In its Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, the EDPB classifies a ransomware attack as a breach primarily of?
Correct Answer: A
The EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification explicitly classify ransomware incidents as availability breaches when data becomes encrypted and unavailable to the controller, even if confidentiality is not proven to be affected.
The Guidelines state:
"In a ransomware attack where data is encrypted and the controller no longer has access to the personal data, this constitutes a breach of the availability of personal data. Where the attacker also exfiltrates the data, this would additionally constitute a confidentiality breach."
Thus, the primary classification of ransomware is an availability breach. Confidentiality may also be impacted depending on the attack specifics, but the baseline category is availability.
#Reference:
* EDPB Guidelines 01/2021 on Personal Data Breach Notification Examples, Ransomware scenarios.
* CIPP/E Textbook (3rd ed.), Chapter 10 "Security of Personal Data" (types of data breaches: confidentiality, integrity, availability)