GDPR News

59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued

A new report from DLA Piper indicates 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of May 25, 2018. The majority of the data breaches have been reported in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600).

The Netherlands saw the highest number of breaches per capita, followed by Ireland, and Denmark. It is worth noting that many non-EU companies have registered bases in EU member states and any data breaches experienced by them count toward the total for the country where their European HQ is established. Many non-EU firms, including Google, Facebook, Twitter, and Microsoft, have chosen Ireland for their European base.

Obtaining accurate numbers for data breach reports was a challenge. Official EU figures suggest that only 41,502 data breaches had been reported between the compliance deadline and January 28, 2019; however, those figures do not include Norway, Iceland, and Liechtenstein, which are not members of the EU but are part of the European Economic Area (EEA). The official figures also only included data breaches reported in 21 of the 28 member states.

The data for the DLA Piper report came from breach notifications filed in 23 EU member states and by EEA members. Data breach reports have not been made public in Bulgaria, Croatia, Estonia, Lithuania, and Slovakia.

The number of data breaches reported so far appears higher than before GDPR came into effect. That does not mean there has been an increase in data breaches, only that more companies are reporting breaches and breaches are also being reported more quickly. GDPR requires breach notifications to be issued within 72 hours of the discovery of a breach.

Financial Penalties for GDPR Violations and Data Breaches

DLA Piper has been tracking GDPR fines since the compliance deadline. To date, 91 financial penalties have been issued. Financial penalties can be issued for any violation of GDPR. In addition to data breaches, GDPR supervisory authorities investigate complaints about privacy violations. It was such a complaint that resulted in the largest GDPR violation penalty issued to date: the €50 million ($57 million) fine for Google issued by the French supervisory authority, CNIL.

The supervisory authorities in Germany have been the most active enforcers of GDPR since the May 25, 2018 compliance deadline. 64 of the 91 fines have been issued in Germany. Those fines include the two largest financial penalties for companies that have experienced data breaches.

The chat platform Knuddels.de was fined €20,000 ($22,700) by the German Data Protection Authority LfDI for storing users’ passwords in clear text. LfDI also issued an €80,000 ($91,000) financial penalty to an organization that published health information on the internet – the second largest GDPR data breach fine to date.

Only a relatively small number of fines have been issued in relation to data breaches; however, many supervisory authorities are struggling with the volume of breach notices they have received and there is a considerable backlog to get through. Some data breaches reported in 2018 may still result in fines.

DLA Piper notes that the majority of the fines issued to date have been relatively low; much lower than the maximum penalty of €20 million or 4% of global annual turnover, whichever amount is higher. DLA Piper anticipates there will be several fines of tens or even hundreds of millions of euros issued in 2019 once the supervisory authorities have cleared the backlog of data breach reports and GDPR complaints.

The post 59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued appeared first on HIPAA Journal.

GDPR Incorporated into the HITRUST CSF

HITRUST has incorporated the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements.

Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.

Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”

HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognized as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.

In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST CSF and is currently working toward becoming an Accountability Agent under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.

Google Hit With €50 Million GDPR Violation Penalty

Google has been hit with a €50 million ($56.8 million) GDPR violation penalty, the largest GDPR violation penalty issued to date.

The French GDPR supervisory authority, the National Data Protection Commission (CNIL), investigated suspected GDPR violations after receiving complaints from two privacy rights groups, La Quadrature du Net and noyb. The first of the complaints was filed on the GDPR compliance deadline, May 25, 2018.

The complaints related to how Google processes user data for personalizing ads. It was argued that Google did not have a valid legal basis for processing user information and had not obtained clear consent to do so.

While information about its data processing activities has been made available to users, the information is spread across several documents, so it is unclear to consumers how personal data is being processed. According to CNIL, a consumer would need to take five or six actions in order to find out essential information about Google’s processing activities related to personalized ads and, as such, users would not be able to understand how Google was processing their data.

While consent was obtained, the consent form was pre-checked, requiring users only to click to accept, which is also a violation of GDPR. When obtaining consent, users are required to manually tick check boxes when providing consent. Consent must be clearly provided through an explicit opt-in process.

The lack of transparency about how user data will be processed in relation to serving personalized adverts left consumers in the dark about the “particularly massive and intrusive” data processing that takes place in order to serve personalized ads, according to CNIL.

The extent of the GDPR violations, which are ongoing, warranted a substantial fine. The maximum penalty for serious violations of GDPR is €20 million ($22.73 million) or up to 4% of global annual turnover, whichever is greater. While the €50 million fine is substantial, it falls well short of the maximum possible fine that could have been issued: around $4.4 billion based on an annual turnover of $110.8 billion in 2017.

The complaints to CNIL are just two of many that have been filed against Google since the GDPR compliance deadline. Complaints have been submitted by consumer groups in several EU countries over what are viewed as deceptive privacy practices. If those complaints are substantiated, further fines can be expected.

Google has responded to the fine by issuing a statement confirming that it is deeply committed to meeting the high standards of transparency, control, and consent that are required by GDPR and will be studying CNIL’s decision to determine what steps must be taken next.

The substantial GDPR violation penalty sends a message to large technology firms and other entities that collect or process the data of EU residents that compliance with all aspects of GDPR requirements is mandatory and violators will face severe fines for noncompliance.

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold and the individuals or companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: Health data related to the provision of medical services related to the physical and mental health of an individual; Health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology on this link.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portuguese supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.
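As an added illustration of the kind of entitlement review that surfaces findings like these (example code written for this page, not the hospital’s or CNPD’s own tooling), the following Python script reconciles the accounts holding a clinical profile in a patient management system against the physician headcount and flags test accounts, accounts with no HR owner, and non-clinical staff holding clinical access. The roster, job titles, profile names and headcount are all constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Only medical doctors should hold the full clinical profile (per the audit above);
# the title set and profile names are assumptions for this example.
CLINICAL_TITLES = {"physician"}
PRIVILEGED_PROFILES = {"clinical_full", "admin"}


@dataclass(frozen=True)
class Account:
    username: str
    job_title: str          # from the HR roster; "" when no HR record exists
    profile: str            # access profile in the patient management system
    is_test: bool = False   # test/demo accounts should never hold live patient access


# Constructed sample: a miniature of the 985-accounts-versus-296-physicians situation.
SAMPLE_ACCOUNTS = [
    Account("dr.silva", "physician", "clinical_full"),
    Account("dr.costa", "physician", "clinical_full"),
    Account("nurse.reis", "nurse", "clinical_full"),             # over-provisioned
    Account("sw.lopes", "social_worker", "clinical_full"),       # over-provisioned
    Account("clerk.dias", "admissions_clerk", "clinical_full"),  # over-provisioned
    Account("clerk.sousa", "admissions_clerk", "clinical_limited"),
    Account("test_profile", "", "admin", is_test=True),          # like the audit's test profile
    Account("it.pinto", "sysadmin", "admin"),
]
SAMPLE_PHYSICIAN_HEADCOUNT = 2


def review_entitlements(accounts, physician_headcount):
    """Reconcile system entitlements against the roster; empty lists mean no finding."""
    clinical = [a for a in accounts if a.profile == "clinical_full"]
    privileged = [a for a in accounts if a.profile in PRIVILEGED_PROFILES]
    return {
        # Headline ratio the regulator looked at: accounts with clinical access vs. doctors.
        "clinical_profile_count": len(clinical),
        "physician_headcount": physician_headcount,
        "excess_over_headcount": max(0, len(clinical) - physician_headcount),
        # Who holds clinical access without a qualifying job title.
        "non_clinical_with_clinical_profile": sorted(
            a.username for a in clinical if a.job_title not in CLINICAL_TITLES),
        # Test accounts, or accounts with no HR owner, that carry privileged access.
        "privileged_test_accounts": sorted(a.username for a in privileged if a.is_test),
        "privileged_without_hr_record": sorted(a.username for a in privileged if not a.job_title),
        # Breakdown by title, used to explain the excess to management.
        "clinical_profile_by_title": dict(Counter(a.job_title or "<no HR record>" for a in clinical)),
    }


def has_findings(report):
    """True when any finding list is non-empty or the headcount is exceeded."""
    return report["excess_over_headcount"] > 0 or any(
        isinstance(v, list) and v for v in report.values())


if __name__ == "__main__":
    for key, value in review_entitlements(SAMPLE_ACCOUNTS, SAMPLE_PHYSICIAN_HEADCOUNT).items():
        print(f"{key}: {value}")
```

Running the review on the constructed roster reports five clinical-profile accounts against two physicians (an excess of three), names the nurse, social worker and clerk holding clinical access, and flags the test profile both as a test account and as an account with no HR record. The same reconciliation against a real export of system profiles and the HR roster is a cheap periodic control that catches exactly the drift the Portuguese audit found.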

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

Data Breach Reports and Complaints Have Increased Significantly Post-GDPR

The General Data Protection Regulation (GDPR) provided EU residents with new rights and freedoms and gave EU citizens greater control over the personal information that is collected, processed, and used by companies.

One of the rights given to EU citizens is the ability to submit complaints to the data protection authority when they feel that their personal data is being misused or has not been protected. GDPR also requires companies to disclose certain data breaches within 72 hours of discovery.

Since GDPR came into effect on May 25, 2018, there has been a considerable increase in the number of data breaches reported by companies in Europe.

Data breach reports in the United Kingdom quadrupled in the first three months since GDPR came into effect and in Ireland data breach reports doubled.

A study conducted by Kroll shows there was a 75% increase in data breaches reported to the Information Commissioner’s Office (ICO) – the supervisory authority in the United Kingdom – in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past year that could be attributed to human error, compared to just 292 the previous year.

The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents) and loss or theft of physical records (438 incidents). There were 102 cases of unauthorized access to personal information, most commonly due to cyberattacks. The most commonly breached industry was healthcare, accounting for 1,214 of the 2,000 reported incidents.

These figures suggest a major increase in data breaches, since the majority of these reports were filed before GDPR took effect; however, Kroll attributes the rise largely to increased transparency brought about by GDPR, with UK companies choosing to abide by GDPR rules ahead of the compliance deadline.

Kroll also suggests that there is likely to be a substantial increase in the penalties issued for preventable data breaches, as prior to the implementation of GDPR, the maximum possible fine was £500,000 in the UK. Now that GDPR is in force, the maximum penalty is €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the greater. The risk of a substantial fine on top of the cost of dealing with a breach and repairing reputational damage is likely to see companies pay much more attention to data security and invest more heavily in data protection solutions.

Privacy and data security complaints have similarly increased. ICO figures show data protection complaints from consumers have substantially increased since GDPR came into effect. In the first three months since GDPR came into force, the number of data protection complaints has doubled. Prior to the introduction of GDPR in May, the ICO had received 2,310 complaints, but that figure jumped to 3,098 complaints in June and 4,214 complaints in July.

There have also been significant increases in complaints in other countries in Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018 compared to the previous year and in Ireland there has been a 65% increase in data protection complaints since GDPR came into effect.

Steps to Take to Make a Website GDPR Compliant

If you have a website that can be accessed by EU residents, it is likely that you will have to make your website GDPR compliant. If you have yet to do so, you could potentially face a substantial fine, as the General Data Protection Regulation compliance date was May 25, 2018.

The main purpose of GDPR is to protect the rights and freedoms of EU residents and to give them more control over their personal data, no matter where personal data is collected or processed.

Over the past two years, many businesses have been learning about how GDPR affects websites, and website owners have made changes to ensure their sites are compliant. However, some businesses are unsure how to make a website GDPR compliant and others have ignored GDPR requirements entirely.

Site owners that fail to make a website GDPR compliant can face stiff financial penalties. The penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover (whichever is greater) so noncompliance really isn’t an option.

How to Make a Website GDPR Compliant

One of the main requirements to make a website GDPR compliant is to tackle the issue of consent. Information cannot be collected and processed unless consent has been obtained.

While most website owners explain in a privacy policy about information that is collected and how it is processed, under GDPR that is not sufficient. It is no longer possible to state that continued use of the website constitutes consent and agreement with the site’s privacy policy.

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Under GDPR it is not acceptable to use pre-checked boxes when obtaining consent to collect and process personal data. Users must provide clear consent and if checkboxes are used, they must be manually checked by users.

Consent forms should be clear and explain, in easy-to-understand language, what data is collected and how it is used. Website visitors must be informed how long their personal data will be retained and the classes of individuals with whom the information will be shared. The exact types of data collected through use of the website must be explained, as must whether the website uses cookies to collect them.

Website owners must make a decision about the types of data they collect and whether that information is necessary in order to perform the task for which the information is being collected. Any data collected or processed should be limited to the minimum necessary amount to achieve the purpose for which it is collected. GDPR also requires all personal data to be secured, so data encryption should be considered.

If you use any kind of analytics program on your website, Google Analytics for example, it is your responsibility to ensure it is compliant. Google has taken care of its side, but it is the responsibility of all website owners to ensure analytics programs meet GDPR requirements. If tracking data is collected that allows an individual to be identified – by their IP address for example – consent must be obtained.

It is important that website visitors can get in touch with a site owner to exercise their GDPR rights and freedoms, so all contact information needs to be up to date. It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy.

In the event that a website visitor chooses to be forgotten, it is useful to have a mechanism in place that allows that to happen automatically via the website. Manually completing such a task will be time consuming, especially if multiple requests are received.

It is the responsibility of all website owners to familiarize themselves with GDPR rules and make their websites GDPR compliant. If you own or operate a website, read up on GDPR requirements, check to make sure consent is being obtained before personal data are collected and processed, ensure data subjects’ rights and freedoms are protected and honored, and make sure all personal data is stored securely.

You must also develop policies and procedures to identify and deal with data breaches. If a breach is experienced, the Supervisory Authority must be notified within 72 hours.

How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority?

Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects.

The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business operates in multiple EU member states. It is a one-stop shop for all matters related to GDPR.

For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK.

For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU. More specifically, it would be the Supervisory Authority in the country where the final decisions are made about data collection and processing.

A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data processing decisions are made, it will not benefit from the one-stop-shop mechanism. Even if a company has a representative in an EU member state, that does not trigger the one-stop-shop mechanism.

The company must therefore deal with the supervisory authority in every member state where the company is active, through its local representative. There would not be any lead supervisory authority. Article 27 of GDPR details the requirement to appoint a local representative in an EU member state.

For some companies, especially those that operate in many EU member states, identifying the lead supervisory authority may not be straightforward. The Article 29 Data Protection Working Party has responded to confusion over the selection of an LSA by producing guidelines for identifying a controller or processor’s LSA. The guidelines can be downloaded on this link (PDF).

GDPR Data Breach Reporting Requirements

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject: Information that could, directly or indirectly, allow a person to be identified.

In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection, investigation, and internal reporting procedures in place. A data processor must notify the data controller immediately if a data breach is suspected.

Under GDPR, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Protection Officer (DPO) if the company has appointed one, or otherwise to the privacy officer or the security team.

It is the responsibility of the DPO to report a breach to the supervisory authority. Companies that have not appointed a DPO will have to assign the responsibility for breach reporting to another individual. That individual will be the point of contact in the organization should the supervisory authority need further information about the breach.

The timescale for reporting data breaches under GDPR is far stricter than under HIPAA, which allows up to 60 days for a breach to be reported. GDPR requires the supervisory authority to be notified of a data breach within 72 hours of the breach being discovered (see GDPR Article 33). A data breach must be reported unless it is unlikely to result in a high risk to the rights and freedoms of data subjects.

Such a short time frame for reporting breaches means a breached entity is unlikely to have had time to investigate the breach thoroughly, so the information that can be provided to the supervisory authority at that early stage in the investigation is unlikely to be complete. It may therefore be necessary to provide breach information in stages.

GDPR Data Breach Reporting Requirements for Breach Notifications

The data breach report for the supervisory authority must contain the following information:

  • A description of the data breach
  • Categories of data subjects affected and the approximate number of individuals impacted
  • Categories and approximate number of data records affected
  • Contact details of the Data Protection Officer or other point of contact in the organization if a DPO has not been appointed
  • A description of the likely consequences of the data breach
  • A description of the steps being taken to mitigate the breach and limit adverse effects

If the 72-hour reporting deadline is missed, when the breach report is submitted it must be accompanied by a reason for the delay.

The data controller must maintain a record of all personal data breaches, regardless of their severity, including the above information and any further action taken to address the breaches.

When Must Notifications Be Sent to Data Subjects?

Not all personal data breaches require personal notifications to be issued to affected data subjects. The requirement to send personal notifications is based on the level of risk to the rights and freedoms of data subjects. Following a data breach, a risk analysis must therefore be conducted.

If the risk analysis shows there is a high risk of the data breach adversely affecting data subjects, personal data breach notifications must be issued. Unlike HIPAA, there is no time limit for issuing these notifications per se. The notifications should be sent as soon as it is feasible to do so and without undue delay.

Data breach notifications must be written in clear language that would be understandable to a reasonable person and the personal breach notifications need to include the same categories of information as the notification for the supervisory authority.

Personal data breach notifications for data subjects are not required if any of the following conditions are met:

  • Steps have been taken to render the personal data inaccessible or unintelligible – encryption for example
  • Steps have been taken that ensure the high risk to the rights and freedoms of data subjects will no longer materialize – the remote deletion of data on a lost device, for example
  • If data breach notifications would “involve disproportionate effort.” In such cases, a public communication – such as a press release to a prominent media organization – could be issued

The supervisory authority may require the data controller to issue notifications to data subjects even if the data controller has determined there is not a high risk to the rights and freedoms of data subjects.

The GDPR data breach reporting requirements for personal notifications are detailed in Article 34 of the GDPR.
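To make the reporting rules in this section concrete, here is an added Python example (written for this page; it is not HIPAA Journal’s code nor any regulator’s tooling) that encodes the six items the supervisory-authority report must contain, the 72-hour clock from discovery, the mandatory reason for a late report, and the risk-based decision on notifying data subjects together with the three exemptions listed above. The register field names, the sample breach and its timestamps are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

SA_DEADLINE = timedelta(hours=72)   # Article 33: notify the supervisory authority within 72h of discovery


@dataclass
class BreachRecord:
    """One entry in the controller's breach register (field names are assumptions)."""
    discovered_at: datetime
    description: str
    data_subject_categories: list          # e.g. ["patients"]
    approx_data_subjects: int
    record_categories: list                # e.g. ["names", "diagnoses"]
    approx_records: int
    contact: str                           # DPO, or the designated point of contact if no DPO
    likely_consequences: str
    mitigation: str
    high_risk_to_subjects: bool            # outcome of the post-breach risk analysis
    data_unintelligible: bool = False      # e.g. encrypted and the key was not exposed
    risk_no_longer_materializes: bool = False   # e.g. remote deletion on a lost device
    individual_notice_disproportionate: bool = False
    delay_reason: Optional[str] = None     # required only if the authority report is late


def missing_report_fields(b):
    """Names of mandatory supervisory-authority report items that are empty."""
    present = {
        "description": bool(b.description.strip()),
        "data subject categories/count": bool(b.data_subject_categories) and b.approx_data_subjects > 0,
        "record categories/count": bool(b.record_categories) and b.approx_records > 0,
        "contact details": bool(b.contact.strip()),
        "likely consequences": bool(b.likely_consequences.strip()),
        "mitigation": bool(b.mitigation.strip()),
    }
    return [name for name, ok in present.items() if not ok]


def supervisory_authority_deadline(b):
    """Latest time the supervisory authority may be notified without a delay reason."""
    return b.discovered_at + SA_DEADLINE


def report_problems_after(b, hours_after_discovery):
    """Defects in a report filed the given number of hours after discovery."""
    submitted_at = b.discovered_at + timedelta(hours=hours_after_discovery)
    problems = ["missing: " + f for f in missing_report_fields(b)]
    if submitted_at > supervisory_authority_deadline(b) and not b.delay_reason:
        problems.append("late report without a stated reason for the delay")
    return problems


def data_subject_notice(b):
    """How affected individuals are informed under the Article 34 rules above."""
    if not b.high_risk_to_subjects:
        return "none"   # the supervisory authority may still order notification
    if b.data_unintelligible or b.risk_no_longer_materializes:
        return "none"
    if b.individual_notice_disproportionate:
        return "public communication"
    return "individual"


def with_flags(b, **changes):
    """Copy of a record with some fields changed, for what-if analysis."""
    return replace(b, **changes)


# Constructed sample: an unencrypted laptop lost in transit, discovered at 09:00 UTC.
SAMPLE = BreachRecord(
    discovered_at=datetime(2019, 2, 4, 9, 0, tzinfo=timezone.utc),
    description="Unencrypted laptop holding an outpatient list lost in transit",
    data_subject_categories=["patients"], approx_data_subjects=1200,
    record_categories=["names", "appointment dates", "diagnoses"], approx_records=1500,
    contact="dpo@example-hospital.invalid",
    likely_consequences="Health data readable by whoever holds the device",
    mitigation="Loss reported to police; remote wipe attempted; staff retrained",
    high_risk_to_subjects=True,
)

if __name__ == "__main__":
    print("authority deadline:", supervisory_authority_deadline(SAMPLE).isoformat())
    print("filed at +24h:", report_problems_after(SAMPLE, 24))
    print("filed at +80h:", report_problems_after(SAMPLE, 80))
    print("data subjects:", data_subject_notice(SAMPLE))
```

For the constructed laptop loss, a report filed 24 hours after discovery passes cleanly, the same report filed at 80 hours is rejected until a delay reason is recorded, and the high-risk finding with no exemption means affected patients must be notified individually. Flipping `data_unintelligible` to true (the device was encrypted and the key is safe) drops the individual notice, which is why the risk analysis and the encryption status belong in the register alongside the six report items.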
