The close relationship between data protection and cyber security results from Art. 5 of the European Union’s (EU) General Data Protection Regulation (“GDPR”) which outlines one of the most important principles relating to processing of personal data: “integrity and confidentiality”.
More specifically, Art. 5(1)(f) of the GDPR stipulates that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
In 2020, an overall increase in fraudulent activities was documented in the ACFE’s “Fraud in the Wake of Covid-19: Benchmarking Report”.
Once an attack succeeds, the final fallback, security through obscurity, no longer holds. With all personal data mapped and accounted for under the GDPR, security changes from a consideration to a necessity.
One of the most frequent cyberattacks that we see in practice is phishing or email fraud, in which attackers gain access to an organization’s network by directly targeting the email accounts of a business and its clients. Phishing just edges out scanning for and exploiting vulnerabilities and the unauthorized use of credentials as the most common method of entry.
With the stolen data, attackers can impersonate the company in question, since they hold all the necessary information, and they can even issue fraudulent invoices, ostensibly from this company, to its business partners.
Legal obligation of an organization to report a breach
Organizations must report a personal data breach as a result of a cyberattack without undue delay and, where feasible, not later than 72 hours after having become aware of it, to the competent supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. In some cases, organizations must also notify individuals whose data was exposed without undue delay.
The company must conduct an impact assessment of the data breach and draw up a risk analysis in order to determine whether notifying the supervisory authority is necessary.
Even if the data breach is not reported, our recommendation for companies is to keep a register in which breaches are documented and evidence is collected. In the event of a check by the supervisory authority, the register allows the company to justify why it did not consider notification necessary.
In most cases, IT investigations cannot confirm with certainty whether personal data was stolen, but they likewise cannot exclude this possibility. When in doubt, the company in question must therefore presume that personal data was also stolen.
Companies must document any personal data breach, including the facts relating to the breach, its effects and the remedial action taken. The contact details of the data protection officer or of the main contact person dealing with the breach must also be provided. Failure to issue a breach notification can result in a fine of up to EUR 10 million or 2% of a company’s revenues.
Preventing a breach of a company’s network and systems requires protection against a variety of cyberattacks. The first line of defence for any organization is to assess and implement appropriate technical and organisational measures that ensure a level of security appropriate to the risk, such as data encryption, endpoint protection, daily backups, anti-malware solutions and properly configured firewalls.
Other effective ways to protect against cyberattacks and all types of data breaches include (i) providing employees with cyber awareness training; (ii) maintaining complete records; (iii) conducting risk assessments (such as a Data Protection Impact Assessment); and (iv) developing a cybersecurity policy.
By Oana Piticas, Senior Associate, Raluca Botea, Senior Associate, and Flavia Denisa Margas, Associate, Noerr