POLISH DPA FINES ID FINANCE POLAND PLN 1M FOR INSUFFICIENT TECHNICAL AND ORGANISATIONAL MEASURES
The Polish DPA (“UODO”) announced its decision to fine ID Finance Poland PLN 1 million (approx. €250,000) for its failure to implement adequate technical and organisational measures to ensure the security of data.
UODO noted that the company had not responded to signs of security gaps and that the data on the company's server was subsequently copied and removed by an unauthorized individual who asked for a ransom. In addition, UODO established that the violation had occurred following an unsuccessful attempt to restore an acceptable security configuration and that the controller had failed to exercise due diligence with respect to its security systems and its processor, despite being informed of the vulnerability by cybersecurity specialists.
Moreover, UODO noted that controllers should be able to identify breaches quickly and effectively in order to take appropriate action, investigate the incident and take appropriate remedial action. UODO highlighted that the lack of a quick response by the processor would not minimize the liability of the controller for the data breach, and that the scale of the breach and the controller's delay in taking effective remedial action were among the factors considered in the calculation of the fine.
You can read the EU Commission’s announcement here.
You can read the full decision in Polish here.