Ineffective technical safeguards as a reason for imposing a fine
The President of the Personal Data Protection Office has imposed an administrative fine in the amount of PLN 30 000 on one mayor for selecting ineffective security safeguards for the IT system used and for failing to test them.
The supervisory authority has received a data breach notification caused by a ransomware attack resulting from the use of a vulnerability existing in an IT system.
During the proceeding and after analysing the evidence, the DPA found that the actual cause of the ransomware attack was an outdated virus database. Moreover, the controller conducted a risk analysis in an unreliable manner (especially with regard to backups), and implemented incomplete technical and organisational measures to guarantee security in the processing of personal data.
As a result, the security of the IT system used by the controller was breached and the data processed in the system was then encrypted using malware.
Appropriate technical safeguards
One of the important elements that affect the security of personal data is to ensure that the software used to process the data has the latest version made available by its developer. Such software has all updates issued by the developer, including those relating to security and software performance patches.
During the proceeding it was established that the operating system, installed by the controller on the server at the time of the data breach, was not supported by the developer.
In the opinion of the Polish supervisory authority, the use of IT systems for the processing of personal data after their developer's technical support has ended significantly reduces their security level.
The controller, prior to the occurrence of the personal data breach, identified the risk associated with the use of outdated software, but did not update it, and therefore did not itself comply with the procedures of which it was the author.
The proceeding indicated that personal data processed by the controller had been encrypted, resulting in a loss of accessibility to the controller's databases.
However, the controller's backup policy and practice did not ensure that processing systems and services were available and that personal data could be quickly restored and accessed in the event of a breach. As it was identified, the server on which the additional copy of the data was to be made had crashed, making it impossible to quickly restore the data on it. The controller only recovered the data after almost three months.
The technical measures adopted by the controller to protect personal data adequately were in no way tested, measured and evaluated by the Mayor to verify their effectiveness. During the course of the proceeding, the controller was not able to demonstrate that the solutions applied were sufficient to ensure the security of the data processed. Furthermore, the controller did not provide evidence that it performs regular testing after the personal data breach.
Once again, it should be recalled that testing, measuring and evaluating the safeguards in place, must be done on a regular basis, not on a one-off basis.