When an employment agency falls victim to a cyberattack
Responding appropriately to a data breach is one of the fundamental duties of data controllers under the EU’s General Data Protection Regulation (GDPR). But practice shows that complying with these duties often poses major problems for data controllers, including when the breach occurs in an employment context. These difficulties include in particular assessing:
- Whether a breach has occurred
- The risk associated with the breach
- What legal duties are imposed on the data controller in relation to the breach
- What measures should be implemented in connection with the breach.
This is the first in a series of articles in which we will present examples of data breaches in the employment context.
Drawing on Guidelines 01/2021 on Examples regarding Personal Data Breach Notification adopted on 14 December 2021 (version 2.0), issued by the European Data Protection Board (EDPB), we will focus on key aspects from the perspective of Polish employers which may help data controllers comply with their obligations in the event of a data breach.
Data protection breach—definition and general duties
Under the GDPR, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In the event of a breach, the data controller must take certain actions, depending on the level of risk associated with the breach:
- If the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller is not required to notify the breach to the data protection authority. Nonetheless, the controller is required to document the breach internally, including the facts relating to the breach, its effects and the remedial action taken.
- If the breach is likely to result in a risk to the rights and freedoms of natural persons, the controller must notify the supervisory authority of the breach, and also internally document the breach, including the facts relating to the breach, its effects and the remedial action taken.
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must not only notify the breach to the supervisory authority, but must also communicate the personal data breach to the affected data subjects. Again, the controller must internally document the breach with the related facts, effects, and remedial action taken.
As may be seen, regardless of the risk level, the data controller must always document the occurrence of the breach internally and the remedial actions taken. Thus we focus below only on the determination of whether it is necessary to notify the supervisory authority or the data subjects of the breach.
As these obligations are correlated with the degree of risk arising from the breach, it is key for the controller assessing the breach to follow a methodology enabling the controller to justify its decision on the further measures to be taken in connection with the breach. This analysis should be conducted from the perspective of the risks to data subjects associated with the breach—not the risks to the controller (e.g. financial, business or reputational risk).
The methodology set forth by the European Union Agency for Network and Information Security (ENISA) in its report “Recommendations for a methodology of the assessment of severity of personal data breaches” may be helpful in this respect. In practice, in the event of notification of a breach, the regulator will often verify whether the data controller made an assessment of the risk to the data subjects affected by the breach. Data controllers should thus remember to conduct and document this assessment.
If a breach occurs, the controller should also implement remedial measures, including, where appropriate, measures to minimise the potential negative impacts of the breach and reduce the risk of similar incidents occurring in the future. As with the assessment of the risk arising from a breach, the authority will often verify whether the controller actually took the remedial measures it claimed in its notification. Hence the importance of both implementing and documenting the remedial measures.
Example 1. Exfiltration of job application data from a website
An employment agency was the victim of a cyberattack which placed malicious code on its website. The code made personal information submitted through online job application forms and stored on the webserver accessible to unauthorised persons. A total of 213 such forms were possibly affected, but after analysing the affected data it was determined that no special categories of data were affected in the breach. The particular malware toolkit installed had functionalities that allowed the attacker to remove any history of exfiltration and also allowed processing on the server to be monitored and personal data captured. The toolkit was discovered only a month after its installation. (Guidelines p. 15)
Assessment of risk to data subjects
In this example, in the opinion of the EDPB, there was a data breach causing a high risk of infringement of the job candidates’ rights and freedoms. Thus the agency must report the breach not only to the supervisory authority, but also to the candidates.
As stated in the Guidelines with respect to this example, “Though no special categories of personal data were affected, the accessed data contains considerable information about the individuals from the online forms, and such data could be misused in a number of ways (targeting with unsolicited marketing, identity theft, etc), so the severity of the consequences should increase the risk to the rights and freedoms of the data subjects.”
Polish perspective on the example
If such a breach occurred at a Polish employment agency, this conclusion by the EDPB could also be regarded as warranted, that is, the agency would have to notify the breach to the data authority (the President of the Personal Data Protection Office—PUODO) and also to the candidates (regardless of their number) whose data were affected. Any change in the circumstances would have some impact on the risk level. Thus before taking notification steps, the data controller should analyse factors such as what specific data were disclosed.
In the case of persons who included information in their job applications such as their personal identity number (PESEL) or health information, the risk would be higher, which could affect for example the wording of the notice to the data subjects, particularly the actions they are recommended to take.
Even in the case of persons who included only routine data in their applications, it would be hard to determine unequivocally that there is not a high risk of infringement of their rights and freedoms (e.g. if their data were published and their current employer learned that they applied for another job on a given date). Importantly, if the controller has doubts about the level of risk from a data breach, it should take a precautionary approach.
If a Polish employer were directly hit by a similar breach, e.g. exfiltration of job applications filed through an electronic recruitment platform used by the employer, the employer could also be required to notify the breach to PUODO and the candidates (regardless of number) whose data were affected by the breach.
The case would be similar if the breach involved not only job applications, but also employee documentation—but in light of the broader scope of personal data, such as PESEL numbers, the risk level could be even higher.
Remedial measures
In the view of the EDPB, following such a breach the following measures should be taken to minimise the impacts and the risk of similar breaches in the future (Guidelines pp. 18–19):
- Compare the database with a secure backup copy to determine whether data were altered
- Update the IT infrastructure, drawing on the experiences from the breach
- Return all affected IT systems to a known clean state
- Remedy the vulnerability and implement new security measures to avoid similar data breaches in the future, e.g. file integrity checks and security audits.
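The last item above mentions file integrity checks as one of the new security measures. The script below is an added illustration of what such a check looks like in practice; it is not code from the article, the EDPB Guidelines or the employment agency in the example. It hashes every file under a web root, stores the result as a baseline, and on a later run reports files that were modified, added or removed. The web root, file names and contents are constructed inside the script so that it runs offline. In the example breach the toolkit stayed undetected for a month; a check of this kind run on a schedule, with the baseline kept somewhere the web server cannot write to, is the sort of control that shortens that window.

```python
"""Minimal file-integrity baseline and check for a web root.

Added example, not from the article or the EDPB Guidelines. The web root,
the file names and their contents are constructed here so the script runs
offline; the hypothetical paths stand in for a real deployment.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON.

    Keep this copy off the web server (or on read-only media): an attacker who
    can write to the server could otherwise rewrite the baseline as well.
    """
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    """Read a baseline written by save_baseline."""
    return json.loads(src.read_text())


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline.

    Returns lists of files whose digest changed, files that are new (an
    unexpected file under the web root is exactly what the check is for) and
    files that disappeared, plus a 'clean' flag.
    """
    current = build_baseline(root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "clean": not (modified or added or removed),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"          # hypothetical web root
        (root / "forms").mkdir(parents=True)
        (root / "index.html").write_text("<html>careers</html>")
        (root / "forms" / "apply.php").write_text("<?php // application form ?>")

        baseline = build_baseline(root)
        store = Path(tmp) / "baseline.json"   # would live off-host in practice
        save_baseline(baseline, store)

        # Simulate the situation in the example: an existing page is altered
        # and a new file appears under the web root.
        (root / "forms" / "apply.php").write_text(
            "<?php // application form ?>\n<?php // unexpected addition ?>"
        )
        (root / "forms" / "helper.php").write_text("<?php // unexpected file ?>")

        return check_integrity(root, load_baseline(store))


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "removed"):
        for f in report[kind]:
            print(f"{kind}: {f}")
    print("clean" if report["clean"] else "INTEGRITY VIOLATION")
```

Running the script prints `modified: forms/apply.php`, `added: forms/helper.php` and `INTEGRITY VIOLATION`. A real deployment would run `build_baseline` once after the systems have been returned to a known clean state (the preceding list item), refresh the baseline only as part of controlled change management, and treat any unexpected entry in the report as an incident to investigate and document.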
If the breach involved employee documentation within the meaning of Polish labour law stored in electronic form in an IT system, then updating the risk analysis and assessment of security measures could also be indicated, in order to comply with the obligations arising under §10(2) of the Regulation of the Minister of Family, Labour and Social Policy of 10 December 2018 on Employee Documentation.
Karolina Romanowska, Łukasz Rutkowski