In this article we would like to take a look at the most interesting cases of breaches that happened in Poland in the past two years. This perspective will, on the one hand, illustrate the Polish Data Protection Authority's (PDPA) approach to data protection breaches and, on the other hand, reflect the latter's sanctioning approach.
GDPR requires controllers to report certain personal data breaches to data protection authority, as well as in some cases to the data subjects (e.g. customers). Of course, failure to notify may lead to significant fine.
CYFROWY POLSAT
It turns out that the issue of losing postal packages is a problem that may have huge consequences not only for consumers, but also for entrepreneurs. The fine at hand concerns an interesting case of controller's liability for data protection violations committed directly by the data processor (entity providing courier services). The PDPA decided to impose a fine of EUR 250,000 on Cyfrowy Polsat (one of the private TV broadcasters) for failing to implement appropriate technical and organisational measures when cooperating with the courier company, which led to numerous breaches of personal data protection.
How did these breaches occur? In the course of the cooperation between the Cyfrowy Polsat and the courier company, the same risky scenario was repeated. Couriers notoriously lost packages sent by the company, often containing detailed personal data. Then, only after long months, the courier company notified Cyfrowy Polsat about the loss, allowing it to notify the data subject (and the PDPA) of the data protection breach. The routine lasted for a considerable time and nothing changed in the cooperation of both companies, despite the repeating mistakes.
The PDPA initiated proceedings and assessed that the controller should have taken effective actions in case of repeated infringements. These actions would have minimised the scale of the breaches and would allow for quicker identification of such incidents (and thus notification of the affected persons and the supervisory authority). According to the PDPA, despite the fact that violations were related to irregularities on the part of the courier company, it was the data controller that incorrectly implemented supervision over the enforcement of contractual provisions. This lack of supervision resulted in late identification of violations. The solutions introduced by the controller, including e.g. solutions allowing to track shipments, which enabled faster identification and reporting of loss of correspondence with personal data, were implemented too late. It follows that it is important to react early and holistically to the processors issues, because in the end, the controller is the one who will usually be fined.
TUiR WARTA
The next case, which ended with a fine of EUR 20,000, is equally interesting, because here too the controller - which is a large insurance company - was held liable in an unusual way. The PDPA was one day informed of a data protection breach. The information came from unauthorised addressee who received the email which contained insurance policy document. It turned out that insurance agent (who was the processor of the sanctioned company) sent the email and the policy (embedded in a file that was not secured in any way) was simply sent to the wrong person. But what was exceptional in this case? Well, the message was sent to the e-mail address that the customer indicated himself! The company reacted and asked the unauthorised recipient to permanently delete the message with a request for confirmation that the message had been deleted.
The PDPA considered that the fact that the breach occurred as a result of the customer error who had provided an incorrect email address, as well as the fact that the unauthorized recipient informed the company about the email (which the company interpreted as awareness of the laws and the importance of the information the person received) - could not affect the classification of the incident as involving a low probability of adverse effects for data subject, as the company assumed.
According to the PDPA, the risk should have been assessed as high (after all, the breach occurred and the addressee was an unknown unauthorised person), and the matter should have been reported to the PDPA and communicated to the data subject. Not only did the PDPA learn about the case from an unauthorised addressee, but the notification of the case to the data subject took place only after the administrative proceedings had been initiated (5 months from the occurrence of the breach).
The controller allowing for the possibility to use e-mail for communication with the customer should be aware of the risks related to e.g. incorrect provision of the e-mail address by the customer. Therefore, in order to minimise these risks, the controller should introduce appropriate organisational and technical measures, e.g. verification of the provided address, or encryption of the sent documents. According to the PDPA, the controller couldn't be sure that an unauthorised addressee had complied with the company's request and that he hadn't, for example, made photocopies of documents or recorded them.
Entrepreneurs, beware of mistakes, not only your own, but also those of your clients.
ID FINANCE POLAND
One day, the company running an online loan platform received a message in which a stranger informed it that the data of its customers was available on one of its servers (the server was hosted by a processor). Strictly and quite dramatically speaking, the data of 140 699 people who had registered to the loan platform, including details such as bank account numbers, account passwords and mobile phone numbers. The company, to put it mildly, did not react too abruptly (which later ended up costing it EUR 250,000 due to the fine). Its reaction was slow, which did not end well. Few days after the company received the notification, an unknown person copied all the data and then deleted it from the server. For the return of the stolen information, the person demanded a ransom. Only then the company initiated a security analysis of its servers and reported the data breach to the PDPA.
As it turned out, the breach (public availability of the stored data) occurred when the proper security configuration was not restored after restarting one of the servers operated by the processor. The person who alerted the controller was a specialist in cybersecurity (whose message, according to the PDPA's assessment conducted during the investigation, was very credible). In PDPA's opinion, the controller did not reliably investigate the notification, nor did it start properly monitoring the processor. The reason was that the company had doubts whether the message from the specialist wasn't a data phishing attempt. Unfortunately, the vulnerabilities identified in the system were not immediately addressed, and a few days later data were stolen from the server.
The PDPA alleged that the breach would not have occurred if the controller had reacted appropriately to information that data on its server were unsecured. The company should maintain the ability to quickly and effectively identify the occurrence of any breach in order to have the ability to take appropriate action. The PDPA also held that a processor's failure to respond quickly enough did not exclude the controller's liability for a data protection breach.
MORELE.NET
The last case concerns one of the biggest Polish e-commerce platforms – Morele.net (and other e-commerce platform which belonged to the group of companies). Databases containing information on more than 2,200,000 individuals were stolen from the company. The breach was therefore massive in its impact (unknown criminals have used the data for numerous attacks). The majority of the data included: name, phone number, e-mail, delivery address, but sometimes the data was much more detailed (e.g. data concerning identity cards). The PDPA found that the company, by failing to use sufficient technical data protection measures, breached, inter alia, the principle of confidentiality. As a result, unauthorised access to and collection of customer data occurred. The unauthorised access event was facilitated inter alia by an ineffective means of authentication and ineffective monitoring of potential risks. Despite the application of the solution which consisted the monitoring of network traffic and the adopted technical security measures, the controller was not able to react to an atypical event in the monitoring system consisting in increased data transmission. In the PDPA's view, the measures adopted by Morele.net could be effective if they were properly adapted and a procedure was in place to respond to adverse events such as abnormal network traffic. The investigation revealed various failings, but as stated by the PDPA, it was the lack of appropriate technical (insufficient safeguards) and organisational measures (concerning the monitoring of potential threats, related to atypical online behaviour) that determined the EUR 660 000 fine, which to date remains the highest that the PDPA has imposed.
SUMMARY
Breaches are happening and will continue to happen. The key from the controllers' perspective is to apply appropriate safeguards and have procedures in place, as well as to react quickly and effectively enough if there is even a suspicion of a breach. Appropriate selection and supervision of processors is also critical. In the absence of these, the relevant supervisory authority may respond with the powerful mean of an administrative fine.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.