Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security // Law

12/3/2018 09:35 AM

Joe Stanganelli

GDPR Fines: Some Bark, Little Bite

As Security Now says 'Happy Halfiversary' to GDPR, we take a look at what few GDPR fines and other DPA orders and guidance have been made public over the past six months.

Sunday, November 25, marked the "halfiversary" of the European Union's General Data Protection Regulation. In that time, organizations and governments alike have struggled with making sure they are up to par for GDPR compliance -- to much hoopla.

Indeed, after GDPR came into effect on May 25, there was no real slowdown in the fusillade of articles and blog posts warning, shouting, and kvetching about GDPR risks. More recent headlines from over the past month speculate that billion-dollar GDPR fines are just around the bend for major companies like Facebook and British Airways after their recent respective data breaches. (See Facebook's Data Breach: Will It Be First Test of GDPR? and British Airways Already Facing Lawsuits Following Data Breach.)

For the most part, however, what I predicted last year here on this point has thus far rung true -- that GDPR appears to have been more puff than plague in 2018. Data Protection Authorities (DPAs) are hardly zapping every company left and right with their maximum fining powers. (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

DPAs clarify PHI stances
Still, DPAs are indicating that certain kinds of data are subject to greater scrutiny -- and greater punishment -- when it comes to how that information is guarded.

In July, the Netherlands' DPA held that a public insurance body violated GDPR security standards by using only single-factor authentication on its employer portal instead of multi-factor authentication. The DPA specifically stated that multi-factor authentication was required because the employer portal allows access to employees' Protected Health Information (PHI).

Moreover, EU regulators are not screwing around when it comes to defining what constitutes PHI under GDPR.

In setting this specific standard for PHI, the DPA set another one as well. Reportedly, the public insurance body's portal contains minimal information about employee health -- only the dates of sick days, parental leave, and information related to when an employee is pregnant or gives birth; other than pregnancy, no information about employees' actual medical conditions is listed. Nonetheless, the DPA ruled that by merely existing on the portal to begin with, all of that information qualifies as PHI because it indicates that someone had or has a medical condition. Res ipsa loquitur.

The DPA ordered the public insurance body to conduct a new data-privacy impact assessment (DPIA) by October 31, 2018, and to implement appropriate security measures in line with its ruling by October 31, 2019. While no immediate fines were assessed, the DPA ordered that fines of €150,000 ($170,000) would be assessed against the public insurance body for every month of delay in complying with its order -- up to a maximum of six months' worth of fines.

Also in July, Portugal's DPA privately issued a GDPR fine of €400,000 ($450,000) against a hospital for allegedly allowing hospital-system users "unrestricted" access to PHI via temporary accounts. The hospital has announced its intent to appeal.

This not-yet-finalized six-figure fine, however, may so far be the exception as opposed to the rule.

Austria fines first
Only a couple of publicly levied fines for GDPR violations have come down from DPAs thus far. The first EU member state to publicly issue a fine under GDPR appears to have been Austria. This is no big surprise given the nation's recent history; in addition to being home to privacy activist and serial litigant Max Schrems (whose legal crusade against Facebook led to the fall of the EU-US Safe Harbor Principles), Austria was the only EU member state to vote against GDPR -- for not being strict enough.

In the instant case, Austria fined a small business under GDPR for installing a CCTV camera that recorded part of a public way -- without sufficient indication that there was a camera recording passersby. The fine, however, was modest -- €4,800 ($5,500).

DPAs decline to compete on fines
More recently, Germany's DPA announced that it had issued a GDPR fine against Knuddels -- a German social-networking site -- after the company suffered a data breach in which a minimum of 320,000 user credentials (and possibly as many as 1.8 million) were stolen. The fine amounted to €20,000 ($23,000) -- at first, a seemingly paltry sum considering that Knuddels had stored user credentials in plaintext (a veritable cybersecurity facepalm, with or without Article 32 of GDPR). This appears to have been Knuddels's only GDPR sin, however. The fine was mitigated because, according to Germany's DPA, Knuddels took swift and exemplary action in "immediately and comprehensively" notifying the DPA of the breach in compliance with GDPR, kept users informed in a timely manner, and extensively improved its IT-security posture in collaboration with the DPA.

Stefan Brink, Germany's State Commissioner for Data Protection and Freedom of Information, commented that his organization is not interested in competing over which DPA can issue the highest fines -- and instead is focused on the overarching goal of improving information security and data privacy.

This corresponds with comments last year from his opposite number in the UK, Elizabeth Denham, when she downplayed the hullaballoo over "massive" GDPR fines.

"[GDPR] is not about fines," wrote Denham in a since taken-down blog post (archived here). "It's about putting the consumer and citizen first. We can't lose sight of that."

—Joe Stanganelli is managing director at research and consulting firm Blackwood King. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
