It is claimed that the institution itself only learned about the breach in April, while the data subjects were informed even later – at the end of May. Naturally, the public was not only surprised but also outraged as to why there was such a long delay in informing about the data security breaches.
What obligations related to notification does the GDPR provide and how were they implemented in this case?
What general obligation does the GDPR provide?
The General Data Protection Regulation stipulates that individuals should be notified of a breach “without undue delay,” i.e., as soon as possible. The purpose of such notification is to inform individuals about what actions they should take to protect themselves. In this case, data subjects were informed only after more than a month, which clearly is not without undue delay. So, what exceptions does the GDPR provide?
There is no high risk to rights and freedoms
First of all, data subjects may not be informed at all if the breach does not pose a high risk to their rights and freedoms. But could this be the case here?
Although many reports emphasize that such data as contact details (phone number or email address), passwords, or payment data were not leaked, the data protection breach should not be taken lightly.
First of all, personal identification numbers were leaked. Although they are not considered special category personal data, personal identification numbers are unique identifiers for each individual, which cannot be changed like a password. Accordingly, stricter security requirements apply to them.
What happens if all leaked data are “combined”?
When assessing a data leak, it is important to evaluate not only what consequences may arise from leaking specific data, e.g., an address, but also what could happen if those data are combined with other data previously leaked.
There have already been incidents where data such as first name, last name, contact details, and similar were disclosed. When all this is combined, it can be assumed that someone may have, for example, your first name, last name, personal identification number, email address, and residential address. If you do not know that the Registry Center’s data have been leaked and you receive an email containing not only your first name and last name but also your personal identification number and residential address, the likelihood of a successful fraud attempt increases significantly.
It should be noted that in the case of the recent incident, there are no known cases of fraud or attempts to sell or publicly disclose the data. The question arises whether the breach was caused by cybercriminals. Personal identification numbers, addresses, real estate, and other data of politicians and state officials were leaked, so it is natural to think that the breach could also be related to an attempt against national security.
In this case, it is clear that the delay in informing data subjects was certainly not because their rights and freedoms were not at risk.
Notification is not required due to implemented technical measures or disproportionate efforts
Article 34(3) of the GDPR provides three exceptions when notification to data subjects about a breach is not necessary:
- When appropriate protective measures were taken before the breach. For example, the data controller applied measures (e.g., encryption) that make the data unintelligible to unauthorized persons. This exception does not apply here because the perpetrator could access all the information provided in the Registry Center’s extracts.
- Measures are taken immediately after the breach to prevent a high risk to the rights of the subjects. For example, the person who intercepted the data is promptly identified and actions are taken against them. This exception also cannot be applied because the Registry Center only learned about the breach after almost 3 months.
- Disproportionate efforts. In such a case, direct notification is replaced by a public announcement or another similar effective measure. The Registry Center provided users with the opportunity to check for data leaks in self-service, but it remains unclear why this was done only after more than a month.
Requirement to act according to lawful instructions from authorities
The Registry Center and the Government justify the delay in informing data subjects by instructions from the General Prosecutor’s Office and an ongoing pre-trial investigation, so the recitals of the GDPR are important in this case. Recital 86 of the GDPR provides that notifications to data subjects must be made as soon as possible, but in compliance with guidance from the supervisory authority or other relevant authorities, such as law enforcement bodies.
Recital 88 adds that “due regard should be given to the legitimate interests of law enforcement authorities where early disclosure of information could unduly prejudice the investigation of the circumstances of a personal data breach.” Assessed formally, the delay in informing data subjects may be justified.
However, this exception applies only when disclosure would harm the investigation. It remains unclear whether informing the public about 600,000 leaked records (names, surnames, personal identification numbers, and addresses) and urging caution would indeed have been unnecessary, harmful to the investigation, and whether it was objectively impossible to inform the public earlier. These important public questions will likely remain open until the pre-trial investigation is completed and the State Data Protection Inspectorate (VDAI) decision is made, revealing the causes and consequences of the incident.
What to do now?
The incident showed that there are still many technical and organizational security gaps. This could be a reminder not only to the Registry Center but also to other institutions that perhaps it is time to conduct a GDPR and IT audit, identify gaps, and implement additional security measures.
People should remember these tips:
- Be extremely cautious about potential fraud attempts. When receiving an email, message, or call from a government institution, bank, or other organizations, evaluate them very carefully. Even if the message contains your first name, last name, and address, do not trust the message blindly. Check the sender’s address or contact the institution through their official contact details to confirm the message’s authenticity.
- Carefully monitor account logins and payments, and if suspicious activity is noticed, take appropriate actions immediately – block bank cards, change passwords, use two-factor authentication.
- Share information about the breach and possible fraud attempts with others, especially elderly people, and help them assess received emails or messages if needed.
- Repeat these steps not only a week after the breach but also months or even years later.
The more time passes, the more likely it is to forget how much data about you someone may have collected. After some time, when there are no longer many public reports about the incident, it is even more important to remember that someone may have a whole block of your personal data and try to misuse it.