Companies can breach European privacy laws if they mishandle personal data after a cyber attack, according to a recent ruling in Ireland. Ireland’s Data Protection Commissioner has fined Dublin-based medical group Centric Health Ltd. €460,000, equivalent to $485,000, citing the inadvertent destruction of approximately 2,500 patient files and other data deletions following a 2019 ransomware attack.
The punishment highlighted the risks companies face in complying with European data privacy requirements – even as they rush to repair systems and recover information after a cyber breach.
European data protection regulators have cited cybersecurity failures in recent investigations – in some cases prior to or in response to a cyberattack – that led to privacy breaches. In November, a French regulator linked cybersecurity practices to a breach of privacy at Discord Inc. and fined the chat service €800,000.
The UK regulator fined UK construction company Interserve Group Ltd. £4.4m, or $5.2m, in October, saying the company’s poor security measures had left data on around 113,000 current and former employees vulnerable to a ransomware attack in 2020. Interserve argued that the Covid-19 pandemic prevented employees from recovering their data quickly because they were unable to come to the office. The regulator said Interserve’s lack of adequate resources and offline data backups played a bigger role.
“Your responsibilities in dealing with the GDPR are not just about prevention. It’s also about how you respond to and protect individuals’ rights once there is a breach.”