Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere

On 26 April 2021, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) handed down its first fine specifically for cybersecurity failures.

This decision follows others where the Litigation Chamber considered cybersecurity failures as a factor among others (see e.g. decision of 22 January 2021), and it should serve as a signal for other organisations: all controllers and processors must ensure that the technical and organisational measures they have taken to keep personal data secure are appropriate. Otherwise, the bill could be magnitudes higher than the cost of implementing such measures. Fines across the European Union and in the United Kingdom for cybersecurity failures are often in the hundreds of thousands or even millions of Euros, with the more limited ones (such as this one, at 100,000 EUR) often linked to what could be viewed as limited cybersecurity failings – or a limited number of known affected data subjects. If an organisation fails massively at cybersecurity, a massive fine may be forthcoming.

Put differently, cybersecurity is not a sunk cost – it is a good and necessary investment. It is a crucial safeguard for the business, a sales argument as well in many cases but also a great way to limit the cost of (inevitable) incidents and to mitigate fines for inadequate measures. 

A) Facts: limited access, but no way to verify proper usage

The case in question related to access within a financial institution to the Central Credit Register operated by the Belgian National Bank. According to the text of the decision, the financial institution in question made two means of access to the register available to employees based on their seniority (one for regular staff and another for managers). The first method registered who used the system in question. The one for managers did not; according to the financial institution, (only) five individuals had access to the register in this manner – all using one same password.

TIP: If you have a similar approach in your organisation, it may be necessary to re-evaluate it. If one unique password gives access to a system and the user’s identity is registered, you will not know who exactly is using the system – which one of the authorised users, but also whether it is an authorised user or an unauthorised user. 

In this particular case, one or more of the five individuals in question accessed a woman’s file in the register no less than 20 times over the course of two years. In the absence of any registration of which individuals were accessing the register at each of those times, however, it was not possible to pinpoint who exactly had done so.

The facts suggest a straightforward answer, as at the time, the woman’s ex-husband was among the five individuals in question and he and she were in the process of liquidating their joint estate following their divorce. The woman suspected the ex-husband of having used this access to the database to obtain information that then gave him the upper hand in the liquidation process and filed a separate complaint before the BDPA against him individually. No decision has to date been published in that respect.

TIP: Did you know that access by an authorised user for unauthorised purposes (i.e. abuse of access rights) can be considered to be an “abuse of confidence” under criminal law rules? Always consider this as well as labour law consequences if there is a need to file a complaint of your own (e.g. where required under your insurance policy).

The complaint against the financial institution, therefore, focussed not on whether this was a wilful breach of data protection law by the ex-husband but on whether the financial institution had taken appropriate measures to “ensure a level of security appropriate to the risk”, as required by Article 32 of the General Data Protection Regulation or GDPR.

B) Absence of logging = blatant violation? 

According to the Litigation Chamber, “the absence of any system for access control of managers” in this case was a “blatant violation” of Article 32 of the GDPR, in particular because the data accessible through the system was “sensitive financial data”. This nature meant that the risks to the fundamental rights of data subjects were high, such that the measures taken had to be “all the more appropriate”.

The lack of logging or other security measures was also viewed as preventing data subjects from exercising their right of access concerning the (unlawful) processing carried out, since the financial institution did not keep any evidence of such processing.

TIP: Always think of the broader consequences of a given measure before putting it into effect. Regarding logs, for instance, there is no legal requirement for your organisation to generate and maintain logs for any given period of time (six months, five years, etc.). However, not logging can be an issue as illustrated here, and removing logs too soon may lead to the destruction of useful evidence – even if this was done for the right reasons (e.g. in the name of storage limitation or data minimisation).

Not all was bad – there were measures to limit access (‘only’ five individuals, later limited to two individuals). However, the Litigation Chamber considered those measures to be insufficient, as the financial institution was not capable of monitoring who had access and if such access was in line with the purposes decided by the institution. 

Without appropriate security measures to ensure the existence and effectiveness of procedures to control both staff and managers in their access to the processed data, the Litigation Chamber found that the financial institution was in breach of (i) its obligation to ensure the security of its processing activities (Article 32 of the GDPR), (ii) its obligation to comply with the principles of data protection by design and by default (Article 25 GDPR) and (ii) the accountability principle (Article 5(2) and 24 GDPR).

C) DPO and CISO roles can be compatible if purely advisory

The BDPA previously adopted positions on the role of DPO that were regularly commented throughout the European Union, in particular a decision in which the BDPA’s Litigation Chamber ruled “that the role of head of a department is […] incompatible with the role of DPO” because the DPO cannot carry out any independent supervision of such a department, even though the departments in question (e.g. Risk) had an advisory function.

In its newest decision, the Litigation Chamber appears to have tempered its vision somewhat, accepting that the DPO at the financial institution could combine the role of DPO with a role as CISO (i.e. Chief Information Security Officer). The reasoning of the Litigation Chamber is that this particular CISO role is a purely advisory role:

the CISO “presents to the Management of the company the risks and their importance and […] it befalls Management to decide whether the measures put in place are sufficient to mitigate the risks”;
“in case of disagreement between [the CISO] and Management regarding the measures taken and notwithstanding the comments submitted to [Management], it is not [the CISO]’s decision to make”;
“security measures fall within the scope of the IT department, not that of the CISO”.

The Litigation Chamber has attempted here to reclassify its previous decision as one in which the DPO “was simultaneously in charge of various operational departments”, which appears to be a skewed vision of the previous decision. In particular, it is unclear to us why the “Risk” role from the previous decision should be treated any differently from the “CISO” role described in this new one.

In any event, the new reasoning appears to be more convincing than the previous one and will bring comfort to many organisations with DPOs combining advisory roles – in particular those where the DPO also acts as (advisory) CISO.

Finally, according to this new decision, the fact that a DPO responded to a complaint by using the word “we” to refer to the company (“we have naturally taken measures”, “we have apologised” etc.) is not a breach of the DPO’s independence. This will again reassure a range of organisations – but it is unclear whether it is a shared position within the BDPA: we have seen instances in which the BDPA’s very own Inspection Service questioned the independence of a client’s DPO for answering “we” in a letter. At least, now such a criticism will not require a lengthy legal argument to rebut – a simple reference to this particular decision should suffice.

D) Outcome: fine and order to comply

Based on its findings of non-compliance with the requirements of Article 32 GDPR, the Litigation Chamber imposed a fine of 100,000 EUR (the second-highest fine to date in Belgium after Google’s 600,000 EUR fine regarding the right to be forgotten). 

Beyond the financial institution’s turnover, various factors were relevant in reaching this amount. First, the processed data was deemed to be of a sensitive nature (financial data relating to creditworthiness), which meant as indicated previously that the measures taken had to be “all the more appropriate”, because of the high risks to the fundamental rights of data subjects. Other factors included (i) the long period over which the processing operations were carried out, (ii) the high number of times the processing operations were carried out (20 times for one data subject), (iii) the limited number of additional measures taken since the incident to reinforce the security of processing operations and (iv) the risk of further unlawful processing operations if there had been no complaint.

One aspect to note here, and which may resurface if the financial institution appeals the decision, is that the period covered by the infringement started well before the GDPR became applicable: the “long period” in question, taken into consideration when setting the amount of the fine, went from April 2016 to August 2018; likewise, it appears that at least some of the 20 instances of access to the data subject’s data predated the GDPR. It seems fair in these circumstances to wonder whether the Litigation Chamber would have also imposed a 100,000 EUR fine if it had only examined the instances of access between 25 May 2018 and August 2018.

E) What is going on elsewhere (UK and EU authorities)

While the amount of the fine may be significant compared to previous fines in Belgium, it is relatively low compared to fines from other countries.

Part of this may be related to the limited scope of the infringement (only one known case, due to the link with only one complaint), but part may have to do with the approach of each supervisory authority.

Looking beyond Belgium, some of the highest fines imposed to date for GDPR infringements were directly attributable to – according to the relevant authorities – non-compliance with the requirements of Article 32 of the GDPR.

For instance, in October 2020 the UK authority, the ICO (Information Commissioner’s Office) imposed fines of 22 million GBP and 20.5 million GBP on British Airways and Marriott International respectively for security failings (the former for failing to protect the personal and financial details of more than 400,000 of its customers following a supply chain attack; the latter as a result of insufficient monitoring of privileged accounts, databases and lack of control of critical systems).

The Swedish authority (Datainspektionen) also imposed in December 2020 a 3 million EUR fine on the Capio St Görans hospital (i) for failing to carry out a risk analysis before granting staff permissions to access patient records and (ii) for not limiting such permissions to what was strictly necessary for users to perform their duties. Moreover, the Bulgarian authority imposed in August 2019 a 2.6 million EUR fine on the National Revenue Agency (i.e. the tax authorities) for lack of logical access controls for access to personal data of 6 million individuals.

In the Netherlands, there have also been various fines for cybersecurity failings, with a particular focus on hospitals (fines of 440,000 EUR and 460,000 EUR in first instance).

So depending on how you look at it – in absolute terms or as a fine related to one data subject – this Belgian fine may look like a bargain (100,000 EUR versus multi-million fines) or an extremely expensive fine (the British Airways fine amounts to 55 GBP per data subject affected).

Either way, this international trend - issuing (high) fines for inadequate measures - reinforces our earlier point that cybersecurity is not a cost but a worthwhile investment.

F) What your organisation should do

With the above in mind, we can draw certain practical recommendations from the Litigation Chamber’s decision:

  • Check carefully and regularly your security policy, to ensure that your cybersecurity measures are (and remain) adequate and proportionate to the risk the processing poses to the fundamental rights of data subjects;
  • Where systems do not yet have logging enabled, check whether logging could be useful; where there is logging already, ensure it collects all the information that can be useful for evidence purposes and that the retention period is aligned with the risks;
  • If there is a data breach or any other incident, take (immediate) appropriate measures to remedy the risk and/or to limit the risk of future similar incidents, and document them.