A thin line between a typo and a data breach: A case study in enhancing data security practices
In the fast-paced landscape of contemporary business, technology has revolutionized the way we communicate, with email emerging as the primary channel for business exchanges. It has become customary for every facet of business communication to traverse the digital realm, leveraging the speed and efficiency of electronic messaging. However, amid this rapid exchange of information, a subtle yet critical danger lurks: a single keystroke error, a misplaced letter, and sensitive data may inadvertently find its way into the wrong hands. The speed of email communication, combined with the risks it poses to data protection, highlights the delicate balance businesses must strike to remain compliant.
This potential pitfall materialized in recent practice when a bank sent its client’s personal data to an unintended recipient, prompting a noteworthy decision by the Commissioner for Information of Public Importance and Personal Data Protection.
Determining the circumstances of this data breach, the Commissioner found that the bank collected email addresses of its clients based on the consent of the data subject, in accordance with Article 12, Paragraph 1, Point 1 of the Law on Personal Data Protection. The purpose of such data processing was the fulfillment of rights and obligations arising from contracts with clients, including sending service-related notifications and account statements. During the account opening process, clients provided consent for electronic communication via email, to which the bank subsequently sent statements. The bank collected email data directly from clients in their presence, verifying the information before the client signed the request confirming the accuracy of personal and contact details.
However, having analyzed the bank’s communication procedures, the Commissioner took the position that the bank did not provide clients with an adequate level of data security and issued a warning to the bank for violating Article 50 of the Law on Personal Data Protection. In his decision, the Commissioner determined that the bank had failed to implement appropriate technical, organizational, and personnel measures to ensure an adequate level of security, especially concerning the risk of unauthorized access to clients’ personal data.
In response to the warning, the bank conducted an analysis of the relevant processes. It contacted service providers regarding the implementation of a verification system (automated verification). As a temporary solution, the bank introduced a process allowing clients to update their email addresses with one-time password verification via a mobile application. Additionally, branch employees now verify entered email addresses with clients during the contract negotiation process, ensuring that emails containing general terms or other documentation reach the correct recipient.
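The article describes the bank's remediation only at the level of process: an automated verification system and one-time password verification when a client updates an address. The following Python sketch is an added example, not the bank's or the Commissioner's material, of what such an automated check can look like on the controller's side: a new address is held in a pending state, a single-use token is sent to that address, and statements are only ever sent to an address the client has confirmed from the mailbox itself. The class and field names, the token lifetime, and the in-memory "outbox" standing in for a mail gateway are all assumptions made for the example.

```python
import hmac
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose syntactic check; it catches obvious keystroke errors (missing "@",
# missing domain) before anything is sent anywhere.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a confirmation token


@dataclass
class ClientRecord:
    client_id: str
    email: Optional[str] = None            # only a confirmed address is stored here
    pending_email: Optional[str] = None    # address entered but not yet confirmed
    pending_token_hash: Optional[str] = None
    pending_since: Optional[float] = None  # epoch seconds, injected by the caller


class EmailChangeService:
    """Double-confirmation flow for changing the address used for statements."""

    def __init__(self, secret: bytes, outbox: List[Tuple[str, str]]):
        self._secret = secret
        # Constructed stand-in for an SMTP gateway: (recipient, body) pairs.
        self.outbox = outbox

    def _hash(self, token: str) -> str:
        # Store only a keyed hash of the token so a leaked record cannot be
        # replayed to confirm a mistyped address.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request_change(self, rec: ClientRecord, new_email: str, now: float) -> str:
        """Stage a new address and send a confirmation token to it.

        The token is returned only so the caller (or a test) can simulate the
        client acting on the confirmation mail; a real service would not expose it.
        """
        if not EMAIL_RE.match(new_email):
            raise ValueError("address is not syntactically valid")
        token = secrets.token_urlsafe(16)
        rec.pending_email = new_email
        rec.pending_token_hash = self._hash(token)
        rec.pending_since = now
        # The confirmation goes to the NEW address, so a typo simply goes
        # unanswered instead of silently becoming the statement recipient.
        self.outbox.append((new_email, f"Confirm this address with token {token}"))
        return token

    def confirm(self, rec: ClientRecord, token: str, now: float) -> bool:
        """Promote the pending address if the token matches and is still fresh."""
        if rec.pending_email is None or rec.pending_token_hash is None:
            return False
        if now - (rec.pending_since or 0.0) > TOKEN_TTL_SECONDS:
            self._clear_pending(rec)
            return False
        if not hmac.compare_digest(self._hash(token), rec.pending_token_hash):
            return False
        rec.email = rec.pending_email
        self._clear_pending(rec)
        return True

    def send_statement(self, rec: ClientRecord, body: str) -> bool:
        """Send only to a confirmed address; never fall back to the pending one."""
        if rec.email is None:
            return False
        self.outbox.append((rec.email, body))
        return True

    @staticmethod
    def _clear_pending(rec: ClientRecord) -> None:
        rec.pending_email = None
        rec.pending_token_hash = None
        rec.pending_since = None


if __name__ == "__main__":
    outbox: List[Tuple[str, str]] = []
    svc = EmailChangeService(secret=b"example-only-secret", outbox=outbox)
    rec = ClientRecord(client_id="client-001")          # constructed sample client
    tok = svc.request_change(rec, "ana.petrovic@example.com", now=1000.0)
    print("statement before confirmation sent:", svc.send_statement(rec, "Statement"))
    print("confirmed:", svc.confirm(rec, tok, now=1500.0))
    print("statement after confirmation sent:", svc.send_statement(rec, "Statement"))
    print("outbox:", outbox)
```

The design point is that the address the bank will use is never the one typed at the counter or in the app; it is the one from which the client answered. Holding the unconfirmed value in a separate field and refusing to send to it turns a typo into a non-event rather than a disclosure, and the keyed hash and expiry keep a stale or leaked token from confirming the wrong mailbox later.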
The Commissioner's decision, as well as the proactive steps taken by the bank, serves as a valuable lesson for businesses operating in a digital environment, highlighting the need for continuous evaluation and enhancement of data security practices. As technology continues to play a pivotal role in communication and information exchange, data controllers must remain vigilant in adapting their protocols to address evolving threats, ultimately fostering a culture of data security and privacy.
Article provided by INPLP member: Sonja Stojčić (Živković Samardžić, Serbia)
Dr. Tobias Höllwarth (Managing Director INPLP)