
12/3/2018 09:35 AM
Joe Stanganelli
GDPR Fines: Some Bark, Little Bite

As Security Now says 'Happy Halfiversary' to GDPR, we take a look at what few GDPR fines and other DPA orders and guidance have been made public over the past six months.

Sunday, November 25, marked the "halfiversary" of the European Union's General Data Protection Regulation. In that time, organizations and governments alike have struggled with making sure they are up to par for GDPR compliance -- to much hoopla.

Indeed, after GDPR came into effect on May 25, there was no real slowdown in the fusillade of articles and blog posts warning, shouting, and kvetching about GDPR risks. More recent headlines from over the past month speculate that billion-dollar GDPR fines are just around the bend for major companies like Facebook and British Airways after their recent respective data breaches. (See Facebook's Data Breach: Will It Be First Test of GDPR? and British Airways Already Facing Lawsuits Following Data Breach.)

For the most part, however, what I predicted last year here on this point has thus far rung true -- that GDPR appears to have been more puff than plague in 2018. Data Protection Authorities (DPAs) are hardly zapping every company left and right with their maximum fining powers. (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

DPAs clarify PHI stances
Still, DPAs are indicating that certain kinds of data are subject to greater scrutiny -- and greater punishment -- when it comes to how that information is guarded.

In July, the Netherlands' DPA held that a public insurance body violated GDPR security standards by using only single-factor authentication on its employer portal instead of multi-factor authentication. The DPA specifically stated that multi-factor authentication was required because the employer portal allows access to employees' Protected Health Information (PHI).

Moreover, EU regulators are not screwing around when it comes to defining what constitutes PHI under GDPR.

In setting this specific standard for PHI, the DPA set another one as well. Reportedly, the public insurance body's portal contains minimal information about employee health -- only the dates of sick days, parental leave, and information related to when an employee is pregnant or gives birth; other than pregnancy, no information about employees' actual medical conditions is listed. Nonetheless, the DPA ruled that by merely existing on the portal to begin with, all of that information qualifies as PHI because it indicates that someone had or has a medical condition. Res ipsa loquitur.

The DPA ordered the public insurance body to conduct a new data-privacy impact assessment (DPIA) by October 31, 2018, and to implement appropriate security measures in line with its ruling by October 31, 2019. While no immediate fines were assessed, the DPA ordered that fines of €150,000 ($170,000) would be assessed against the public insurance body for every month of delay in complying with its order -- up to a maximum of six months' worth of fines.

Also in July, Portugal's DPA privately issued a GDPR fine of €400,000 ($450,000) against a hospital for allegedly allowing hospital-system users "unrestricted" access to PHI via temporary accounts. The hospital has announced its intent to appeal.

This not-yet-finalized six-figure fine, however, may so far be the exception as opposed to the rule.

Austria fines first
Only a couple of publicly levied fines for GDPR violations have come down from DPAs thus far. The first EU member state to publicly issue a fine under GDPR appears to have been Austria. This is no big surprise given the nation's recent history; in addition to being home to privacy activist and serial litigant Max Schrems (whose legal crusade against Facebook led to the fall of the EU-US Safe Harbor Principles), Austria was the only EU member state to vote against GDPR -- for not being strict enough.

In the instant case, Austria fined a small business under GDPR for installing a CCTV camera that recorded part of a public way -- without sufficient indication that there was a camera recording passersby. The fine, however, was modest -- €4,800 ($5,500).

DPAs decline to compete on fines
More recently, Germany's DPA announced that it had issued a GDPR fine against Knuddels -- a German social-networking site -- after the company suffered a data breach in which a minimum of 320,000 user credentials (and possibly as many as 1.8 million) were stolen. The fine amounted to €20,000 ($23,000) -- at first, a seemingly paltry sum considering that Knuddels had stored user credentials in plaintext (a veritable cybersecurity facepalm, with or without Article 32 of GDPR). This appears to have been Knuddels's only GDPR sin, however. The fine was mitigated because, according to Germany's DPA, Knuddels took swift and exemplary action in "immediately and comprehensively" notifying the DPA of the breach in compliance with GDPR, kept users informed in a timely manner, and extensively improved its IT-security posture in collaboration with the DPA.
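The plaintext credential storage the paragraph above calls out is worth seeing next to its fix. The following is an added example, not code from the article or from Knuddels: a vulnerable lookup against a plaintext credential table beside a salted PBKDF2-HMAC-SHA256 store-and-verify pair. The user table, the password and the work factor are constructed values chosen for illustration; the record format (`pbkdf2_sha256$iterations$salt$digest`) is an assumption of this example, not a standard.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of the vulnerable pattern: the table a breach would expose
# contains every user's password verbatim.
PLAINTEXT_TABLE: Dict[str, str] = {"alice": "correct horse battery staple"}


def verify_plaintext(table: Dict[str, str], user: str, password: str) -> bool:
    """Vulnerable: compares against a stored plaintext password."""
    return table.get(user) == password


# Assumed work factor for the example; raise it for production hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened: derive a salted PBKDF2-HMAC-SHA256 digest and encode the
    parameters alongside it so the verifier can reproduce the computation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(record: str, password: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time; the plaintext never needs to be stored."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_hashed_table(plaintext_table: Dict[str, str]) -> Dict[str, str]:
    """One-time migration: replace each plaintext password with its record."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


if __name__ == "__main__":
    hashed = build_hashed_table(PLAINTEXT_TABLE)
    print(hashed["alice"])  # record contains salt and digest, never the password
    print(verify_hashed(hashed["alice"], "correct horse battery staple"))
    print(verify_hashed(hashed["alice"], "wrong password"))
```

The point of the contrast is what a stolen table yields: with `PLAINTEXT_TABLE` the attacker has every credential immediately, while with `build_hashed_table` each record must be brute-forced separately against its own salt, which is what Article 32's "appropriate technical measures" is meant to buy a controller.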

Stefan Brink, Germany's State Commissioner for Data Protection and Freedom of Information, commented that his organization is not interested in competing over which DPA can issue the highest fines -- and instead is focused on the overarching goal of improving information security and data privacy.

This corresponds with comments last year from his opposite number in the UK, Elizabeth Denham, when she downplayed the hullaballoo over "massive" GDPR fines.

"[GDPR] is not about fines," wrote Denham in a since-taken-down blog post (archived here). "It's about putting the consumer and citizen first. We can't lose sight of that."

—Joe Stanganelli is managing director at research and consulting firm Blackwood King. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
