Technical IT deficiencies prior to ransomware attack result in GDPR fines

The Irish data protection supervisory authority was not previously known for its overly strict application of the GDPR requirements. In many cases, it has been surprisingly lenient, especially towards large tech companies based in Ireland. This makes the authority's latest decision, which involves a fine of half a million euros and could have an impact on IT security and the technical data protection requirements of companies, all the more surprising. The authority states that even supposedly minor failures in IT security can result in large fines, even without any additional circumstances.

What happened?

The decision is based on a case from 2019. A ransomware attack had occurred at the company Centric Health. The perpetrators had gained access to the healthcare company's computer systems via a security vulnerability.

Personal patient data was initially encrypted and later deleted by the hackers. The company concerned did not pay the ransom demanded. The data records included names, dates of birth, social security numbers and patient contact information. However, original health data was probably not affected. At the same time, the malware had also captured and encrypted the company's existing backups and snapshots. Some of the affected data was therefore completely lost and could not be restored even after the attack.

It was also remarkable that there was no exfiltration of the data at all, which is otherwise typical of ransomware attacks. In other words, the hackers did not steal the data from the company's computer system during the course of the attack, nor did they threaten to "leak" it in full if the ransom demanded was not paid, as is now frequently the case.

The decision of the supervisory authority

The company concerned behaved in an exemplary manner in dealing with the attack: it discovered the attack at an early stage and initiated measures to limit it. It also informed the data protection supervisory authority and the affected patients (unfortunately with somewhat unclear wording that was later explicitly objected to by the authority) and called in a specialist IT forensics company to investigate the damage that had occurred.

Despite recognizing the exemplary handling of the ransomware attack, the authority imposed a fine of 460,000.00 euros on the company in the subsequent regulatory proceedings. The authority found that the company had breached its duty to ensure an appropriate level of technical protection for personal data, in particular through its conduct prior to the attack. For example, security patches had not been installed despite having been available for long periods of up to one year. In some cases, the company also no longer held licenses for individual software products that would have entitled it to newer security updates. All of this already constituted a breach of the GDPR, even though it was unclear in detail whether the patches could have prevented the success of the attack at all. Furthermore, it was irrelevant whether a data leak had occurred, as unauthorized access to the data (at least by the hackers themselves) had undoubtedly taken place. This makes it clear that even in the case of a ransomware attack, the controller losing access to its own data constitutes a data protection breach. Although this already follows indirectly from Art. 4 No. 12 GDPR, it is nevertheless remarkable how clearly the supervisory authority refers to this.

Effects of the official decision

First of all, it should be noted that the decisions of foreign supervisory authorities have no direct impact on the German supervisory authorities, for example by way of an (indirect) binding effect. The authority's decision was also not reviewed by the courts, meaning that it is unclear whether or to what extent it would stand up to scrutiny.

However, it is possible to deduce from the decision what requirements supervisory authorities could place on technical data protection in the future, i.e. the "practical-technical" and not purely organizational part of the GDPR requirements. In times of increasing ransomware attacks, these are important pointers. It is remarkable how much emphasis was placed on the rapid installation of security patches. For the system administrator, this means a conflict of objectives between a measured rollout that maintains overall system stability and the desire to roll out patches and new versions as quickly as possible to minimize (legal and technical) risks. It should also be borne in mind that the requirement to always use the latest software can represent a not insignificant cost factor if, for example, free security patches are no longer made available after the end of the support period and chargeable updates are required instead, even though the new range of functions is not needed at all. With regard to these requirements for IT security, the decision often provides very specific guidelines and is therefore worth reading for IT officers at companies (the full text of the decision is available at the following link).

Conclusion

The decision shows how important it is to be prepared for data protection-relevant incidents in the area of IT security through defined internal company procedures. It does not take much imagination to realize that the fine would have been much higher if the company had not been able to fall back on pre-prepared instructions that allowed it to deal with the incident in an exemplary manner. It should also be noted that data protection and IT security must now be considered all the more in context. This is because breaches of IT security principles can result in fines under the GDPR even if the data protection "worst case" in the form of a comprehensive leak does not occur at all.

We regularly advise on IT security and data protection issues and are happy to support you in minimizing risks in advance and if an incident has already occurred.

Date: 14 Mar 2023