At the occasion of this special day, the members of the Loyens & Loeff Privacy & Data Protection Team would like to highlight the importance of data security and encourage data controllers, data processors and data subjects alike to give some special attention to their personal data / the personal data they collect and process.
While the collection and use of personal data is in fact key to their business, companies often neglect the importance of personal data and adequate data security measures.The phrase “You don’t know what you’ve got ‘til it’s gone” therefore not only apply to loved ones, but also to personal data, and in particular to the loss hereof.
This Valentine’s Day, we encourage you to ask yourself the following questions: Does your company treat its business-critical data in an ‘affectionate’ manner? Are your databases adequately protected against accidental or unauthorised destruction, accidental loss, alteration or any other unauthorised processing of personal data? Do you make regular back-ups and frequently check whether data integrity has been maintained? Do you have procedures in please to (proactively and reactively) deal with data breaches?
At the occasion of this Valentine’s Day, Mr Montague, who truly loves his wife and wanted to show his everlasting love for her, ordered an enormous bouquet of red roses on the website of Flowers4U. While placing the online order, Mr Montague filled in his name, his telephone number, the name of his wife and the delivery address. Unfortunately, Flowers4U suffered a malicious hacking attack in the early morning of 14 February, and all information relating to the online orders was first mixed up and then made available online. The names of the persons who ordered flowers, the names of the persons to whom the flowers should have been delivered, and all delivery addresses had been disorganised and were available online in this altered order. This was of course a very unfortunate incident, especially as Flowers4U was unable to recover the correct information from its database in a timely manner. For Mrs Montague, however, ‘unfortunate’ is an understatement. Reading about the data breach incident in a newspaper article that only mentioned the unauthorised disclosure but not the alteration of the data, she truly believed that her husband had ordered flowers for another woman, Ms Capulet. Mr Montague tried to explain that there had been a mix-up, but to no avail. Confronted with a severe marital crisis, Mr Montague filed a claim for damages against Flowers4U.
Q: Which measures should Flowers4U have put in place in order to ensure the security of the data shared by its customers?
A: Belgian / EU data protection legislation requires all data controllers and data processors to protect personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data.
The measures taken should include “appropriate” technical and organisational measures, taking into account the state of the art in this field and the cost of implementing the measures on the one hand, and the nature of the data to be protected and the potential risks on the other hand. Under the GDPR, entering into force in May 2018, the scope, context and purposes of the data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, should also be taken into account.
In short, the “appropriate” data security measures to be taken will thus have to be assessed on a case-by-case basis and will vary according to each specific situation. Such measures typically include performance of a risk analysis, daily security management, continuous monitoring and updating of system security, drafting and implementing an information security policy (including preventive and reactive policies and procedures), internal awareness raising, logical and physical access protection, etc.
Q: Can Mr Montague hold Flowers4U liable for the data breach?
A: Yes, if it turns out that Flowers4U had not taken any “appropriate” security measures to protect its database against the hacking incident. Conversely, if Flowers4U is able to prove that it had taken “appropriate” security measures (taking into account that it was not processing any ‘sensitive’ personal data, that it only had limited financial resources, and that the hackers used very advanced techniques), it will not be liable under the Belgian Data Protection Act for the data breach as such.
Q: Should Flowers4U notify this data breach to the Belgian Privacy Commission?
A: Under Belgian law, there currently is no general obligation to notify the Privacy Commission of data breach incidents, although notification is recommended in all cases that involve a ‘risk’ for data subjects (NL / FR), and can be done by completing and submitting an online form. In fact, the Privacy Commission sees data breach notifications as an inherent part of the general security obligation of all data controllers / processors. That being said, there is no specific sanction or penalty (yet) for failure to notify a data breach, so – in practice – not many breaches are actually notified to the Privacy Commission.
Additionally, what is very important to note and remember, is that as from May 2018 (with the entry into effect of the GDPR), notification of data breaches will be required:
- To the Privacy Commission, unless they are “unlikely” to result in a “risk” for the individuals concerned; and/or
- To the individuals concerned, when they are “likely” to result in a “high risk” to their rights and freedoms.
Only very limited exceptions to this rule will apply.
* * *
Moral of the story:
Whether you are a “data controller” or a “data processor” collecting, processing and storing personal data, or an individual providing personal data to your employer or to a service provider, this Valentine’s Day, give some special attention to the security, confidentiality, integrity and protection of that personal data.