Read even more news at DataProtection.News

Category Archives for "Security"

10 GDPR fines and what to learn from them

Recently I was looking at fines for GDPR breaches to get better understanding on data protection landscape at the moment. I selected 10 from just December 2020 and January 2021 which were biggest or most interesting. There are more loud fines being issued already in February which I did not include in the list. But I am sharing my observations and takeaways in hopes you will find them interesting and useful, too.

1) Germany: €10.4M fine against notebooksbilliger.de for employee video monitoring without a legal basis

Fine: €10.4 million

The Lower Saxony data protection authority issued a €10.4 million fine against notebooksbilliger.de AG for video monitoring its employees for over two years without any legal basis. DPA noted that the cameras recorded workplaces, sales rooms, warehouses, and common areas, among other places, and that notebooksbilliger.de claimed that the aim of the video camera installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses.

The DPA stated that, in order to prevent theft, a company must first examine milder means, such as random bag checks when employees are leaving the business premises. In addition, video surveillance to uncover criminal offences is also only lawful if there is justified suspicion against specific persons, and that, if this is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de video surveillance was neither limited to a specific period of time nor to specific employees, and that, in many cases, the recordings were saved for 60 days, which is significantly longer than necessary. In addition, the DPA outlined that customers of notebooksbilliger.de were also affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the video surveillance by notebooksbilliger.de was not proportionate in these cases.

Takeaway

  • Video monitoring is particularly privacy invading processing and requires thorough evaluation of purpose, necessity, proportionality, location of cameras, records retention etc.

Press release: https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html

2) Spain: AEPD fines CaixaBank €6M for consent and information failures

Fine: €6 million

A customer and non-profit organization alleged that the bank’s framework agreement prevented customers from negotiating the terms of their contracts and forced them to consent to the processing of their personal data. The AEPD agreed with the complainants stating that the evidence the bank brought in their defence was imprecise, vague, not uniform and did not provide sufficient justification for their legal basis for data processing and transferring data to third parties (including other companies within the CaixaBank Group).

Takeaways

  • Consent must not be forced upon customer; invalid consent means illegal processing of data.
  • Processing based on legitimate interests must be justified.
  • Information on processing activities and data retention must be precise and provided in uniform manner.
  • Also data transfers within group must comply with GDPR requirements.

The fine represents the largest financial penalty issued under the GDPR by the AEPD to date

AEPD decision: https://www.aepd.es/es/documento/ps-00477-2019.pdf

3) Spain: AEPD fines BBVA €5M for GDPR information and consent failures

Fine: €5 million

The Spanish data protection authority (AEPD) fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) €2 million for a violation of transparency principle – it provided insufficient information about the category of personal data processed, especially in relation to customer data obtained through products, services, and channels, – and €3 million for failure to obtain consent before sending promotional SMS messages to a customer, and did not have in place a specific mechanism for consent to be obtained.

Takeaways

  • Transparency about processing activities is one of pillars of GDPR compliance, so is obtaining proper consent where necessary.a

AEPD decision: https://www.aepd.es/es/documento/ps-00070-2019.pdf

4) Sweden: Companies fined for no risk analysis regarding the access to data

Fines:

  • Capio St. Göran: €2,9 million (SEK 30,000,000)
  • Aleris Sjukvård AB: €1,5 million (SEK 15,000,000)
  • Aleris Närsjukvård AB; €1,2 million (SEK 12,000,000)

The Swedish DPA fined medical companies Capio St. Göran, Aleris Sjukvård AB and Aleris Närsjukvård AB for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.

Takeaway

  • Access management is must have in any IT system holding personal data; access to data has to be granted based on what is required for work and principle of minimum access.

Decision: https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-capio-st-gorans-sjukhus-di-2019-3846.pdf

5) Poland: Virgin Mobile Polska fined for not having regular testing of technical measures

Fine: €460,000 (PLN 1.9 million)

Polish DPA stated that the company infringed the principles of data confidentiality and accountability by not carrying out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. The vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.

Takeaways

  • Data security is permanent, continuous process, not a one-off activity.
  • All data transfers between applications must be secured and properly tested.

More information: https://edpb.europa.eu/news/national-news/2021/polish-dpa-virgin-mobile-polska-incidental-safeguards-review-not-regular_en

6) Ireland: DPC fines Twitter €450,000 for breach notification and documentation failures

Fine: €450,000

Twitter was fined for not timely informing DPA about data breach that resulted from a bug in their software that “protected” tweets public without user’s knowledge. A third-party security company discovered the bug and informed Twitter.

The DPA found that twitter did not comply with its obligations to notify a personal data breach within 72 hours of becoming aware of it. It also found that Twitter had breached its obligations to document personal data breaches.

Takeaways

  • The data controller is considered to be aware of data breach at the moment it or its data processors determine that incident might have GDPR implications.
  • Data controller must ensure that its data processors inform about potential data breaches in timely manner.
  • All data breaches (including non-reportable ones) must be properly documented.

Decision: https://edpb.europa.eu/sites/edpb/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf

7) Poland: UODO fines ID Finance Poland PLN 1M for inadequate technical and organisational security measures

Fine: €250,000 (PLN 1 million)

ID Finance (owner of a lending platform MoneyMan.pl) failed to implement adequate technical and organisational measures to ensure the security of data. The company had not responded to indications about security gaps and that an unauthorised person had subsequently copied and deleted the data in the company’s server also demanding a ransom. The breach had taken place following a failed attempt to restore appropriate security configuration and that the controller, despite being notified about the vulnerability from cybersecurity specialists, failed to exercise due diligence with respect to its security systems and its processor.

This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on his server was unsecured.

In calculating the fine, Polish DPA took into consideration, among others, the scale of the breach and the controller’s delay in taking appropriate remedial action.

Takeaways

  • The controller must be able to detect, address, and notify data breach – this is a critical element of technical and organizational measures.
  • Any indications or information about possible technical issues must be taken seriously, investigated and addressed in timely manner.
  • Delay in response of service provider is not an excuse for data controller.
  • The way controller reacts to incident is taken into account by DPA when deciding on fine.

More info: https://edpb.europa.eu/news/national-news/2021/polish-dpa-id-finance-poland-checking-potential-system-vulnerabilities_en

8) Czech Republic: UOOU fines 11 organisations CZK 3.1M for unsolicited postal marketing

Fine: €119,000 (CZK 3.1 million)

Czech DPA fined 11 organisations for sending unsolicited postal marketing messages to citizens’ mailboxes. DPA stated that the possibility of sending postal messages free of charge until the end of the Coronavirus pandemic emergency period was abused for the purpose of sending marketing messages. DPA highlighted that the organisations processed data subjects’ personal addresses without a valid legal basis. Moreover, the organisations did not provide data subjects information on the commercial use of their data at the time of the first communication.

Takeaways

  • Availability to process data does not mean legality of processing – all requirements must be met, including: legitimate purpose, legal basis, proper information to data subjects etc.

Press release: https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=47199

9) Romania: ANSPDCP fines Banca Transilvania RON 487,380 for inadequate security measures

Fine: €100,000 (RON 487,380)

Romanian DPA fine Banca Transilvania SA for inadequate security measures that led to the breach of confidentiality and failure to secure data. Investigating a complaint DPA found that a listed document containing a client’s statement, as well as an email containing the internal conversation between the company’s employees was posted on Facebook and a website.

Takeaways

  • Company is responsible how its employees process personal data.
  • Sufficient security measures must be put in place to safeguard data from misuse and illegal disclosure.

Decision: https://www.dataprotection.ro/?page=Comunicat_17_12_2020&lang=ro

10) Spain: AEPD fines Vodafone €90,000 for GDPR accuracy and security violations

Fine: €90,000

Due to an error in system, clients of Vodafone España were shown data of other customers. The Spanish data protection authority (AEDP) fined Vodafone España for violations of the data accuracy principle, and the integrity and confidentiality of personal data.

Takeaways

  • Data security and proper access management is important part of any IT system, as failure may lead to data breach.

AEPD decision: https://www.dataguidance.com/sites/default/files/ps-00415-2020.pdf

Conclusions

What we can se is that million euro fines for GDPR breaches are becoming a norm. At the same time it is still not clear how those fines are calculated as they seem to be scattered “all over the spectrum” even when it comes to large companies. Nevertheless, fines are for breaches of basic principles.

Lawfulness.

Processing of personal data has to be necessary and proportional. Just because you can collect data does not mean you should. Further, if you relay on consent as legal basis for processing of data, ensure it is lawful and fits all GDPR requirements. Otherwise look for different legal basis. Still, also legitimate interests as legal basis needs careful justification.

Transparency.

Be open about how you process data. Make this information easy to obtain and understand. This task, however, may not be so easy to achieve – especially if processing is very complex.

Security.

Companies gave to implement appropriate organisational and technical security measures. While it is open for discussion what that means exactly, there are some basic requirements:

  • Take data security seriously. If something can go wrong, chances are – it will. If somebody points at weaknesses – better check it twice.
  • Access management – ensure data is accessed only by authorised personnel and only on a “need-to” basis.
  • Implement tools and processes that allow detection of data breaches. Your data processors and employees is your problem. Ensure your agreements have proper clauses and instructions are followed.
  • Regularly test and review your security measures – it is recurring not “done and forget” process.
  • Document all your activities – what you have implemented and how you tested it.

1 Cybersecurity Tips for Device Protection

An antivirus is a tool that performs frequent checks on your device to rid your system of viruses, malware, and spyware. It is considered a tool that every cyber security-aware user should possess. However, considering the ever-evolving digital threats we face everyday, this cannot be the sole security software you have on your devices.



Continue reading »

1 How Cyber Security Experts Are Staying One Step Ahead

Cybersecurity threads are moving and evolving at a rapid pace and they are a lot more sophisticated than they were a couple of years ago. Cybercriminals even use techniques developed by government intelligence agencies. Everyone who lands on a malicious website can get infected.

“The explosion in mobile device use and mobile networking has exponentially increased the number of security threats [that] individuals face on a daily basis,” said Joe Ferrara, president and CEO of Wombat Security Technologies, a security-training firm based in Pittsburgh.

Your smartphone’s sensitive personal information can be broadcast over public airwaves.

Technology experts recommend to keep learning and explore new approaches to protect your network and to to stay ahead of the game.

In this article, I?ll talk about what cyber security experts are doing to stay one stead ahead.

Continue reading »

Commission launches consultation on ENISA

European Commission has launched public consultation on the evaluation and review of the European Union Agency for Network and Information Security (ENISA, whose current mandate will come to an end in 2020).?ENISA is the Agency of the European Union tasked with contributing to the enhancement of the overall level of cybersecurity of the EU and its Member States.

The European Commission?wants all interested stakeholders to share their views on ENISA’s past performances, as well as on a possible revision of its mandate in view of new challenges the EU faces in the cybersecurity field.

The consultation is open until 12 April 2017.

More information

Irish Data Protection Commissioner to examine Yahoo

Ireland’s Data Protection Commissioner is?stepping up its examination of the Yahoo Inc. data breach and is awaiting information from Yahoo regarding?allegations on?scanning of users’ emails for?US government.

In September Yahoo confessed that in 2014 hackers had stolen the data of?500 million users.?But just month later Yahoo was accused in using?software checking?millions of emails for specific information related to national security.

Read more: Irish data regulator steps up Yahoo hack probe, waits on email scanning

UK government breached personal data security 9,000 times in a year, watchdog reveals

UK’s National Audit Office (NAO) has found that government has breached personal data security nearly 9,000 times in a year. Most of breaches – about 6,000 – are on HMRC.

NAO found that 17 largest departments recorded 8,995 data breaches in years 2014-2015, but reported to the Information Commissioner (ICO) only 14 incidents. Although not all incidents shall be reported to ICO, NAO observed that lack of detail in the self-reporting data means it is not possible to determine how significant any of unreported breaches was.

Full story

The Shadow Brokers publish NSA spy tools

A hackers group that calls itself the Shadow Brokers recently published on web and made accessible to everyone sophisticated hacking and surveillance tools. They claim that those tools come come from breach of NSA.

Released hacking tools exploit vulnerabilities in software that the vendor doesn?t know about (so called “zero day vulnerabilities”) and thus haven’t fixed – making everyone using this software a potential target. Published tools revel that United States government has been hacking for decades without big attention.

Full story

>