DPC (Ireland) - IN-21-6-2: Difference between revisions

From GDPRhub
(Changes to structure to set out the arguments and issues more clearly, minor grammar/narrative changes.)
Previous revision (the text replaced by this edit; the current revision follows below):

A Controller was fined €15,000 for failing to implement appropriate technical and organisational measures and to ensure "checks and balances" in respect of a change to data processing when undertaking a new project.

== English Summary ==

=== Facts ===

The Controller engaged a third party provider - IT software contractors (Contractor) to undertake a "Brexit project" which aimed to provide Her Majesty’s Revenue & Customs (HMRC) with access to its internal reporting system to facilitate declarations of duty and VAT. The Contractor immediately began facilitating access to the reports for external review and made changes within the system and, during this work, the server which housed all the data became exposed to the public internet.

It was suggested by the Controller that, due to insufficient checks on security patches, user restrictions and access controls by the Contractor, the configuration of the affected server was done incorrectly, and the IP address of the affected server was inadvertently exposed following the implementation of the system changes. An unknown individual gained access to the exposed server and exfiltrated the personal information pertaining to a large number of data subjects.

For a total of 2 days, the servers, which housed, in total, the unencrypted personal data of 446,143 data subjects, were publicly available. This included their names, home addresses, email addresses and mobile numbers. The Controller further clarified that each of these categories of personal data may not be fully present in each record affected by the personal data breach, since the data collected is client specific and not all fields are mandatory. The hacker was able to access and exfiltrate the records of 10,000 data subjects in total.

=== Holding ===

Article 32 obligations to Controllers and Processors:

The Controller attempted to argue that, in the course of the personal data breach handling process, it was in some cases a controller, in some a joint controller and in others a processor. The Data Protection Commission held that the obligation to implement appropriate technical and organisational measures pursuant to Article 32(1) GDPR applies equally to Controllers and Processors. As the Controller identified itself as holding either of those roles in respect of the personal data, the obligation to comply with [[Article 32 GDPR#1|Article 32(1) GDPR]] applies to all of those circumstances.

Categories and types of personal data:

It was highlighted above that the servers contained some or all of the following categories of personal data: names, home addresses, email addresses and mobile numbers, as dependent on client requirements. In an objective assessment, the risks posed by the Controller’s processing at the time of the personal data breach involved low to moderate risks, both in likelihood and severity, to the rights and freedoms of data subjects. It is admitted that there was a significant quantity of personal data related to a large number of data subjects processed and stored for a period of thirty (30) days by the Controller, but this personal data may be considered at the lower end of the scale in terms of sensitivity.

However, pursuant to [[Article 32 GDPR#1d|Article 32(1)(d) GDPR]] and in light of the obligation to regularly evaluate the effectiveness of technical and organisational measures, it is clear the Controller should have conducted a risk assessment before initiating the process of reviewing access to its internal server in the context of the "Brexit project" in order to identify any possible risk arising from this specific change to the system. Its failure to do so aggravated the likelihood of the risks to the rights and freedoms of data subjects. Having an urgent project does not allow for any exceptions to the obligation to implement appropriate security measures and to follow policies and procedures that have been implemented.

Lack of security measures:

At the time of the personal data breach, the personal data stored was not encrypted and the security controls were not designed having regard to the possibility that the affected data could be viewed by an external entity. Due to the change in the audience to whom the reporting system was exposed, the new risks associated with such a change ought to have been assessed first.

Accordingly, risk-appropriate measures such as encryption and comprehensive access control procedures should have been implemented before the personal data breach. In that regard, the Controller confirmed that the risk assessment regarding the changes to the systems was not performed, and it failed to implement appropriate mitigating measures.

Not following internal procedures and processes:

Contrary to its own existing policies and procedures at the time of the personal data breach, the system changes were signed off verbally by a member of the Controller’s IT team and without the approval of the Data & Information Security representative. Furthermore, whilst the Controller appears to have provided the verbal approval, it was considered that the procedure for the approval of the "Brexit project" was not properly followed according to the Controller’s Data Protection Policies and Procedures in one crucial respect: the staff did not request the approval of the Data & Information Security representative and instead signed off verbally themselves, disregarding the applicable procedure.

Moreover, the lack of the risk assessment negatively impacted the Controller’s ability to identify and recognise the risks associated with this change. Therefore, the Data Protection Commission considered that the organisational measures implemented by the Controller were not appropriate as they did not follow its own Data Protection Policies and Procedures, nor does it appear that there were any "checks and balances" to ensure that these policies and procedures were fully followed by their staff.

- The Controller was issued with a reprimand in respect of the infringement emphasising the requirement to take all relevant steps to ensure continuous and future compliance with Article 32(1) of the GDPR.

- An administrative fine on the Controller in the amount of €15,000 in respect of the infringement.

The Controller has a right of appeal.

Revision as of 12:13, 21 March 2023

DPC - IN-21-6-2
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 30.12.2022
Fine: 15000 EUR
Parties: A&G Couriers Limited T/A Fastway Couriers (Ireland)
National Case Number/Name: IN-21-6-2
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Sainey Belle

A courier services company contracted an IT firm to conduct changes to its internal reporting system and provide access to the tax authorities. During this process a data breach occurred and the controller was subsequently fined €15,000 for the failure to implement appropriate technical and organisational security measures.

English Summary

Facts

This case concerns A&G Couriers (the controller), a company providing security services, which engaged a third party IT software contractor to undertake a "Brexit project". This project was aimed at providing the UK tax authority (Her Majesty’s Revenue & Customs – HMRC) with access to its internal reporting system to facilitate declarations of duty and VAT.


The Contractor immediately began facilitating access to the reports for external review and, while these changes to the system were being made, the server which housed all the data became exposed to the public internet. It was suggested by the Controller that – due to insufficient checks on security patches, user restrictions and access controls by the Contractor – the configuration of the affected server was implemented incorrectly, and the IP address of the affected server was inadvertently exposed following the implementation of the system changes.


For a total of two days, the servers, which housed, in total, the unencrypted personal data of 446,143 data subjects, were publicly available. This included their names, home addresses, email addresses and mobile numbers. The Controller further clarified that each of these categories of personal data may not be fully present in each record affected by the personal data breach, since the data collected is client specific and not all fields are mandatory.


In addition, an unknown individual gained access to the exposed server and exfiltrated the personal information pertaining to a large number of data subjects. The hacker was able to access the records of 10,000 data subjects in total.


In submissions to the DPC, the controller outlined its account of the incident and made a number of arguments in its defence. Firstly, the controller asserted that, depending on the specific data, it was in some cases a controller, and in others a processor, and so the duty to implement appropriate measures was not placed upon it in all circumstances.


Secondly, the controller stated that the servers contained some or all of the following categories of personal data: names, home addresses, email addresses and mobile numbers (as dependent on client requirements). The controller submitted that, in an objective assessment, the risks posed by the Controller’s processing at the time of the personal data breach involved low to moderate risks, both in likelihood and severity, to the rights and freedoms of data subjects. It admitted that there was a significant quantity of personal data related to a large number of data subjects processed and stored for a period of thirty (30) days by the Controller; however, this personal data may be considered at the lower end of the scale in terms of sensitivity.

Holding

Issuing its final decision, the DPC addressed the two points put forward by the controller, before setting out findings concerning the technical and organisational security measures in place at the time of the breach.

Firstly, regarding the issue of whether A&G Couriers should be considered a controller or processor, the DPC held that the obligation to implement appropriate technical and organisational measures pursuant to Article 32(1) GDPR applies equally to Controllers and Processors. As the Controller identified itself as holding either of those roles in respect of the personal data, the obligation to comply with Article 32(1) GDPR applies to all of those circumstances.


Secondly, concerning the categories of personal data and risk to the rights and freedoms of data subjects, pursuant to Article 32(1)(d) GDPR and in light of the obligation to regularly evaluate the effectiveness of technical and organisational measures, it is clear the Controller should have conducted a risk assessment before initiating the process of reviewing access to its internal server in the context of the "Brexit project". This would have enabled it to identify any possible risk arising from this specific change to the system. The failure to do so aggravated the likelihood of a risk to the rights and freedoms of data subjects. Having an urgent project does not allow for any exceptions to the obligation to implement appropriate security measures, and to follow policies and procedures that have been implemented.


Third, on the issue of technical measures, the DPC found that, at the time of the personal data breach, the personal data stored was not encrypted and the security controls were not designed with regard to the possibility that the affected data could be viewed by an external entity. Due to the change in the parties to whom the reporting system was exposed, the new risks associated with such a change ought to have been assessed first. Accordingly, risk-appropriate measures such as encryption and comprehensive access control procedures should have been implemented before the personal data breach. In that regard, the Controller confirmed that the risk assessment regarding the changes to the systems was not performed, and it failed to implement appropriate mitigating measures.


Fourth, and finally, the DPC made findings regarding the implementation of organisational measures. In doing so it was held that, contrary to the controller’s existing policies and procedures at the time of the personal data breach, the system changes were signed off verbally by a member of the Controller’s IT team and without the approval of the Data & Information Security representative. Moreover, the lack of the risk assessment negatively impacted the Controller’s ability to identify and recognise the risks associated with this change. Therefore, the DPC considered that the organisational measures implemented by the Controller were not appropriate as they did not follow its own Data Protection Policies and Procedures. The DPC also observed a lack of any "checks and balances" to ensure that these policies and procedures were fully followed by their staff.


In light of the above, the controller was issued with a reprimand in respect of the infringement, emphasising the requirement to take all relevant steps to ensure continuous and future compliance with Article 32(1) of the GDPR. The DPC also imposed an administrative fine on the Controller in the amount of €15,000.


English Machine Translation of the Decision


Inquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022

Final Decision: A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022