Well, yesterday Chris Best emailed a bunch of Substackers with what people deem a personal “apology”.
If you are based in Europe and were affected by the Substack Data Breach, you probably got this exact email.
As a privacy professional working in IT companies for 10+ years, I wanted to underline some things:
Chris Best did not email you or us personally… it seems like the security email was used. Sorry! Maybe next time!
This was not an apology; it was a legally required data breach disclosure under Article 34 GDPR.
The email makes it seem like no biggie… but this breach notification is required to be sent out when the data breach “is likely to result in a high risk to the rights and freedoms” of the people affected.
The language makes it seem like it was an “upsie”, we shared data, but it was a breach! Someone not from Substack was able to get into Substack’s systems and access user data and metadata! What metadata!?!
So you should not feel flattered that Chris Best emailed you…
I for one am concerned.
Why was this breach only noticed 5 months later?…
Subscribe to Legally speaking where I regularly translate legal jargon into what’s really being said … what’s really happening and sometimes as importantly… what isn’t being said at all!
Feb 6 at 2:33 AM