When being hacked is doubly expensive: in which cases a cyberattack can end in a fine from the Data Protection Agency
Two weeks ago the Spanish Data Protection Agency (AEPD) fined Air Europa 600,000 euros for a cyberattack it suffered in 2018 in which personal and banking information of its clients was stolen. And it got off cheaply, because in 2020 the British authorities sanctioned Marriott Hotels with 20.5 million euros and British Airways with 22 million euros for the same reasons.
The cases in which a company can be sanctioned under the Organic Law on Data Protection (LOPD) after suffering a cyberattack are not common, but they do occur. The AEPD explains to Xataka that of the total notifications it receives from companies about attacks that have compromised personal data of any kind, only 10% are investigated with a view to initiating a sanctioning procedure, and the percentage of those that ends in a fine is even lower.
There are only two cases in which a cyberattack can end in a fine: the company that suffered it does not report it within the period established by the regulation (at most 72 hours from when it became aware of it), or the company has not taken the appropriate measures, according to the agency's criteria, to prevent the theft of the personal data hosted on its servers.
“The agency asks you to tell it what happened and how you are stopping the attack, and then that information is extended as more data becomes available,” explains Johanna Álvarez, legal manager of the cybersecurity company Audea.
The intention of the authorities, therefore, is to know which data may have been compromised and what scope the cyberattack may have for those affected, and to ensure that the organization has done everything possible to prevent the theft or leakage of that personal information. If it concludes that the company has not done what the regulation requires, it will initiate a sanctioning process.
The case of Air Europa
The case of Air Europa is paradigmatic because it failed on both of the grounds on which it could be sanctioned: it reported the attack 41 days after it occurred, for which it was fined 100,000 euros, and its cybersecurity measures were not adequate to defend its servers, so, according to the AEPD's criteria, it did not do everything possible to protect its clients' personal data, which cost it a fine of 500,000 euros.
Delay in reporting a cyberattack is the most common reason why the Spanish Data Protection Agency sanctions a company, according to the experts consulted by Engadget. Lack of knowledge about how to proceed in these cases, or the absence of a pre-established protocol for handling this critical situation should it occur, is often behind these delays.
“The company must establish who will act and what actions will be taken in the event of a security breach. When it happens, the data controller must implement the action plan, specifying the tasks that allow it to resolve the breach and collect all the information about it,” they explain from the AEPD.
To make this notification, the agency provides the Communicate-Gap GDPR tool on its website, through which any organization or person responsible for the processing of personal data can report a security breach in its systems that affects personal data.
For this notification, the person in charge at the company must gather information about how the breach occurred (loss or theft of a device, ransomware attack, phishing, etc.), whether its origin was internal or external, whether it was accidental or due to an intentional attack, the volume of data affected, the category of that data (basic data such as contact information, or special categories such as health-related information), the category of people affected (clients, employees, patients, students, etc.) and the timeline of the breach: when it started, when it was detected and when it was resolved or is planned to be resolved.
However, it is not mandatory to notify the AEPD of every security breach, only those that pose a risk to the rights and freedoms of natural persons due to the leakage or theft of their data. The person the company has put in charge of the organization's data processing is the one who should assess whether or not to inform the agency in these cases.
The right measures
On the other hand, if an organization has suffered a cyberattack in which personal data of any kind has been compromised and the Spanish Data Protection Agency opens an investigation, those responsible for the entity must be able to demonstrate that they took the appropriate preventive measures to avoid the breach.
“The agency asks that preventive security measures be implemented, and that you have a way of accrediting them with periodic audit reports, compliance with security measures, annual risk analysis, etc.,” explains Álvarez.
These documents can be supplemented with other evidence showing that the level of protection was adequate: that the company had never received an attack of this nature, that it was a targeted attack, or that it compromised many companies in the sector, which would show that it was something for which no one was prepared.
Another way to prove that the company has taken preventive measures is to show that it has provided free training in cybersecurity and personal data processing for its employees at least once a year, which can help prevent attacks by cybercriminals through avenues such as phishing.
Finally, Áudea's legal manager highlights that it is also relevant that employees know what to do in the event of a cyberattack: “It is important to have a very well implemented procedure in the company, so that everyone knows what steps to take if something like this happens, because time is short.”
Mapfre was not sanctioned
Mapfre is one example showing that not every company that suffers and reports a cyberattack is sanctioned. In August 2020, the insurer was attacked by cybercriminals and the personal data of its clients could have been compromised. Nevertheless, the company had prevention measures in place that minimized the impact of the breach, which led the AEPD to close the investigation without sanctioning it.
“As detailed in the resolution of the procedure, the company acted in accordance with its protocols and business continuity plans established prior to the attack, which allowed it to reduce the consequences and prevent the spread of the malware, and finally to identify it, isolate it and eliminate it. It also reported the cyberattack to INCIBE (National Cybersecurity Institute) and to CCN-CERT (National Cryptologic Center) and published information about it on its website,” Juan Carlos Fernández, a lawyer specialized in privacy and new technologies at the firm Tecnogados, explains to Xataka.
The aforementioned resolution states that “the investigated entity had reasonable security measures based on the possible estimated risks”, that “the impact has been almost nil, since the exfiltration attempts were detected and avoided, which together with the speed in making the cyberattack public allowed the clients to act efficiently” and that “it is established that it had reasonable technical and organizational measures to avoid this type of incident, which has allowed the rapid identification, analysis and classification of the personal data security breach”.
For all of the above, the AEPD resolved that Mapfre had been “diligent and proportionate to the regulations” in protecting the personal data it handled in its systems.
Image 1 | Christiaan Colen