While the German government is still wrestling with the draft of the IT Security Act 2.0 and the adaptation of its rules on fines, the data protection authorities of the EU Member States have already created facts on the basis of the EU General Data Protection Regulation (“GDPR”). Many of the fines imposed since May 2018 were based on insufficient cyber security measures. What has happened?
Pursuant to Article 32 (1) GDPR the controller is obliged to take sufficient technical and organisational measures to ensure that the data processing carried out via the IT systems is secure. The measures required in a specific case are determined, among other things, by the state of the art, the implementation costs, the type, scope, circumstances and purposes of the data processing and the varying likelihood and severity of the risk to the rights and freedoms of the data subjects.
But what can companies learn so far from the various fine proceedings?
1. Marriott International
The UK’s data protection authority, the ICO, caused a stir in 2018 when it imposed a multi-million euro fine on the billion-dollar company Marriott International Inc. (“Marriott”).
The background to this was that Marriott had acquired the Starwood hotel chain in 2016 without reviewing that company’s cyber security measures. Starwood’s systems had already been attacked by hackers in 2014, enabling customer information to be extracted. This went unnoticed at the time of the acquisition, and it was not until 2018 that the data leak was discovered and reported to the ICO. By then, 339 million customer records had already been accessed. After originally setting the fine at GBP 99.2 million (~ EUR 115 million), the ICO reduced it to GBP 18.4 million (~ EUR 20.4 million) due to the good cooperation with Marriott.
The case shows that special attention must be paid to the cyber security structure of the company being acquired. If that company has not taken sufficient technical and organisational measures for data security, this must be identified and remedied immediately. Otherwise the buyer inherits cyber risks that can lead to considerable consequential damage for the company. Here, one should think not only of the potential threat of fines, but also of claims for damages by those affected, as well as the damage that can arise from the tapping of information (e.g. business secrets). Hackers could also exploit such a situation for blackmail attempts.
2. Access to health data
Cases have repeatedly come to light in which no sufficient measures were taken to restrict access to health data. Health data is a special category of personal data (Article 9 (1) GDPR), which is subject to a particularly high level of protection.
Since the GDPR came into force, data protection authorities have repeatedly imposed sanctions in this area. The first fine of this kind was imposed on a public hospital in Portugal, because healthcare staff had unrestricted access to patients’ health data, in some cases even through falsified profiles. The fine amounted to 400,000 Euros. Since then, such cases have repeatedly come to light, for example in the Netherlands and Norway. In Sweden in particular, five different fines were imposed on this basis. The highest of these was against Capio St. Göran Hospital, amounting to SEK 30 million (EUR 2.9 million).
The catalogue of obligations under Article 32 GDPR also includes protecting data from unauthorised internal access. This is especially true for “sensitive” data such as health data. The danger of data being accessed does not arise only externally through hacker attacks; it is also a real risk within the company itself, and this must be counteracted. The protective measures must also be adapted to the potential risk, which is particularly acute in the case of unauthorised processing of “sensitive” data.
3. 1&1 Telecom GmbH
The case of 1&1 Telecom GmbH (“1&1”) is likely to become particularly notorious, not only because a fine of EUR 9.55 million was initially imposed by the Federal Commissioner for Data Protection and Freedom of Information (“BfDI”), but also because it is the first case of a GDPR fine being decided by an ordinary court in Germany. The BfDI imposed the fine of EUR 9.55 million on 1&1 in 2019. The background to this was that, in the BfDI’s view, the authentication requirements in the 1&1 call centre were not sufficient. At the time, 1&1 only asked for the caller’s name and date of birth for authentication, which meant that the former partner of a customer who knew this data could obtain the customer’s telephone number and the unblocking date from 1&1. The Bonn Regional Court considered the imposition of a fine to be justified, but found the amount unreasonable. The fine was reduced to EUR 900,000.
However, the 1&1 case is not the first to deal with inadequate authentication measures. In the Netherlands, there was a similar case in which the Employee Insurance Agency (UWV) was likewise fined EUR 900,000 because the authentication process for its online portal was inadequate. This allowed workers’ data to be siphoned off. There was also the SERGIC case in France, in which sensitive data of prospective tenants could be accessed without prior authentication. The French data protection authority CNIL imposed a fine of EUR 400,000.
Companies are therefore called upon not only to choose an authentication procedure that minimises the likelihood of misuse, but also to develop and continuously improve it in line with the state of the art. The same applies to all other technical and organisational measures.
The examples illustrate that an adequate cyber security structure in the company is indispensable, not only for the protection of personal data, but also for the protection of business and trade secrets and of customers. A lack of cyber security is not only a data protection risk but also a compliance risk for the entire company, and one that grows with increasing digitalisation. Until now, cyber security has received only rudimentary attention from company management. The Marriott example in particular shows that cyber security must be taken into account in all business decisions, such as the purchase of a company, and recognised as a potential risk in order to prevent damage to the company.