The RTVE case
The loss of 6 unencrypted pen drives by the manager of the RTVE employee pension plan has resulted in a €60,000 fine from the AEPD.
This security breach, caused by human oversight, was reported on January 25, 2019 by the Data Protection Officer (DPO) himself, as required in these situations.
The devices were kept, without any protection, inside a small purse. The data they contained belonged to approximately 11,000 people and included identifying data, personal circumstances, employment details, union membership, health data and criminal offenses or convictions, if any.
The number of people affected is very high: the pension plan participant data dates back to the plan's start in 1995, and the RTVE census data covers all of its employees, many of whom also participate in the pension plan.
You can consult the resolution of the sanctioning procedure in question at the following link:
The Ambar case
Last November, news broke that the Ágora brewery, which includes the Ámbar brand, had fallen victim to ransomware that hijacked data from its logistics and commercial section.
This kind of attack, which need not have been aimed specifically at the company itself, is the most common way for a company to find itself totally helpless.
Today companies depend heavily on their computer systems, yet this fundamental part of the production process does not seem to receive the care or the value it deserves.
It is very important that the IT service we have contracted, whether internal or external, implements the preventive and containment measures necessary to avoid these situations.
Could your business recover from one of these mishaps?
This sanctioning procedure has turned out to be a serious problem for RTVE, caused by the loss of something as easy to misplace as a small wallet containing 6 USB drives. We quote below an excerpt from the linked document:
“The reasons on which the claim is based are that there has been a security breach after the disappearance of unencrypted removable devices from the Office of Attention to the Participant of the Pension Plan (hereinafter OPP) in the Building of Corporación RTVE (hereinafter RTVE) in Prado del Rey, which contained personal data.”
Had the necessary, fundamental measures to prevent access to this personal data been in place, the DPO would not have been forced to initiate the complaint procedures before the Data Protection Agency, as indicated in article 33, with the damage this has ultimately caused them.
Had the ET-Encrypt encryption system included in ET-Security been used, it would not have been necessary to notify the Data Protection Agency and those affected of the loss of these USB devices, as established in article 34 of this same law.
Encryption would not change the fact that, had this been the only existing copy of the data, it would have been lost forever. A basic pillar of computing is to ensure that a copy of all data exists.
To safeguard the data in these cases, we have our document management service, GDocumentary. It provides both the ability to store the data and the ability to retrieve it at any time. Regardless of our location, we will be able to retrieve and contribute data to document management.
If we do not want remote access to the documentation at all times, we must still guarantee the durability of the data we work with. For that purpose, our backup system, ET-Backup, allows data to be safeguarded in a safe environment, external to our organization, without loss of data in the event of a system failure or external intrusion.
All these services are offered from national territory and within the EU, thus meeting all the requirements of the LOPD and GDPR.
We also want to note that, given the fragility of removable USB devices (which are more directly exposed to knocks), they are not the best medium for storing data of this level of importance.