Ransomware: attacks on the rise

Legal Watch No. 51 – September 2022.

The news this autumn brings us back to a recurring concern of data controllers: security breaches.

The cyberattack on the Essonne hospital and the dissemination of several gigabytes of patient data remind us how important it is to take all necessary measures to protect ourselves against such attacks.

These facts reflect a constant trend of increasing attacks across Europe.

The CNIL thus reports a 79% increase in data breach notifications in 2021 compared to 2020 (5,037 in 2021), with more than 2,150 notifications of breaches resulting from a ransomware attack received in 2021, or 43% of the total volume.

Furthermore, half of the sanctions imposed by the CNIL last year targeted breaches of data security obligations.

This month of October is therefore an opportunity to take stock of essential security measures, as the CNIL and ANSSI invite us to do as they launch their “Cybermonth” awareness campaign on ransomware.

This campaign is the French version of the European ECSM cybersecurity campaign, supported by the majority of European countries and by the European security agency ENISA.

Let us first recall the recommendations of the CNIL, which lists the different stages of managing the security of data processing, including:

  • The inventory of data processing operations and their supports (hardware, software, communication channels, paper media);
  • The assessment of the risks generated by each processing operation and of their potential impacts on the rights and freedoms of the persons concerned (in particular when sensitive data is processed);
  • Sources of risk (human and non-human sources);
  • Realizable threats, i.e. possible triggering events (e.g. vandalism, natural wear and tear, full storage unit, denial of service attack);
  • Existing or planned measures to address each risk (e.g. backups, encryption), proportionate to the risks;
  • The seriousness and likelihood of the risks, in light of the preceding elements.

ANSSI provides details on essential safeguard measures:

  • Provide automatic backups, disconnected from the network;
  • Test backups regularly;
  • Prepare a business continuity plan (BCP);
  • Provide a crisis unit;
  • Exercise a crisis mechanism.

The agency also reiterates its advice for caution regarding unsolicited emails, particularly when they contain an attachment:

  • Do not trust any phone numbers or hyperlinks mentioned in the message;
  • Check the sender's address by clicking on it, and call the sender through your usual contact details rather than replying to a suspicious message.

In the event of a data breach, appropriate measures must be taken immediately to stop the breach and limit the impact on the individuals concerned.

In the event of a ransomware attack, ANSSI recommends activating remediation measures and the crisis response system, then alerting the relevant authorities (police, gendarmerie, ANSSI) before seeking technical assistance.

If you suspect an intrusion, you can find useful information on the website of the Government Centre for Monitoring, Alerting and Response to Computer Attacks, and on the government website dedicated to cybercrime.

Finally, remember that under the GDPR, the controller must notify the CNIL of the breach within 72 hours of becoming aware of it.

Where the data leak is likely to pose a high risk to the rights and freedoms of the data subjects (for example, in the event of the theft of sensitive data such as health data), the data subject must also be informed individually.

The CNIL is organizing two webinars on October 18 and 21, respectively, on passwords and the security of artificial intelligence systems. Registration is required. Details can be found on its website.

And also

France:

On September 8, the CNIL imposed a penalty of 250,000 euros on the GIE INFOGREFFE, which operates the official service for disseminating legal information on companies via its website. Infogreffe is sanctioned for failing to meet several GDPR obligations regarding retention periods and the security of personal data.

Artificial Intelligence: the Council of State pronounces on the governance of the future European regulation, and publishes two studies on the subject.

– In its document of August 30, 2022, the Council of State addresses the issue of the quality of public service and lays the foundations for a French strategy for AI.

It encourages, among other things, strengthening the powers of the CNIL and making it formally responsible for regulating AI systems.

– The Council of State also looked into the regulation of social networks in the context of the development of AI.

On September 27, it published a study formulating 17 recommendations for rebalancing the forces in favor of users, equipping public authorities in their role as regulator and thinking about the social networks of tomorrow.

The Council of State also proposes creating a strengthened inter-ministerial hub to bring together the State's various areas of expertise in this field.

Europe:

On 16 September 2022, the European Data Protection Supervisor (EDPS) filed a lawsuit concerning two provisions of the new regulation which retroactively allow the Europol agency to process citizens' data even without an established link to criminal activity.

The EDPS has asked the Court of Justice of the European Union to annul the two provisions of this regulation, which entered into force on 28 June 2022.

In the second edition of its TechSonar newsletter, the EDPS selects five emerging trends, examining:

  • the detection of 'fake news',
  • central bank digital currency,
  • the Metaverse,
  • “federated learning” and “synthetic data,” two topics related to artificial intelligence.

Towards greater accountability in AI?

The European Commission's proposal for a revision of the Product Liability Directive aims to adapt the EU's liability regime to the digital age.

An additional directive has been proposed, targeting specific harms caused by artificial intelligence.

Liability would continue after the product's market launch, covering software updates, failure to address cybersecurity risks and machine learning.

In other words, developers would remain liable for AI systems that learn autonomously, and for updates after deployment, or the lack of them.

GDPR may be considered in the context of competition cases: on September 20, the Advocate General of the CJEU, Mr. Rantos, issued an opinion according to which the GDPR can be taken into consideration by competition authorities when they assess Meta's dominant position on the market.

MEPs visited the Irish data protection authority between 21 and 23 September and do not seem entirely satisfied with their trip: the delegation of the Parliament's Civil Liberties Committee (LIBE) expressly wished to examine the implementation and application of the GDPR, in particular the functioning of the "one-stop shop" mechanism.

The head of the delegation described the Irish data protection authority as "a bottleneck of the single window mechanism", adding that "an independent review of the DPC's procedures and actions would be useful."

On September 13, members of the digital rights group EDRi met with the European Data Protection Board (EDPB) to discuss possible improvements to the application of the GDPR.

EDRi points out that the lack of harmonization of national provisions and cross-border cases are not the only problems.

According to the NGO, there are multiple national cases where complaints and violations of the GDPR have not been properly handled by supervisory authorities, notably due to a lack of resources.

Problems encountered included refusal to follow up on a complaint, unexplained delays in processing a complaint, lack of status updates, and difficulties in filing a complaint in the first place.

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) fined a retail group €525,000 for breaching Article 38(6) of the GDPR due to a conflict of interest of its DPO: the DPO was also a director of the company and thus monitored decisions he himself had taken in that capacity.

On the same subject, the Icelandic Data Protection Authority considered that there was a conflict of interest when a DPO was simultaneously a senior lawyer, deputy general manager or member of the board of directors of a company.

A DPO can, however, hold the position of compliance officer.

It should be noted in this regard that the designation and function of the DPO will be the subject of the next coordinated enforcement action of the European Data Protection Board (EDPB).

The Karlsruhe Chamber of Commerce overturned a decision of the Baden-Württemberg Chamber of Public Procurement holding, among other things, that the mere fact that a data processor is a subsidiary of a commercial group from a third country does not call into question the processor's commitment to process personal data exclusively in the European Economic Area.

The Romanian DPA fined a publisher €5,000 for lack of adequate technical and organizational measures, after two data breaches that affected 10,739 of its (former) customers and 100 of its employees and partners.

The Spanish DPA concluded that a controller had violated Article 6 of the GDPR after posting a photo on Instagram without a valid legal basis.

The DPA imposed a fine of €10,000 on the controller.

The Danish DPA found that a political party had a sufficient legal basis under Article 6(1)(f) of the GDPR to investigate one of its members for alleged sexual violence.

However, it reprimanded the controller and the processor for not having informed the data subject of the processing as required by Article 14(2)(b).

The Belgian DPA fined a medical laboratory €20,000 for breaching several obligations under Articles 5(1)(f) and 35(3) of the GDPR due to the absence of a security and confidentiality policy on its website and the non-existence of a data protection impact assessment (national decisions recorded by GDPRhub).

The UK-US Data Access Agreement, which allows investigators from either country to access electronic data relating to serious crimes, came into force on October 3.

The text allows British and American law enforcement agencies to request data held by telecommunications providers in their respective jurisdictions.

Swiss messaging companies Proton and Threema have signed, alongside other foreign companies, a charter requiring them to collect as little data as possible and to encrypt messages. The goal is for other tech players to join in.

International:

According to a new UN report (Human Rights Office) of September 16, 2022, the right to privacy of individuals is under increasing pressure due to the use of networked digital technologies.

According to the report, these technologies constitute formidable tools of surveillance, control and oppression, which require effective regulation based on law and international human rights standards.

The report looks at three key areas:

  • The misuse of spyware by public authorities,
  • The key role of strong encryption methods in protecting human rights online,
  • The consequences of widespread digital surveillance of public spaces, both offline and online.

The Indonesian House of Representatives adopted its bill on the protection of personal data.

Google's "Results About You" tool, designed to simplify the process of removing search results containing personal information such as an email address or phone number, is beginning to be rolled out, according to a report from the company.

Google announced this feature earlier this year, stating that it would soon be available in the Google app.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
