Security, data leaks and ransomware

Security, data leaks and ransomware: attacks to be taken seriously.

Legal Watch No. 32 – February 2021

At the end of February the press reported a massive data leak in the medical sector.

Sensitive information about more than 500,000 people, including blood types and social security numbers, was sold on a specialist forum before being freely published on the internet.

Also included in this data list are the usernames and passwords that allowed these patients to connect to the medical centers and analysis laboratories affected by the data leak.

A judicial investigation is underway, and both ANSSI and CNIL have taken up the case.

The seriousness of the data breach lies as much in the number of people affected as in the sensitive nature of the data.

This is an opportunity to take stock of the measures to be taken to respond to such attacks, and above all, to protect ourselves against them in advance.

Several guides have been published by the CNIL, the ANSSI and the Ministry of Justice to help data controllers protect themselves against such security breaches, whether they stem from an internal failure or from a ransomware attack.

The recommendations published in particular by the CNIL list the different stages of managing the security of data processing.

In essence, it is appropriate to:

  • Identify the data processing operations and their supports (hardware, software, communication channels, paper media).
  • Assess the risks generated by each processing operation and identify the potential impacts on the rights and freedoms of the persons concerned in the event of illegitimate access to the data, unwanted modification of the data, or loss of the data.

When special categories of data are processed, such as health data, the impact of a data breach on the data subjects is even greater.

Such processing therefore requires a thorough risk assessment.

  • Identify the sources of risk (human and non-human).
  • Analyze the feasible threats, i.e. the possible triggering events (e.g. vandalism, degradation due to natural wear and tear, a full storage medium, a denial-of-service attack).
  • Identify the existing or planned measures to address each risk (e.g. backups, encryption). Measures must be proportionate to the risks. When the data being processed is sensitive, a particularly high level of security must be guaranteed. Storing passwords in plain text in the controller's files should therefore be prohibited: passwords must be stored only as salted hashes computed with a slow, password-specific function (not reversibly encrypted, since an encryption key stored alongside the data gives an attacker the plaintext back), and strong authentication measures must be adopted.
  • Assess the severity and likelihood of the risks in light of the preceding elements.
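The password point above is the one part of this guidance a developer can check mechanically. The following Python example is added here to illustrate it and is not code from the CNIL guidance or from any of the laboratories concerned: it stores each password as a salted scrypt hash in a self-describing record, verifies a login attempt in constant time, and audits a constructed, in-memory credential table for entries that are still plain text. The cost parameters and the record layout are assumptions chosen for the example.

```python
"""Salted, slow password hashing instead of plain-text (or reversibly encrypted) storage.

Added example written for this note; uses only the Python standard library.
The credential table at the bottom is constructed sample data, not real users.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed scrypt cost parameters: 128 * N * r bytes of memory (16 MiB here).
# Tune upward for production hardware; the point is that the function is slow.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DIGEST_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt hex>$<digest hex>.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and precomputed tables are useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare.

    hmac.compare_digest avoids leaking how many leading bytes matched through timing.
    """
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2,
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_plaintext_records(records: Dict[str, str]) -> List[str]:
    """Return the usernames whose stored credential is not an scrypt record.

    This is the check a controller would run over an exported credential table
    to find accounts still protected by plain-text or legacy storage.
    """
    return [user for user, stored in records.items() if not stored.startswith("scrypt$")]


if __name__ == "__main__":
    # Constructed sample table: one legacy plain-text entry, one migrated entry.
    table = {
        "patient-0001": "Lab2020!",              # plain text: must be flagged
        "patient-0002": hash_password("Winter-Flu-21"),
    }
    print("Accounts still in plain text:", audit_plaintext_records(table))
    print("Correct password accepted:", verify_password("Winter-Flu-21", table["patient-0002"]))
    print("Wrong password rejected:", not verify_password("Winter-Flu-22", table["patient-0002"]))
```

Migrating an existing plain-text table is done at next login: verify the old value, replace it with `hash_password(...)`, and never write the plain text back. Reversible encryption is not a substitute, because a breach of the application server usually exposes the key together with the ciphertext.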

In the event of a data breach, appropriate measures must be taken immediately to stop the breach and limit the impact on the individuals concerned.

The data controller must also notify the CNIL of the breach within 72 hours of becoming aware of it.

It also has an obligation to inform the persons concerned individually when the data leak is likely to create a high risk for their rights and freedoms. This is the case when sensitive data such as health data is involved.

In the case of the massive data leak that occurred at the end of February, the persons affected must therefore be informed.

The damage can be extremely serious for patients whose medical care may be affected, but also for data controllers, whose reputation and very business are at stake.

The CNIL points out that the number of data breach notifications rose by 24% in 2020, and that the number of breaches linked to ransomware (cryptolocker) attacks on healthcare establishments (hospitals, EHPADs, nursing homes, laboratories, etc.) tripled in one year.

Furthermore, two-thirds of the sanctions imposed by the CNIL concern breaches of data security obligations, a trend reflected throughout Europe.

And also

France:

The “tousanticovid” application is evolving to integrate a user alert system in view of the possible reopening of sports halls, restaurants and performance venues.

The CNIL, which received the draft decree, generally gave a positive assessment, while requesting that the system for recording visits should only be mandatory for places presenting a high risk (barrier measures difficult to implement) and that it should not be made mandatory in places where attendance is likely to reveal sensitive data (such as places of worship).

Following the publication of its guidelines on the use of cookies last October, the CNIL has reminded organisations that the deadline for compliance expires at the end of March.

It sent a letter to two hundred public bodies as well as to the main private players, emphasizing in particular the need to allow the user to accept or refuse cookies with the same degree of simplicity (the "configure" button often present in banners does not meet this requirement).

Europe:

  • Belgium: the Data Protection Authority has published a detailed guide on data erasure and data media destruction techniques, a step too often neglected when disposing of computer equipment.
  • United Kingdom: the European Commission has published a draft decision finding that the level of protection the United Kingdom guarantees for the processing of personal data is equivalent to that of the European Union.

If the European Data Protection Board and representatives of the Member States support this assessment, data transfers to the United Kingdom can continue without additional conditions.

It should also be noted that the European Data Protection Supervisor issued an opinion on 22 February in which it reiterated that, as a fundamental right, data protection is not negotiable in the context of trade agreements between the European Union and the United Kingdom.

  • Europe – ePrivacy: after four years of negotiations, EU member states have finally adopted a common position on the protection of electronic communications.

The ePrivacy Regulation is expected to update the current directive by specifying, among other things, the rules for the confidentiality of communications, the protection of metadata, and the rules applicable to cookies and other trackers.

The text still needs to be discussed in the European Parliament, and its final version will enter into force two years after its publication.

  • Europe – health passport: the European Commission announced on March 1 that it is preparing a proposal for a common passport for member states, which would facilitate the movement of people in the current context of the pandemic.

This passport would include personal data on vaccination, acquired immunity or tests carried out by the person concerned.

The Commission assures that measures will be taken to prevent any discrimination or abuse related to the privacy of the persons concerned.

International:

UNITED STATES: after California, around ten American states are preparing legislation on the protection of personal data, including New York State and Washington State.

Generally speaking, these laws provide less extensive rights for users than the GDPR, and prefer to grant them the right to object to the processing of their data rather than asking for their prior consent.

In any case, they have the merit of improving the transparency of data processing and of granting American consumers recourse.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
