
Inadvertent Data Destruction after a cyberattack can violate EU privacy rules

The Irish Data Protection Commissioner has ruled that companies could violate European privacy laws through Inadvertent Data Destruction

The Irish Data Protection Commission (DPC) has ruled that companies could violate European privacy laws if they mishandle personal data after a cyberattack. The ruling came in response to a complaint filed by the Irish DPC against several insurance companies that mishandled customer data after suffering from ransomware. The decision is making waves because it expands the scope of European privacy laws: it forces businesses to reevaluate how they handle customer data and how they respond to breaches that occur after an attack has taken place. Based on this ruling by the Irish DPC, accidental data deletion following a cyberattack can violate EU privacy laws.

If a firm encounters a cyberattack and unintentionally deletes personal data, this may result in a GDPR breach.

The General Data Protection Regulation (GDPR) establishes rules for processing personal data, including safeguarding personal information against unauthorized access, loss, alteration, or disclosure. A breach of the GDPR may occur if a firm suffers a cyberattack and unintentionally deletes personal data, especially if the organization did not take appropriate precautions to protect the data in the first place. Businesses are also required under the GDPR to notify the appropriate supervisory authority of a personal data breach within 72 hours of becoming aware of it. A company that fails to report a data breach or to implement sufficient safeguards for personal data may face significant penalties and other sanctions from the supervisory authority. To prevent cyberattacks and reduce the chance of accidental data destruction, businesses must have strong data protection policies and procedures in place.

Inadvertent data destruction, particularly in the case of health data, can have serious implications for individuals.

Under the GDPR, health data requires an exceptionally high level of security. In the case of Centric Health Ltd (Centric), a Dublin-based medical group, apart from the data that was destroyed, patient files were unavailable following the cyberattack in about 70,000 cases, according to the Irish panel. The provision of medical care to data subjects could be hampered by the “unauthorized erasure of such personal data,” according to Ms. Helen Dixon of the Irish DPC. She further mentioned that the company Centric contracted to carry out a forensic investigation into the incident reported that crucial logging data was destroyed while the infected machine was being reinstalled. This made it harder to establish key facts, such as when specific accounts were attacked and whether personal data was stolen.

Assessing the security of its servers and implementing sufficient safeguards to ensure that backups remain available is necessary for the security of personal data.

A representative for the healthcare organization Centric stated in an email this week that it took action to recover the destroyed patient data and notified the Irish regulator and the impacted patients. Centric provides treatment to about 400,000 patients in Ireland. The statement said, “We want to reassure them that the deleted data was reconstructed and that there was no negative impact on their health treatment.” According to the judgment, the medical provider also failed to assess the security of its servers and implement enough safety precautions to ensure that backups would be available. This is highly recommended for the security of personal data. The regulator also claims that Centric departed from its usual procedure of storing backups off-site. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia provides Data Protection Officer outsourcing, GDPR and Data Protection Act 2018 consultancy services, and Telecom Regulatory Consultancy. We can help your company get on track towards full compliance. Contact us today.
