Cyber Security & Litigation: practical tips on how to avoid a data breach and how to handle it - Part 1: Prevention is better than cure

Introduction

By radically changing our working habits, the new coronavirus heightened existing protection needs to a whole new level of urgency.

In the age of social distancing, many companies suddenly reorganized their resources to allow their employees to work remotely. From one day to the next, thousands of employees worldwide switched to working from home and thus began to access and transmit sensitive information about their companies, as well as clients’ personal information and confidential data, through their home networks.

The exchange of this information on vulnerable networks increases the risk of data breaches due to hacker attacks.

This vulnerability involves private and public entities of different sizes. For instance, just one month ago the low-cost airline easyJet disclosed that it was the victim of a hacker attack involving the email addresses and travel data of nine million customers, as well as credit card data of 2,298 of them.

Similarly, several public bodies, such as the Italian National Social Security Institute (INPS) and Italian hospitals, suffered hacker attacks that have put the health data of dozens and dozens of citizens at risk.

Several institutions warned of the risk of hacker attacks related to remote working. For example, in a communiqué released on March 27, EUROPOL stated, “The number of cyberattacks against organizations and individuals is significant and is expected to increase. Criminals have used the COVID-19 crisis to carry out social engineering attacks themed around the pandemic to distribute various malware packages. Cybercriminals are also likely to seek to exploit an increasing number of attack vectors as a greater number of employers institute telework and allow connections to their organizations’ systems.”[1]

Against this backdrop, the adoption of measures to reduce the risk of hacker attacks and the awareness of the consequent threats and of tools to protect the company become crucial to prevent and, when unavoidable, to handle such sensitive situations.

But where to start? What are the legal and technical prevention measures to be taken? What to do if these measures fail? Starting this week, we will try to answer these and other questions by providing some practical tips. Let’s start with the first one.

Tip 1: Have an action plan

Over recent months there has been a significant increase in the number of employees working from home, due to the lockdown of economic activity in almost every country. Those who can work from home have been doing it while trying to reconcile work/life balance in very difficult times affecting the whole world. There is currently an ongoing debate about whether this will continue to be a trend in the coming months and whether more and more companies will allow employees to work from home even once the pandemic is over.

This trend is further highlighting the importance of ensuring the highest level of security in the implementation and maintenance of technology tools used by organizations to make working remotely possible, especially in relation to the protection of personal data and, more generally, the data assets of organizations. The issue was addressed by the European Union Agency for Cyber Security (ENISA) in its “Tips for Cybersecurity When Working from Home,” dated March 24, 2020.

The importance of cybersecurity for organizations is confirmed by the increase in data breach notifications received by the Italian Data Protection Authority (the “Garante”). According to the Garante’s 2018 Annual Report, it received 650 data breach notifications in 2018 (630 of those in the second half of 2018, after the General Data Protection Regulation was fully applied in the EU and Italy). This number increased to 1,443 in the Garante’s 2019 Annual Report, which was just published.

The most common violations reported to the Garante are as follows:

– Hacking attacks aimed at gathering credentials, payment systems, contact details;

– Unauthorized access to email boxes;

– Loss or unavailability of personal data due to malware (ransomware, in the majority of cases);

– Loss of devices or paper documents containing personal data;

– Accidental communication or disclosure of personal data.

That’s not all. The latest enforcement actions taken by the Garante show that the authority is increasingly focusing on the internal procedures implemented by organizations to avoid data breaches.

In January 2020, the Garante sanctioned TIM (a leading telecommunications operator in Italy) in the amount of Euro 27 million for several violations of the GDPR. Among other items, the Garante challenged TIM’s late reporting of data breaches to the authority and also its incorrect management of data breaches, consisting of unrequested assignment of a phone line to an individual or incorrect association of a line with the contact details of a data subject. In the specific cases in question, the Garante ascertained that TIM erroneously sent invoices to data subjects who were not the owners of the related phone lines.

During the same period, the Garante charged an Italian hospital with lacking procedures designed to keep hospital employees from having unauthorized access to patient health documentation. It is interesting to note that the defense of the hospital focused on the fact that certain employees engaged in unauthorized access not for the purpose of causing harm to the data subjects or putting them at risk, but just for the sake of “curiosity.” This argument has been turned against the hospital as, according to the Garante, procedures should have been implemented to avoid allowing employees access to the personal files of patients just to satisfy their curiosity.

Finally, one of the most important data breaches recently occurred at the National Social Security Institute (INPS). Specifically, in accordance with legal provisions adopted during the Covid-19 pandemic, INPS was required to manage online the requests from private employees for the social subsidy implemented by the national government as support during the lockdown. Once the platform was launched, a serious data breach occurred: a significant number of people were able to access the online profiles of other people, and INPS was forced to shut the website down for the time needed to fix these technical issues. INPS promptly reported the breach to the Garante, arguing that the “casual” occurrence of the breach and the fact that it was limited to a short period of time did not imply high risk for the data subjects involved, and that this justified its decision not to inform data subjects of the breach. The Garante did not share this position and issued a prescriptive provision ordering INPS to notify data subjects about the breach: according to the Garante, the breach did indeed raise high risks for data subjects (such as, among other things, discomfort, loss of control over their personal information, intrusiveness, limitation of their rights, risk of phishing, and more).

Based on the above decisions, it seems clear that data privacy management is a crucial part of corporate governance and that relevant noncompliance can lead to high sanctions for organizations.

Indeed, application of the GDPR obligates organizations to implement procedure(s) governing personal data management in practice (and not only on paper). The main purposes of the enforcement actions taken by the Garante are to ensure the lawful processing of personal data, ensure the effective exercise of the relevant data subjects’ rights, and mitigate (or avoid) potential data breaches.

In this regard, data controllers and processors should implement a security incident management policy for managing security incidents, including data breaches. In a nutshell, a security incident management policy and personal data breach management procedures must provide for (i) creation of a security incident response team, with members who have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach; (ii) implementation of organizational, physical, and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and ensure timely discovery of any security incident; (iii) implementation of an incident response procedure intended to contain a security incident or personal data breach and restore the integrity of the information and communications system involved; (iv) mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and (v) compliance with GDPR provisions and Garante guidelines, in particular as related to personal data breach notification.

In addition, a thorough evaluation must be conducted of risks connected to processing personal data, and not merely in relation to risky personal data processing (for which a specific data protection impact assessment is required, pursuant to the GDPR).

In light of this, organizations should implement their privacy management structures in an effective, efficient, and sustainable way. To do so, the structure model should integrate various information security governance frameworks with dedicated data privacy management systems in order to comply with GDPR provisions as well as Garante (or other relevant Data Protection Authority) guidelines. In this way, data privacy becomes part of all strategic, tactical, and operational business processes, thus fostering appropriate corporate governance, legal compliance, and effective data protection.

[1] https://www.europol.europa.eu/newsroom/news/how-criminals-profit-covid-19-pandemic
