CZECH SUPERVISORY AUTHORITY: Since January, the UOOU has handled more than a hundred personal data security breaches.


9 June 2020 – From January to May of this year, the Data Protection Office received more than 100 reports of personal data security breaches, so-called data breaches. The organisations affected by these security incidents came from the financial sector and banking, education, healthcare and public administration, mostly municipalities.
A serious and frequent reason for a report was a phishing attack on an information system. Such incidents also affected healthcare facilities (see the recent cases in Bohemian and Moravian hospitals).

Less serious incidents included, for example, a report about a high school boy who improperly obtained and used his teacher's access credentials and subsequently modified some attendance data and results.

A significant number of security breaches were caused by insufficient instruction and poor training of staff, which leads to errors, such as careless handling of email, that expose data or allow a system to be breached (phishing attack).

From these reports it is clear that the processors of personal data do not systematically engage with the security and protection of personal data and do not pay attention to guidance on appropriate passwords. The reports also show that the level of security of access to internal systems is very uneven. Respect for data protection principles is not sufficient. The security of internet communication should be evaluated separately: many administrators do not appreciate that, for compliance with Article 24 of the GDPR, the HTTPS protocol, not a plain HTTP connection, is considered standard protection.

A positive trend is that the media has taken steps to prevent and remedy incidents and their side effects in all justified cases. The Office stresses that a remedy consists not only of eliminating the defect, but also of defining more effective future measures and, possibly, staff training on the security of personal data.

With regard to requests from processors to assess whether disciplinary proceedings are appropriate against an employee who contributed to a personal data breach, the Office stresses that this is not part of its remit. The processor as a whole, not each individual employee, is always responsible for the correct processing of personal data in accordance with the law.

In most cases, on the basis of the notifications sent (or additional information requested by the Office), the Office assessed the nature of the incidents, the way they were resolved and the measures taken as sufficient, without the need to exercise its supervisory powers.

SOURCE: DATA PROTECTION AUTHORITY OF THE CZECH REPUBLIC
