Disruptive Tech Week: Data Breaches & Cybersecurity

@Natalia Soto Kure

What if there is a data breach at a company you work for? How should it be handled?

The discussion was driven by Cristina Sirera, Corporate Group Data Protection Advisor at Colt Technology Services; Daniel López, Partner of Privacy and Data Protection at ECIJA; and Jesús Yáñez, Partner of Security, Risk, and Compliance at ECIJA. They provided insights based on their expertise and demonstrated how easily, and legally, data may be extracted from online sources.

From a legal perspective, there are a variety of reasons for the retention and use of personal data for a specific period of time. There is also a huge amount of data available online which may be extracted and used for other purposes.

A data breach is defined as any violation of data security. It is the destruction, loss, or accidental or unlawful alteration of personal data, or unauthorized disclosure of data. There are various legal measures in place to deal with data breaches and cybersecurity. For example, the European General Data Protection Regulation (GDPR) was approved in April 2016 and will be enforced starting May 25, 2018.

The following are some of the topics, insights, and facts about data breaches and cybersecurity discussed at the conference.

Are Employees Ready to Deal with It? 

What if there is a data breach at a company you work for? How should it be handled? Are there any laws to protect employees?

In 2017, only 17% of large companies in Spain had articulated technical procedures for security breaches. In the case of a data breach, the Notification Control Authority allows 72 hours to report t

he breach, in order to inform other countries and prevent further attacks. Newspapers are permitted to publish information about data breaches without having the responsibility to report the breach to the authorities. It is the company’s responsibility to report a breach.

If someone working at a company reports a breach without the company’s consent, they are protected under the law. Whistleblower protection does not allow the company to fire them.

There are only three conditions under which it would not be necessary to report a data breach:

  • Responsible measures were adopted in case of a breach (encryption of data).
  • The responsible party took steps to make it unlikely for rights and freedoms to be violated.
  • A disproportionate effort was made to handle the situation, such as public communication of the breach.

Reporting of the breach must be done using simple language and must include the DPO  (delegate of data protection), along with the consequences of the breach and the specific data that has been stolen.

Ignorance is not an excuse for failure to report a breach; it is the responsibility of the employees of a company to be up-to-date.

Are Companies Ready to Deal with It?

How are companies protecting themselves from data breaches?

The facts show:

Twenty-five percent of companies continue to use Windows XP, which since 2014 has been unsupported by Windows, meaning it is an “open window” for hackers.

Approximately 30% of employees are involved in activities that may be dangerous to the company’s cybersecurity due to ignorance. For example, finding a USB on the floor and plugging it into a computer. This activity may expose the company to a virus or other digital threats.

Social engineering can be used to collect information and steal identities from employees of a company. Apps that are available for free online legally facilitate this behavior. To demonstrate this, a test was completed where the full name and contact information of the IE Law School brochure editor was extracted from a digital file; it was embedded in the metadata. This activity is legal because the information was available in published digital file.

Apps like Maltigo enable this sort of activity. E-mails, IP addresses, telephone numbers, and other relevant information available online can be easily extracted using this app.