Security: lessons from GDPR fines

by GDPR Associates | 28th June 2019 6:05 pm

Post-GDPR, cyber and data security[1] remain a major practical concern (alongside data subject rights, among other issues), and security compliance failures remain the most common route to a regulatory fine (alongside marketing rules violations, among other compliance failures). About 31% of national/local enforcement actions initiated were based on controller data breach notification, according to a 26 Feb 2019 report[2] by the European Data Protection Board (EDPB). This blog summarises key practical lessons from selected regulatory fines imposed to date under the GDPR for security issues.

We have a wealth of regulatory enforcement action decisions pre-GDPR, but enforcement post-GDPR remains relatively scarce and we have not yet seen any mega fines apart from the CNIL’s €50m fine[3] against Google in France (not security-related). Nevertheless, several EU regulators have already taken enforcement action under the GDPR for security failures.

Most such enforcement cites Art.32 (security measures: applies to both controllers and processors), Art.5(1)(f) (integrity and confidentiality: a core principle for controllers, subject to the higher-tier 4%/€20m fine), or both. As is well known[4], not notifying personal data breaches (PDBs) when required can be fined as a separate breach, and we have now seen cases of enforcement action for notification failures, as well as a processor being fined for security failures.

Fines relating to security obligations under GDPR

This blog draws on the following fining decisions, some of which also included supervisory authority (SA) orders to rectify the issues concerned:

Main points

Lessons

Many of the learnings are not new points and probably involve common sense measures, particularly to those working in security, but these fines underline their importance. Fines are often imposed, not for breaches, but for security failings discovered by the regulator upon investigating breaches.

The key general lessons, from our experience of assisting clients with security incidents as well as the above, are: prepare, prepare, prepare – and test, test, test!

This article was originally posted here: https://privacylawblog.fieldfisher.com/2019/security-lessons-from-gdpr-fines[28]

Endnotes:
  1. data security: https://www.fieldfisher.com/expertise/cyber-security
  2. report: https://edpb.europa.eu/our-work-tools/our-documents/other/edpb-libe-report-implementation-gdpr_en
  3. €50m fine: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
  4. well known: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052
  5. fined: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038552658
  6. was: https://edpb.europa.eu/news/national-news/2018/baden-wuerttemberg-supervisory-authority-issues-first-german-gdpr-fine_en
  7. fined: https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-sein-erstes-bussgeld-in-deutschland-nach-der-ds-gvo/
  8. fined: https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf
  9. ordered: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9069072
  10. a: https://edpb.europa.eu/news/national-news/2019/italian-garante-e-invoices-no-database-be-set-italys-revenue-agency-no-e_en
  11. was: https://edpb.europa.eu/news/national-news/2019/first-significant-fine-was-imposed-breaches-general-data-protection_en
  12. fined: https://www.ada.lt/go.php/lit/Imones-atsakomybes-neisvengs--lietuvoje-skirta-zenkli-bauda-uz-bendrojo-duomenu-apsaugos-reglamento-pazeidimus-/1
  13. reportedly: https://globaldatareview.com/article/1193053/lithuanian-watchdog-issues-first-gdpr-fine
  14. was: https://edpb.europa.eu/news/national-news/2019/idpc-lands-authority-personal-data-breach_en
  15. fined: https://idpc.org.mt/en/Press/Pages/Lands-Authority-Personal-Data-Breach.aspx
  16. including: https://timesofmalta.com/articles/view/massive-lands-authority-security-flaw-dumps-personal-data-online.694982
  17. fined: https://www.datatilsynet.no/en/about-privacy/reports-on-specific-subjects/administrative-fine-of-170.000--imposed-on-bergen-municipality/
  18. fined: https://uodo.gov.pl/decyzje/ZSPR.440.43.2019
  19. fined: https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/
  20. Reportedly: https://timesofmalta.com/articles/view/nobody-held-responsible-for-lands-authority-data-breach.702559
  21. fined: https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach
  22. also: https://www.straitstimes.com/singapore/ihis-sacks-2-employees-slaps-financial-penalty-on-ceo-over-lapses-in-singhealth-cyber
  23. 5Ps: https://www.linkedin.com/pulse/ncscs-5-cyber-ps-boardroom-dr-w-kuan-hon/
  24. Equifax: https://ico.org.uk/media/action-weve-taken/mpns/2259808/equifax-ltd-mpn-20180919.pdf
  25. argued: https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
  26. still don’t: https://newsroom.ibm.com/2019-04-11-IBM-Study-More-Than-Half-of-Organizations-with-Cybersecurity-Incident-Response-Plans-Fail-to-Test-Them
  27. fined: https://www.fca.org.uk/news/press-releases/fca-fines-tesco-bank-failures-2016-cyber-attack
  28. https://privacylawblog.fieldfisher.com/2019/security-lessons-from-gdpr-fines: https://privacylawblog.fieldfisher.com/2019/security-lessons-from-gdpr-fines

Source URL: https://www.gdpr.associates/security-lessons-from-gdpr-fines/