The data protection year 2021: The biggest data mishaps of 2021
It is not just the size of the fine imposed that indicates whether an incident is a serious data protection breach under the DSGVO (the General Data Protection Regulation, GDPR). A look at the data breaches that came to light in 2021 makes this clear. Companies should use these incidents to question their own data protection processes.
Unfortunately, there were more than enough examples of data breaches in 2021. It is not only the breaches that led to high fines that should be considered serious.
Looking back on the data protection year 2021, the question rightly arises as to which data mishaps were to be lamented, and which of them were particularly serious. It’s less about sensationalism and more about learning from incidents.
On the one hand, companies should always ask themselves whether this could also happen in their own operations. Third-party data breaches should be taken as an opportunity to question one’s own data protection concepts. Last but not least, reports on data protection violations should be used to make the instructions as clear as possible for one’s own employees.
But when is a data breach serious and major? The GDPR defines a "personal data breach" as a "breach of security leading, whether accidentally or unlawfully, to the destruction, loss, alteration of, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
How consequential a data breach is can then depend on many factors, such as the number of data subjects, the amount and category of data sets affected, the nature of the breach (for example, whether the data was destroyed), and whether the data was misused and for what criminal purpose.
It is already apparent that one should not look only at the amount of a possible fine, even though the competent supervisory authority will of course also examine the factors just mentioned when assessing the fine or other sanctions.
In the media or "just" the focus of regulators
If you now think of the numerous headlines in 2021 that revolved around data breaches, you might overlook a large number of data breaches that the media did not mention in detail but that were the focus of the supervisory authorities.
If you look more closely at the incidents that the supervisory authorities themselves have reported on, they naturally include the cases that made headlines. Some examples:
Case 1: The State Commissioner for Data Protection (LfD) of Lower Saxony imposed a fine of 10.4 million euros on notebooksbilliger.de AG. The company had been video-monitoring its employees for at least two years without a legal basis for doing so, the regulator said. The unauthorized cameras covered, among other things, workplaces, sales rooms, warehouses and recreation areas. "We are dealing here with a serious case of video surveillance in the company," said Barbara Thiel, the LfD of Lower Saxony. "Companies need to understand that by engaging in such intensive video surveillance, they are massively violating the rights of their employees."
Case 2: Between August 2018 and December 2019, Vattenfall Europe Sales GmbH (Vattenfall) routinely checked customers' requests for special contracts that involved special bonus payments to see whether the customers exhibited "behavior conspicuous for switching," according to the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). This review was intended to prevent customers from concluding such bonus contracts so regularly that this offer for acquiring new customers would no longer be profitable for the company.
To verify this, Vattenfall used invoices from previous contractual relationships with these customers, which must be kept for up to ten years anyway according to tax and commercial law requirements. However, it was not apparent to customers that such data matching was taking place.
After examining the matter, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) concluded that Vattenfall had thereby violated the transparency obligations under data protection law (Art. 12, 13 DSGVO), as customers were not adequately informed about the data matching process. A total of around 500,000 persons were affected. As a result, in September 2021, the HmbBfDI imposed a fine of more than 900,000 euros on Vattenfall.
Case 3: In 2021, various cases of data breaches, leaks and data protection violations by large international digital corporations also came to light. The consequences turned out to be serious in some cases, ranging from phishing scams and bullying to a case of suicide. The State Commissioner for Data Protection and Freedom of Information (LfDI) of Rhineland-Palatinate, Professor Dieter Kugelmann, explained: "The current cases show, in some cases dramatically, the importance that data protection and data security must have in digital times. If more is not done on all sides for data protection, more and more citizens could become victims of fraud attempts, cyber attacks and bullying."
Security vulnerabilities and data privacy violations
However, data privacy violations should not only be taken seriously when fines have been imposed. In 2021, there were also cases of possible data breaches related to prominent security vulnerabilities that (so far) have not resulted in sanctions.
One example was the security vulnerabilities in the widely used mail infrastructure "Microsoft Exchange Server". The Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) requested that the available security patches be installed immediately. This urgent notice was based on the obligation of controllers of vulnerable systems to ensure the security of processing under Article 32 of the GDPR.
Dr. Lutz Hasse, Thuringian State Commissioner for Data Protection and Freedom of Information, also addressed possible data mishaps: "Please also check whether malicious code has already been installed. Identified data breaches must be reported to the TLfDI in accordance with Article 33 of the GDPR. Furthermore, it must be checked whether the data subjects must be notified."
The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information (LfDI) received a dozen inquiries and reports of personal data breaches (data breach reports) under Article 33 of the General Data Protection Regulation (GDPR) within a short period of time due to security vulnerabilities on Microsoft Exchange servers.
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg stated the same thing: "If the exploitation of the vulnerability is detected during the check of the systems, it must generally be assumed that there is an obligation to report to the supervisory authority. Only in atypical constellations will there be no risk to the rights and freedoms of data subjects. Any waiver of notification should be justified and documented."
The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen (LfDI) had also received a significant number of corresponding notifications of personal data breaches. It advised all operators of Microsoft Exchange Server infrastructures that, if not already done, immediate action must be taken to close the vulnerabilities and check for compromise of the systems.
In addition, she pointed out the obligation of data controllers (operators) to notify personal data breaches under Article 33 of the General Data Protection Regulation (GDPR). This already applies when a compromise has occurred, even if no leak of personal data has occurred or none could yet be detected.
Current example: vulnerability in Log4j
Another example from 2021: The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) informed about the acute need for action regarding the vulnerability in the Java library Log4j. While the Log4j vulnerability is present, the security of processing pursuant to Art. 32 GDPR is no longer fully guaranteed for the systems concerned and, where applicable, beyond them. It is the responsibility of the controller to restore the security of the processing, the supervisory authority said.
Closing the vulnerability alone would not be sufficient in this case. Those responsible would additionally need to check whether successful attacks have already occurred. If so, further action must be taken, and it must be considered whether a personal data breach notification under Art. 33 DSGVO has to be filed with the HBDI.
The Bavarian State Office for Data Protection Supervision said: Because of the increased risk situation, Bavarian data controllers must, in order to comply with their data protection obligations, immediately check whether their IT systems and applications are affected by the Java security vulnerability Log4Shell. If a security breach has already occurred, e.g. because the vulnerability has been actively exploited, and if IT systems containing personal data are affected, then under Art. 33 DSGVO controllers are as a rule obliged to notify the competent data protection supervisory authority.
As it turns out, there were unfortunately more than enough examples of data mishaps in 2021. It is not just the data breaches that resulted in hefty fines that should be considered serious. Publicly known security vulnerabilities can also lead to data breaches and reporting obligations, even if no fine proceedings have resulted from them yet. Failure to report under the GDPR may itself constitute a breach of the GDPR and lead to sanctions.