Failure to implement appropriate security measures for data can result in data loss
The President of the Personal Data Protection Office fined a company selling, inter alia, burglar-proof doors, more than PLN 350 thousand for failure to comply with data protection rules. The partners of the civil partnership entrusted by the company with data processing were fined PLN 9.8 thousand.
The company reported that it had lost access to customer and employee data as a result of a hacking attack. The database contained, among other things, data of former and current employees: national identification numbers (PESEL), ID card numbers, first and last names, parents' names, dates of birth, bank account numbers, home or residence addresses, e-mail addresses and telephone numbers. According to the company, one of its employees disabled the anti-virus software, which made the ransomware attack possible. The controller argued, however, that the incident was short-lived and that the company managed to regain access to the data. It also took the view that the purpose of the attack was not to obtain data but to extort a payment, and concluded on that basis that there was no high risk to the rights or freedoms of individuals. The company (the data controller) did notify the data subjects of the breach, but it did so in a flawed manner and did not respond to the comments of the Polish SA.
The President of the Polish SA comprehensively considered the evidence gathered in the case and also asked the company (the data controller) what solutions it had implemented after the attack. As a result, the President of the Personal Data Protection Office found that the data controller had not implemented appropriate technical and organisational measures to mitigate the risk to the data, because, contrary to the requirements of the GDPR, it had not carried out an adequate risk analysis. In these circumstances the risk analysis should have taken into account the possibility of malware. One of the key methods of preventing such attacks is to keep the software of all elements of the IT infrastructure up to date. The company did not do this, because it never identified such a threat in the first place.
Apart from the controller's failure to implement appropriate technical and organisational security measures on the basis of a risk analysis, the fine was also imposed for: failure to verify that the processor provided sufficient guarantees of implementing appropriate technical and organisational measures so that the processing would meet the requirements of the GDPR and protect the rights of data subjects (point I(b) of the operative part of the decision); and incorrect communication of the breach to the data subjects (point I(c) of the operative part of the decision).
The controller also failed to comply with the principle of accountability under the GDPR (Article 5(2) of Regulation 2016/679), both before and after the incident. At no stage of the processing of personal data did it precisely identify all identifiable risks and threats, which made the implemented security measures ineffective. The measures implemented after the attack were likewise inadequate: the controller was not able to demonstrate that they were appropriate to the risks, because it had never examined those risks.
The controller pointed to a person (the human factor) as being at fault, but by its own admission it had conducted only two data protection training sessions, and only one of them before the incident. That is not enough if the controller believes that the human factor poses a risk to the data in its organisation.
The President of the Personal Data Protection Office also found irregularities in the way the controller notified its former and current employees of the breach of their personal data.
The President of the Personal Data Protection Office also addressed the liability of the partners of the civil partnership to which the controller had entrusted data processing. He pointed out that they had failed to assist the controller in complying with its obligation to implement adequate technical and organisational measures ensuring the security of personal data processing. Such assistance should have consisted of informing the controller of the lack of adequate security measures for the server used in the processing of personal data, irrespective of whether or not that lack was exploited by the perpetrators of the ransomware attack and, as in this case, led to a personal data breach. Over the years, the processor neglected to inform the controller about the vulnerabilities present in the server's software (one of which was successfully exploited by the perpetrators of the attack) and about the need to upgrade the operating system to the latest available version or to adopt other, newer technical solutions.