breach at that time and they actually did not have any obligation to notify their customers.

LastPass sent a total of four communications over four months with increasing amounts of detail as the investigation progressed [1]. The practice of sending notifications in phases is recommended in the EDPB guidelines to balance the need for timely as well as detailed notifications [3].

However, LastPass fell short when it came to explaining the possible high risk to individual's privacy from the breach of unencrypted URLs. LastPass is a password manager, a URL signifies that the customer has an account with a specific website. Having an account with Morgan Stanley exposes an individual as a HNWI. Having an account on Autism Forum or Grindr exposes health and sexual orientation data respectively, which are special categories of data under GDPR. Instead, LastPass focused on their state-of-the-art password encryption which is technically a non-issue and didn't need to be disclosed since the confidentiality of the key was not compromised [4].

As for USS, I believe their response could have benefited from including the date of the breach to demonstrate timely response. It is difficult to compare the measures taken by LastPass and USS. LastPass provides a free service that anyone in the world can sign up for. Membership to USS is more exclusive and USS prima facie charges its members investment management fees. Mandating that controllers take action at their own expense might stifle companies that offer free services. Perhaps, we can take reference from the proposed Digital Services Act and vary the requirements based on the size and resources available to an organization [5].

I believe more should be done preventively instead of reactively. Once information has been leaked, it remains out there indefinitely. We cannot expect individuals to be in a heightened state indefinitely or for companies to offer lifelong credit monitoring. We should prevent breaches by stepping up cybersecurity. In his article, Wolters mentioned that a IT security firm protecting a hypothetical energy company has no obligations under the GDPR as it is not processing any personal data and the GDPR does not harmonize the expectation on services delivered by the IT security firm [6].

In this area, Singapore has been one of the first countries to mandate licensing for firms delivering cybersecurity monitoring and assessment services [7]. Licensing ensures a minimum standard of service and should greatly improve preventive measures. Companies can no longer engage a fly-by-night security firm to do a 10 minute security assessment just to rubber-stamp that compliance requirement.

In a data breach, the negative externalities are experienced mainly by individuals whose data are being compromised and not the companies breached. Thus, there is a need for effective legislation to ensure companies internalize that cost and make genuine efforts to secure personal data.

[1] Karim Toubba, 'Notice of Recent Security Incident' (LastPass, December 22, 2022) accessed 29 October 2023

[2] EDPB, Guidelines 9/2022 on Personal Data Breach Notification Under GDPR accessed 29 October 2023, para 83

[3] ibid, para 57

[4] ibid, para 75

[5] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L 227/1, para 41

[6] Wolters PTJ, 'The Security of Personal Data Under the GDPR: a Harmonized Duty or a Shared Responsibility?' (2017) 7 International Data Privacy Law 165, pp 171

[7] Cybersecurity Act 2018, Part 5