On Sept. 10, Poland’s data protection authority, the Personal Data Protection Office, issued its highest fine of 660,000 euros to retail company Morele.net for infringing on the principle of integrity and confidentiality, Article 5(1)(f), and the rules on security of processing, Article 32(1)(b)(d) and (2), of the EU General Data Protection Regulation.
Key takeaways from this decision relate to the UODO’s interpretation of “the state of the art,” which, under the GDPR, needs to be considered when implementing technical and organizational measures appropriate to the risk of processing.
In 2018, Morele suffered a data breach that affected approximately 2.2 million clients. Data accessed included client names, phone numbers, email and delivery addresses. A subset of 35,000 users also had loan applications exposed. Morele only learned of the breach after some of its clients reported phishing SMSes that were allegedly sent by Morele.net and contained a link to a fake payment gateway. Hackers blackmailed the company for ransom and, when Morele refused, the stolen personal data was sold online. In response to the breach, the company eliminated technical vulnerabilities, helped the affected data subjects and cooperated fully with the UODO and the police.
The UODO acknowledged satisfactory post-breach cooperation but found the infringement of the GDPR’s principle of integrity and confidentiality and the rules on security of processing contributed to the data breach, all of which posed a high risk to the rights and freedoms of Morele’s clients.
How to interpret ‘the state of the art’
The UODO recognized the GDPR does not require technical and organizational measures to eliminate processing risks (which would be impossible), but it does require those measures to be appropriate to the risks, taking into account the “state of the art” and the cost of implementation.
The GDPR demands that the security of personal data processing be brought up to the “state of the art” level but does not specify in any detail what that requires. In this decision, the UODO provides some assistance in determining the meaning of the “state of the art” within the GDPR. It states that, in constantly changing market conditions, controllers and processors should treat the ISO standards as a reliable benchmark for IT security (including those ISO standards that have not been published in Polish). Further elements of the framework, which should be consulted when determining the current “state of the art,” include recommendations and guidelines from organizations specializing in information security, with the European Union Agency for Cybersecurity, the National Institute of Standards and Technology, and the Open Web Application Security Project referred to as examples.
Authentication and access control
The UODO stressed that appropriate authentication and access control are essential security measures, as indicated in the standard PN-EN ISO/IEC 27001:2017-06. In determining the “state of the art” in that respect, the UODO referred to ENISA’s “Guidelines for SMEs on the security of personal data processing” and the OWASP “Top 10 Application Security Risks – 2017,” both of which strongly recommend two-factor authentication for accessing systems that process personal data.
In Morele’s case, two-factor authentication was introduced only as part of the breach response. The UODO saw it as a failure to provide appropriate technical safeguards in Morele’s IT systems that contributed to the successful hacking attack.
The UODO reinforced the point that, to satisfy the requirements of Article 32 of the GDPR, the access control mechanism should always be chosen following a thorough risk assessment, and its ongoing appropriateness should be regularly tested and evaluated (as also recommended in ISO/IEC 29115:2017/07, NIST 800-63B “Digital Identity Guidelines: Authentication and Lifecycle Management” and the OWASP “Top 10 Application Security Risks – 2017”).
In the UODO’s opinion, Morele fulfilled that requirement only partially: it monitored the measures implemented to protect against known vulnerabilities but failed to assess whether, overall, the implemented technical measures were appropriate to the risks posed by the processing. The UODO noted that the company was processing personal data on a large scale that involved a high level of risk to the rights and freedoms of data subjects, which meant that the level of monitoring had to be increased to a level appropriate to such risks. The UODO found that, despite carrying out some forms of security monitoring, the company failed to react in a timely manner to unusual patterns in the network traffic: it remained unaware of increased network activity for a period of four months. The UODO saw this as falling short of the security level appropriate to the risk, considering the “state of the art” security standards recommended, e.g., in ENISA’s guidelines on monitoring traffic to and from the IT system. The UODO concluded that, had the monitoring of Morele’s IT systems been appropriate to the risks, it should have detected the vulnerabilities of its one-factor access control, as well as the unusual network traffic.
The determination of the “state of the art” in security of personal data processing is an ongoing technical, organizational and legal task for businesses subject to the GDPR. This decision may provide some support in identifying the required level of IT security. The references to security frameworks and guidelines indicate a general approach to a risk-based interpretation of the “appropriate technical and organisational measures,” and we may well see further references to information security guidelines made by DPAs in other jurisdictions. The NIST Cybersecurity Framework and the NIST Privacy Framework (once completed), as well as country-specific documents, provide some possible examples of useful points of reference for organizations considering how to comply with the GDPR’s rules on confidentiality, integrity and security of personal data processing.