Incorrect processing of personal data after a cyberattack can result in a fine!

Companies can breach European privacy laws if they mishandle personal data after a cyber attack, according to a recent ruling in Ireland. Ireland’s Data Protection Commissioner has fined Dublin-based medical group Centric Health Ltd. €460,000, equivalent to $485,000, citing the inadvertent destruction of approximately 2,500 patient files and other data deletions following a 2019 ransomware attack.

The penalty highlights the risks companies face in complying with European data privacy requirements – even as they rush to repair systems and recover information after a cyber breach.

European data protection regulators have cited cybersecurity failures in recent investigations – in some cases prior to or in response to a cyberattack – that led to privacy breaches. In November, a French regulator linked cybersecurity practices to a breach of privacy at Discord Inc. and fined the chat service €800,000.

The UK regulator imposed a fine of £4.4m, or $5.2m, on UK construction company Interserve Group Ltd. in October, saying the company’s poor security measures had left data on around 113,000 current and former employees vulnerable to a ransomware attack in 2020. Interserve argued that the Covid-19 pandemic prevented employees from recovering the data quickly because they were unable to come to the office. The regulator said Interserve’s lack of adequate resources and offline data backups played a bigger role.

“Your responsibilities in dealing with the GDPR are not just about prevention. It’s also about how you respond to and protect individuals’ rights once there is a breach.”

For more information:

https://www.wsj.com/articles/inadvertent-data-destruction-after-a-cyberattack-can-violate-eu-privacy-rules-a796d8e?page=1