Penalty for inadequate safeguards for level of risk of customer data breach

On December 18, 2018, Morele.net sp. z o. o. (the “Company”) disclosed that there had been unauthorized access to its customers’ personal data, including email addresses, phone numbers, names and passwords in the form of hashed strings (hashes). Two days after the Company issued an announcement about the data leak, the intruder reported that he was in possession of the data of 2.2 million customers, including tens of thousands of PESEL numbers and several thousand scans of ID cards.

In a decision dated September 10, 2019, b, letter d, Article 32(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“RODO”) (Decision No. ZSPR.421.2.2019).

The PUODO, on the basis of the evidence gathered, determined that in processing personal data the Company, as a controller, violated the principle of data confidentiality and integrity expressed in Article 5(1)(f) of the RODO: it failed to ensure an adequate degree of security and confidentiality of the processed personal data because it did not implement the necessary technical and organizational measures. In the PUODO’s opinion, the violation of this principle resulted from the Company’s use of ineffective authentication measures that did not ensure sufficient confidentiality. According to available information, the Company’s only authentication measure was a login and password.

In the justification for the decision, the PUODO stressed that access control and authentication are basic security measures protecting against unauthorized access to an IT system used to process personal data. In addition, it pointed out that the selection of appropriate technical and organizational measures should be guided by the state of technical knowledge and by market conditions (the market acceptability of a given technical solution). In the decision, the PUODO recommended that the Company monitor on an ongoing basis the applicable standards and norms, particularly ISO standards, which change constantly in step with technological progress.

The PUODO additionally referred to the recommendations of the European Network and Information Security Agency (ENISA), recommending that the Company: use a multi-factor authentication (MFA) mechanism for systems that give access to personal data; monitor potential threats to the rights and freedoms of data subjects; implement a procedure for responding to adverse events such as unusual network traffic; and regularly test, measure and evaluate the effectiveness of the technical and organizational measures intended to ensure processing security.

The Company appealed the PUODO’s decision to the Provincial Administrative Court in Warsaw (“WSA in Warsaw”), claiming, among other things, that the authority had violated procedural rules by failing to conduct a comprehensive and substantive evaluation of the evidence gathered and by rejecting a request for expert evidence on whether the technical and organizational measures used by the Company at the time of the data leak were adequate.

In a judgment of September 3, 2020 (ref. II SA/Wa 2559/19), the WSA in Warsaw dismissed the Company’s complaint. According to the WSA in Warsaw, the PUODO did not violate substantive law to an extent that affected the outcome of the case. The court also endorsed the PUODO’s argument that the Company had failed to apply technical and organizational measures adequate to the scale of the data processed. Addressing the Company’s objection to the dismissal of the expert evidence, the WSA in Warsaw stated that since the PUODO already had sufficient evidence in the case, taking any further evidence was unnecessary in light of the findings.

The Company filed a cassation appeal with the Supreme Administrative Court (“NSA”) against the judgment of the WSA in Warsaw. On February 9, 2023, the NSA overturned both the judgment of the WSA in Warsaw and the decision of the PUODO (file no. III OSK 3945/21). In its ruling, the NSA did not question all of the PUODO’s findings concerning the Company’s violation of the RODO. It did, however, question the authority’s competence to assess the technical and organizational measures the controller had used to secure personal data. According to the NSA, the PUODO should have shown that it possessed the knowledge needed to conduct such a security analysis. The NSA’s reasoning indicates that either an expert should have been appointed or an internal document should have been produced setting out the conclusions of the analysis of the standard of the security measures used by the Company, to which the controller could have referred during the proceedings; the failure to do so violated Article 78 § 1 of the PAC.

The PUODO disagreed with the NSA’s ruling and published a letter addressed to the President of the NSA on May 12, 2023. In the letter, the PUODO argued that the judgment, in an undeniable and unprecedented way, calls into question the independence of the PUODO as a supervisory authority and undermines both its competence and the substantive qualifications of the employees of the Office for Personal Data Protection necessary to perform the tasks for which the authority was established.

After reconsidering the case, the PUODO once again found that the Company had applied safeguards insufficient for the existing risk of a data protection breach. According to the analysis, at the time the customer data leak occurred the Company did not have adequate risk management procedures or technical safeguards (monitoring of network traffic, encryption of parts of the data, two-factor authentication). In view of these violations, the PUODO again issued a decision imposing a fine on the Company, raising the amount to PLN 3.8 million.

In response to the PUODO’s decision, the Company issued a statement saying that it disagrees with the decision and intends to appeal it to the administrative court. According to the Company, the PUODO again failed to appoint an expert who could have contributed to an objective assessment of whether the personal data safeguards applied in 2018 were correct. The Company also pointed out that the safeguards applied in 2018 were carefully selected, were in line with market practice and met the requirements of the RODO, and that the new penalty imposed by the PUODO is arbitrary and unjustified.
