DPC (Ireland) - IN-21-2-5

From GDPRhub
DPC - IN-21-2-5
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 19/08/2022
Decided: 20/12/2022
Published: 20/12/2022
Fine: 100,000 EUR
Parties: Virtue Integrated Elder Care Ltd
National Case Number/Name: IN-21-2-5
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: PL

The Irish DPA fined a company, which manages nursing homes, €100,000 following a data breach. The company had failed to implement appropriate technical and organisational security measures, in violation of Articles 5(1)(f) and 32(1) GDPR.

English Summary

Facts

Virtue Integrated Elder Care Ltd ("VIEC"), the controller, operates and manages five nursing homes in Dublin, Ireland. On 15 August 2020, VIEC became aware through a report to their IT helpdesk that one of the users of their internal systems was being blocked from sending emails. The controller subsequently discovered that the email address of one of its managers had been subject to a phishing attack, and that emails had been rerouted to a third party Gmail account.

On 19 August 2019, VIEC notified the Irish DPA (the DPC) of a personal data breach. Based on initial analysis of the breach notification and subsequent documentation provided during the breach handling process, the DPC considered that the matter concerned a possible “breach of security potentially leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” by VIEC. As a result, the DPC commenced an investigation.

In a commencement letter, the DPC informed VIEC that their inquiry would examine whether or not the company discharged its obligations in connection with the subject matter of the personal data breach and determine whether or not any provision(s) of data protection law had been violated by VIEC in that context.

The scope of the inquiry was stated to include the following. Firstly, the steps taken by VIEC to comply with the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR. Secondly, the technical and organisational measures taken to ensure security of processing pursuant to Article 32(1) GDPR. Thirdly, the ability of the controller to demonstrate ongoing confidentiality, integrity and availability of personal data pursuant to Article 32(1)(b) GDPR. Fourthly, the process employed by VIEC for regularly testing the effectiveness of measures for ensuring appropriate security pursuant to Article 32(1)(d) GDPR. Fifthly, and finally, the ability of VIEC to demonstrate that it had assessed the risk to processing special category information.

As part of the investigation the security provider for VIEC, ‘Ortus’, conducted a report which determined that the most likely root cause of the breach was that the credentials of a user account at one of the nursing homes were captured on a fake website. The link to that fake website was likely received in a phishing email. The original email that delivered the malicious link in question was not identified by the security provider. The email account was thereby accessed by an unauthorised third party, using the captured credentials. This resulted in unauthorised access to stored emails, and allowed the bad actor to set up email forwarding of all inbound emails to a third party email account. In addition, this issue had been ongoing since 18 July 2020.

The DPC prepared an Inquiry Issues Paper to document the relevant facts of the case, and invited submissions from VIEC, in particular regarding any inaccuracies and/or incomplete facts. Outlining the mitigating factors to be considered, VIEC explained that the assigned DPO was aware of the requirement to report the breach within 72 hours and that this timeline had become exhausted by the time the DPO became aware of the breach. The DPO hastily notified the DPC of the breach and supplemented this notification with additional information. The DPC noted this is an example of good practice on the part of a controller in this regard. In another proposed mitigating factor, VIEC submitted that the password for the affected account was reset and a forced logout was performed.

The controller also confirmed, among other things, that 213 data subjects had their personal data compromised, and that 129 of these residents had special category data compromised; 117 of these individuals had health data compromised and 12 had biometric data compromised.

On 11 November 2022 the DPC provided a draft decision to VIEC, and the controller was invited to make further submissions on the proposed infringements. In its response to the draft decision, VIEC asserted that it considered the proposals excessive, and made a range of submissions in support of its position. VIEC stressed the impact of the Covid-19 pandemic on its ability to implement data security provisions. In particular, it explained that senior managers were redirected to frontline roles, at a time of increased regularity of phishing attacks.

Holding

Following these initial steps (commencement letter, inquiry issues paper, draft decision, other relevant materials, submissions made by VIEC) the DPC issued its final decision. This decision identified three issues for determination, and proceeded to analyse these issues in turn. Firstly, an assessment of the risks of varying likelihood and severity for the rights and freedoms of natural persons associated with the processing in question, having regard to VIEC’s own assessment of the risks. Secondly, whether the measures implemented by VIEC prior to the breach were appropriate to ensure ongoing confidentiality, particularly concerning special category data. Thirdly, whether these measures were appropriate in light of any obligations to implement a process for regularly testing, assessing and evaluating the effectiveness of its technical and organisational measures in respect of the security of the system.

With regard to the first question (assessment of the risks), the DPC observed the high number of data subjects involved and the sensitive nature of the data processed, and thus determined that the processing of data by VIEC is to be considered high risk. In addition, there were no specific references to data protection in the company’s 'risk management policy'. According to the DPC, VIEC’s use of its email system, and in particular the storing of biometric data and the lack of appropriate technical measures, created the risk of unauthorised access and disclosure. This constituted a high risk to the rights and freedoms of natural persons in terms of both likelihood and severity.

On the second issue (measures implemented by VIEC to address the risks), the DPC made a number of observations. With regard to data governance, VIEC's data protection policy appeared to be outdated since it referred to the Data Protection Acts of 1988 and 2003 and did not make reference to the GDPR or the Data Protection Act 2018. Similarly, the Employee Data Policy did not refer to the GDPR. This would suggest that these policies were not reviewed or updated prior to or after the GDPR’s entry into force. Furthermore, there was no evidence that VIEC had provided phishing training to its employees prior to the data breach taking place. Moreover, in terms of technical measures, the majority of user passwords were not set to expire and VIEC did not implement multi-factor authentication for users logging into accounts. There was also no journaling in place for emails at the time of the breach, and the controller was therefore unable to search for the original phishing email. Furthermore, with reference to VIEC’s submissions above regarding the impact of the Covid-19 pandemic, the DPC noted that, while the pandemic brought additional challenges, the shortcomings in the controller's processing of data and data security have existed since the implementation of the GDPR.

Addressing the third and final question (processes to test, assess and evaluate the effectiveness of measures), the DPC observed an overall lack of any technical measures to ensure ongoing confidentiality, integrity, availability, or resilience. In terms of organisational measures, VIEC had developed policies to avoid and minimise risk. The company was therefore clearly aware that the use of its email system for the storage and transfer of personal and special category data may present risks to the integrity of the data. However, no follow-up action was taken to ensure that these policies were being followed or were effective. Overall, the lack of appropriate testing of technical and organisational measures led the DPC to conclude that they did not meet the standard required by Articles 5(1)(f) and 32 GDPR.

The DPC concluded that the processing by VIEC failed to ensure that the personal data was processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.  The processing by the author of the phishing attack was unauthorised and unlawful. The processing by VIEC itself of personal and special category data on its email system prior to the phishing attack, without adequate security measures, placed such data at risk of being unlawfully accessed.

The DPC further added that the adequate technical and organisational measures that may have been employed by VIEC could have included, among others, appropriate encryption of personal data being transferred over external networks, and provision of suitable phishing training. Regular testing of the measures employed would also go some way to ensuring the security of processing.

Therefore, the DPC held that VIEC infringed Articles 5(1)(f) and 32(1) GDPR, and made an order pursuant to Article 58(2)(d) GDPR, obliging VIEC to bring its processing operations into compliance with the GDPR; and also issued a reprimand upon the controller pursuant to Article 58(2)(b) GDPR. In accordance with Article 83 GDPR, and taking into account the factors outlined in Article 58(2)(i) GDPR, the DPC also imposed an administrative fine of €100,000.

Comment

At page 15 of the final decision (paras 62 et seq) the DPC outlines the questions which arise for determination, and lists the following five issues:

(a)   an assessment of the risks of varying likelihood and severity for the rights and freedoms of natural persons associated with the processing in question, having regard to VIEC’s own assessment of the risks;

(b)  an evaluation of the adequacy of the risk assessment that VIEC carried out prior to the breach;

(c)   whether the measures implemented by VIEC prior to the breach were appropriate to ensure ongoing confidentiality, particularly concerning special category data;

(d)  whether these measures were appropriate in light of any obligations to implement a process for regularly testing, assessing and evaluating the effectiveness of its technical and organisational measures in respect of the security of the system;

(e)    whether the measures implemented by the VIEC prior to and after the breach were appropriate to demonstrate compliance with the GDPR.

Thereafter, in the analysis of the issues for determination, the DPC’s analysis is split into 3 sections: (a) assessment of the risks (a combination of a and b above); (b) measures implemented by VIEC to address the risks (appears to be a combination of c and e above); and (c) process to test, assess, and evaluate effectiveness of measures (aligns with d above).

While this does not have an impact on the substantive outcome, it is worthwhile to mention here, as it does cause some confusion when reading the final decision.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.