In a recent decision, NAIH, Hungary’s Authority for Data Protection and Freedom of Information, imposed a fine of HUF 2,000,000 (approx. EUR 6,700) on an IT service provider for failing to implement adequate data security measures. The case is also important for other companies because NAIH provided specific recommendations on how to comply in practice with the general requirements on the security of data processing. Considering the findings of NAIH, companies should revise not only their data security measures (in particular to ensure adequate access levels, data sharing, data minimization and encryption) but also the wording of their relevant internal rules and data processing agreements.

Background  

NAIH received a notification that clicking on a public link gave access to an unprotected, compressed database containing approximately 905,362 pieces of healthcare-related data. The data included the healthcare service given, its date, the date of birth, nationality and, in addition to other data, the BNO code (the international coding system of diseases) of the main diagnosis, linked to social security numbers. The owner of the database sold software to hospitals and provided IT maintenance services.

Applicable law  

The Hungarian Data Protection Act has implemented the provisions of Section VIII of Directive 95/46/EC (Confidentiality and Security of Processing). Personal data must be protected against unauthorized access, alteration, transfer, disclosure by transfer or deletion as well as damage and accidental destruction. Data must be protected against becoming inaccessible due to ‘changes in the technology applied’. In order to protect data processed in various databases it must be ensured with adequate technical devices that the data stored in databases cannot, unless permitted by law, directly be linked to each other and traced back to the relevant persons. Additional security measures and safeguards are specified for automated personal data processing. However, the Hungarian Data Protection Act does not specify any particular way to perform the above general obligations (e.g. to use a specific technique).  

Remarks on data security measures

In its decision, NAIH provided the following remarks on the data security measures applied by the company:

  • Access levels. The company only operated a single administrator access level system, which was used by multiple individuals, and numerous employees had total access. Therefore, it was not possible to identify who uploaded the file containing the sensitive data onto the server. NAIH emphasized that access to data within a system, as well as the execution of important tasks within the system (e.g. copying, downloading, deleting) should be connected to appropriate and personalised access levels.
  • Specific internal rules and data processing agreements. NAIH also criticised that the company did not have a set of specific internal rules, back-up policies, access level handling and competency matrixes that would have prevented or limited the scope of such a data protection breach. Support services were not sufficiently monitored, and the service contracts did not address the responsibilities regarding data processing tasks.
  • Encryption. According to NAIH, the effects of the data breach would have been limited if the data had been encrypted. The compressed file should have been protected with a password of appropriate strength.
  • Data minimization. NAIH noted that software services are unlikely to require the processing of real social security numbers, and such services should not have been carried out using a database file containing live data. The personal data in the database should have been made anonymous in the appropriate way at the beginning, or the data should have been deprived of their personal nature.
  • Data sharing techniques. Search engine crawlers should also have been prohibited from indexing the contents of the webpage. The best solution, in terms of access levels and tracking, would have been sharing the database on a dedicated FTP server.
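
An illustration of the data minimization remark above, added here and not taken from the NAIH decision or the company's systems: before a database is handed over for software maintenance, the social security number is replaced by a keyed pseudonym and the birth date is reduced to a year. Field names, sample rows and the nine-digit identifier format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows using the field types the article lists; not real data.
LIVE_ROWS = [
    {"ssn": "123456788", "birth_date": "1975-03-14", "nationality": "HU",
     "service": "outpatient visit", "service_date": "2015-02-10", "bno": "I10"},
    {"ssn": "123456788", "birth_date": "1975-03-14", "nationality": "HU",
     "service": "lab test", "service_date": "2015-03-02", "bno": "E11"},
    {"ssn": "987654321", "birth_date": "1990-11-30", "nationality": "HU",
     "service": "outpatient visit", "service_date": "2015-02-11", "bno": "J45"},
]


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed one-way reference for one identifier.

    A plain hash is not enough: fixed-format numeric identifiers have so few
    possible values that every hash can be recomputed and matched. HMAC with
    a secret key removes that option for anyone who lacks the key.
    """
    return hmac.new(key, ssn.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def minimise(row: dict, key: bytes) -> dict:
    """Return a copy without the SSN and with the birth date generalised."""
    return {
        "patient_ref": pseudonym(row["ssn"], key),  # keeps rows linkable
        "birth_year": row["birth_date"][:4],        # year only
        "nationality": row["nationality"],
        "service": row["service"],
        "service_date": row["service_date"],
        "bno": row["bno"],
    }


def build_extract(rows, key=None):
    """Pseudonymise every row; the key stays with the data controller."""
    key = key or secrets.token_bytes(32)
    return [minimise(r, key) for r in rows]


if __name__ == "__main__":
    for out in build_extract(LIVE_ROWS):
        print(out)
```

The output is pseudonymised, not anonymous: whoever holds the key can recompute the references, and the remaining fields can still single out a person in a small population.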

When determining the fine, NAIH considered the large number of those affected (90,000 natural persons), and that the breach made sensitive data irreversibly public. The security level of the company’s IT system could not be appraised, given that access to the relevant data was not regulated, the data was stored publicly, and identification was only required to upload via FTP, not to download through the HTTP protocol.

Laws:  

Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information (Hungarian Data Protection Act)

NAIH’s decision in the relevant case: NAIH/2015/2765/H.