Data security breaches under the upcoming revised Federal Act on Data Protection

What is considered a «data security breach» under the revised FADP?

The revised Federal Act on Data Protection (FADP), which is expected to enter into force towards the end of 2022/ early 2023, describes a data security breach as a «security breach which leads to an unintentional or unlawful loss, deletion, destruction, or modification of personal data or to personal data being disclosed or made accessible to unauthorized persons».

Causes for data security breaches may include, for example, criminal hacking, human error, social engineering, malware, unauthorized use within the company (privilege abuse or data mishandling) or loss or theft of devices (e.g. laptops), storage devices or paperwork.

What are the formal notification requirements under the revised FADP?

In the event of a data security breach, the revised FADP imposes a formal notification duty to companies acting as data controllers, similar as under the EU General Data Protection Regulation (GDPR). Differing from the GDPR which sets a timeline of 72 hours after becoming aware of a breach, the revised FADP sets no specific time frame to notify the Federal Data Protection and Information Commissioner (FDPIC) but provides that the notification shall occur as soon as possible, if the breach is likely to result in a high risk to the personality of the affected persons (e.g. the company’s customers, employees, etc.). In addition, the revised FADP requires data controllers to notify the affected persons if it necessary for their protection or if the FDPIC so requests.

Service providers, e.g. cloud providers, who are processing data on behalf of the impacted company as data processors are obliged to notify the impacted company (data controller) as soon as possible of any data security breach.

Other regulatory notification or reporting requirements may apply in addition to those under the FADP, in particular with respect to companies in regulated sectors such as in the financial industry, and/or listed companies. In certain circumstances it may also be appropriate to notify the National Cyber Security Center (NCSC) or to file a criminal complaint with the competent law enforcement authorities (see our recent Insight article on Cyberlaw  for more details).

What preventive measures should companies take under the revised FADP?

To avoid data security breaches, data controllers and processors must ensure the security of personal data through technical and operational measures (TOMs). The TOMs must be appropriate with regards to the state of the art, the type and the extent of data processing and appropriately address the risks of the relevant data processing activity. The minimum requirements will be set forth in the upcoming ordinance to the FADP, the final version of which has still not yet been published (however, the basic elements are not expected to be altered).

In essence, the TOMs should be designed to address the specific risks inherent to a processing activity and personal data involved. The following will need to be considered:

1. the purpose, nature, scope and circumstances of the specific data processing activity
2. the probability of occurrence of a breach of data security and the potential consequences for the concerned persons
3. the state of the art
4. the implementation costs

Based on this assessment, the measures may need to apply special controls (e.g. regarding access, transport, recovery, etc.). Data controllers will need to review the TOMs at appropriate intervals throughout the processing lifecycle. Under the revised FADP, failure to comply with the minimum data security requirements may under certain conditions be subject to criminal fines of up to CHF 250’000 targeted at the responsible individuals acting on behalf of the company.