The judgement issued by criminal court no. 6 in Barcelona absolves employee and contemplates penalty for the company, in compliance with the General Data Protection Regulation (GDPR).
We find ourselves in front of a case that will eventually go from unusual to ordinary on a day-to-day basis. The main character of this story is an advanced telecommunications engineer, with expert knowledge on network configuration. Prior to the incident, he worked as a post production technician for Catalonian television channel TV3. He was in charge of the management and configuration of video and audio editing systems.
The affected organization accused the employee of a continued crime of Discovery of Secrets. The subject accessed a total of 80 corporate mail accounts. Said accounts contained documents with employment and payroll data from Catalonian broadcast media corporation CCMA, TV3 and Catalunya Radio.
The main cause of the issue were the insufficient technical and organisational security measures adopted by the corporation. The audit conducted by the organization in 2012 already considered the implemented security measures to be deficient.
There were several reasons for this consideration:
The new GDPR will become a mandatory regulation on the upcoming 25th of May 2018. The IT management responsible will be the one in charge of adopting the necessary technical and organizational measures.
GDPR means organizations will be the only ones responsible in the event of a potential non-allowed intrusion inside their facilities. Official bodies will punish companies for a failure in the adoption of the necessary measures to protect their data. It will be these companies who will respond to affected subjects and European Supervisory Authorities.
The risks organizations face if they do not comply with GDPR are the following:
Since the judgement (available at Sentencia Penal Nº 232/2016, Juzgado de lo Penal de Barcelona, Sección 6, Rec. 117/2016 de 30 de junio 2016) was issued in 2016 and the coming into force of GDPR was still premature (25th May 2018), the Catalonian corporation was not economically punished. However, considering there are still two months to go till its compliance becomes mandatory, fines could go up to €20 million or a 4% of the company’s global anual turnover. Furthermore, the employee could have also requested a direct compensation from the organization.
For all these reasons, R3 CyberSecurity offers the possibility of performing an assessment of the applicable technical and organizational measures for each society. Once it is performed, we will suggest the measures that best fit your company for the achievement of a total compliance.
Silvia López | Legal Advisor at R3 CyberSecurity