Controller's liability for hacker's attack according to the Court of Justice of the EU (part I.)

Each of us can become victim to a hacker attack. However, the fulfillment of remediation, notification and documentation obligations under the GDPR doesn´t mean the end of the case itself. What usually follows is the establishment of liability. Although during this process, the courts will work with classic legal instruments, their application may get complicated by a still relatively new legal regulation for the courts - GDPR. In a series of blogs, we will follow Case C-340/21 before the CJEU, which may develop this area further.

We will try to simplify the preliminary questions to be answered by the CJEU in the upcoming months in Case C-340/21 as follows:

1. Does any data compromise as a result of a hacker attack automatically mean that the controller has not adopted appropriate security measures in accordance with Art. 24 and 32 GDPR?

2. What should be examined by courts when determining whether security measures taken under Art. 32 GDPR were adequate?

3. If the controller is sued by the data subject for non-material damage, who bears the burden of proof that the security measures have (not) been proportionate? Can an expert opinion be sufficient evidence to determine the adequacy of the security measures taken?

4. Is a "hacker attack" an incident for which the controller bears no responsibility under Art. 82 par. 3 GDPR?

5. Does the term "non-material damage" also cover the data subject's worries, concerns and fears of possible future misuse of personal data, even if they have not yet been misused?

What happened in this case?

In 2019, sensitive financial information of more than 6 million citizens leaked out of the Bulgarian tax office. The leaked information mainly concerned tax returns, social security contributions, payments to health insurance and it also included names, surnames, telephone numbers, email addresses, data on fines, arrears, taxes, refunds, etc. The scope, but also the sensitivity of an incident was therefore enormous. The tax office reported the breach of personal data protection to the supervisory authority as well as to law enforcement authorities and allowed the data subjects to find out whether their data had also leaked.

It can therefore be assumed that the tax office proceeded in the management of the incident in accordance with Art. 33 and 34 GDPR. The tax office was fined for violating Art. 32 GDPR, i.e., breach of the obligation to implement appropriate security measures.

Afterwards, the concerned data subjects brought hundreds of claims for non-material damage. The Bulgarian national courts allegedly did not rule consistently in these cases. In this present case, which gave rise to the reference for a preliminary ruling, there was unauthorized access to the applicant's data (her data leaked), however, since there was no misuse of them, the applicant's claims was dismissed. Criminal proceedings have been brought against hackers, but they have not been convicted to date and it is not even clear whether their identity have been established.

Why did the court dismiss the claim for non-material damage?

The tax office claimed that they have been the victim of a hacker attack by persons acting in bad faith and therefore they were not responsible for the non-material damage. The national court confirmed that the controller does not have absolute obligation to prevent any unauthorized access to the data. The national court argued, in essence, that the applicant did not bear her burden of proof that the security measures adopted by the tax office were inadequate. According to the court, the applicant should have clarified what technical measures the tax office was required to adopt - but did not - and which consequently led to the hacker attack. At the same time, the court did not recognize that the survived psychological burden due to the fear of possible misuse of leaked data (which did not occur) could represent non-material damage. The data subject appealed against the judgment at first instance and the matter is now being decided by the Supreme Administrative Court, which has referred to the CJEU.

Does a hacker attack automatically mean violation according to Art. 32 GDPR?

We don't think so. The principle of integrity and confidentiality, which is translated into the obligation to take appropriate security measures under Art. 32 GDPR is not absolute. Controllers cannot be expected to guarantee absolute security and protect data from any hacker attack. This is not even objectively possible. Therefore, not every data protection breach as a result of a successful hacker attack automatically means that security measures were not appropriate. The GDPR protects responsible controllers who have actually made all reasonable efforts to protect their data, but have failed to do so, for example, because the attack was too sophisticated to be prevented by a particular controller. It does no harm to recall the wording of Art. 32 GDPR:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”

There is no table which would be universally accepted by supervisory authorities to calculate whether specific measures by a particular controller are appropriate, although some quantitative methods of risk analysis led to arithmetic recalculations in order to capture these variables more accurately. Any court's assessment of whether a given measure is appropriate must be made on the balance of conflicting arguments and under the weight of the circumstances of the particular case. In practice, it seems to us that first step of supervisory authorities is to distinguish, whether it is the case of:

A.     Absolute failure: A security incident could have been easily prevented by taking a routine measure which in fact was absent, was not properly implemented, or was incorrectly applied; or

B.     Sophisticated attack that exploits yet unknown vulnerabilities: either it is still not entirely clear how the attack was carried out or it is already known, but it is still a highly sophisticated attack and the exact way of its realization the controller could not anticipate in advance while maintaining risk management expertise and react to it preventively (perhaps also due to the fact that such measures will not exist at the time with regard to the state of the art, or measures which are used already will not work properly as expected).

According to this introductory analysis, procedural tactics, verification of information and the way in which further evidence is obtained, are usually adapted in proceedings before the supervisory authorities. Historically, most cases that the Slovak DPA dealt with when fining Art. 32 GDPRs fell under the simpler cases of absolute failure. However, this no longer applies today. Currently, almost all supervisory authorities have special cybersecurity departments dealing with Article. 24 or 32 GDPR violations and assessing the adequacy of security measures. The Slovak DPA has its own department of information security and certifications, which often comes with the inspection team or directly deals with the controller for example after breach notifications under Art. 33 GDPR.

For illustration, we list some foreign as well as Slovak cases that deal with personal data security:

British Airways (United Kingdom)

FINE: EUR 26 million

EXACT VIOLATION OF ART. 32 GDPR:

• Inability to identify data breach of large proportions with its own security measures;

• Non-adopting of adequate countermeasures that could have prevented the hacker attack to be successful, such as 2FA at its own user accounts, hardening, testing of its own systems, penetration tests.  

Marriot International (United Kingdom)

FINE: EUR 20,7 million

EXACT VIOLATION OF ART. 32 GDPR:

• Inability to identify (for number of years) that the system is compromised heavily by an outside attacker who was scraping personal data databases;

• Insufficient monitoring of the privileged user accounts and its activities;   

• Weak oversight of critical systems;

• Insufficient encryption of sensitive data (credit card numbers, passports)

Uitvoeringsinstituut Werknemersverzekeringen (UWV) (Netherlands)

FINE: EUR 450,000

EXACT VIOLATION OF ART. 32 GDPR:

• Insufficient management of electronic inbox;

• Insufficient management of access rights towards processed personal data;

• No processes to evaluate or internally check of implemented security measures.

BraBank (Norway)

FINE: EUR 40,000

EXACT VIOLATION OF ART. 32 GDPR:

• No risk analysis before adoption of the security measures;

• No testing of the bank application before going live with clients.

Mermaid Charity (United Kingdom)

FINE: EUR 30,000

EXACT VIOLATION OF ART. 32 GDPR:

• Conceptually negligent approach towards overall IT security;

• Non-adoption of any security policies or training of its own personnel;

• No encryption or pseudonymization of sensitive personal data;

• No access rights management towards email conversation group in which sensitive personal data were accessible.

Private company (Slovakia)

FINE: EUR 2,300

EXACT VIOLATION OF ART. 32 GDPR:

• No continuous and regulator evaluation of the adopted security measures

• Conflicts between declared security state and actual instructions towards employees.

Private company (Slovakia)

FINE: EUR 1,000

EXACT VIOLATION OF ART. 32 GDPR:

• Not appropriate location and protection of monitors showing CCTV export towards non-authorized persons.

Hospital (Slovakia)

FINE: No fine

EXACT VIOLATION OF ART. 32 GDPR:

• No violation was concluded;

• Breach of confidentiality of the health worker who forwarded health patient data via WhatsApp towards non-authorized 3rd person without having any justification for accessing such data (employee was identified via logging);

• Illegal action of the employee was in breach of controller’s instructions;

• Controller relied on employee’s liability for damage including financial identification within the limits of the employment rules.

For completeness, in the last case (hospital) the violation of Art. 33 GDPR was not concluded or fined. Despite adopting appropriate security measures the security was breached due to the employee's excess. The controller's liability under Art. 32 GDPR is therefore not absolute. It is given that there will always exist cases which will be hard to categorise to some of these groups. This way we get to the central point of determining whether security measures are appropriate, being the risk analysis.

After identifying the risk, its analysis and evaluation, we consider as necessary that the outputs of each risk analysis include measures which intend to eliminate or minimize the identified risks. On the other hand, the output should also embrace all treated risks, including residual risks, which have not been completely eliminated by the adoption of safety measures and which are accepted. There are many methodologies for performing risk analysis at the level of managerial decision-making, management of operational, environmental, health and safety risks (e.g. ISO 31000, ISO 31010), or at the level of information security management (eg ISO 27005). We believe that it is the controller, who decides about specific way of performing the analysis, but § 78 par. 11 of the Data Protection Act encourages the appropriate adoption of security measures in accordance with (undefined) international security norms and standards.

If the controller demonstrates to the supervisory authority such risk analyzes that documents the actual measures taken in a correct manner and at the same time there are elements directly identified with a successful sophisticated cyber attack between the treated and accepted risks, will be the controller then objectively responsible for violating Art. 32 GDPR?

During the retrospective assessment whether the security measures were appropriatate, it is also questionable if the final negative impact or scope of the personal data breach that ultimately resulted from the hacker attack should also be considered. This case also illustrates that the enormous scale and negative impact of this incident automatically leads to the conclusion of an absolute failure. However, the opposite interpretation may still apply, according to this interpretation the controller may have been the victim of such a sophisticated hacking attack that it is simply not possible to prevented it by taking any measures of which controller could or should have been aware at the time of their adoption. We cannot assess this question and probably also the Court of Justice of the EU will not judge it on merits. The court should only explain the general rule. However, if the general rule is applied - that not every hacker attack automatically means a violation of Art. 32 GDPR, then such an interpretation must apply regardless of the actual damage that the attacks may cause to the data subject or. victims, although this may seem to be unfair at first sight, especially if it is not possible to identify the attacker.

What is the role of courts in assessing the adequacy of security measures?

The Bulgarian court asks what is the subject matter and scope of judicial review in relation to the adequacy of the security measures, if Art. 32 GDPR leaves the controller room for discretion and a subjective assessment of that adequacy. In other words, whether the court should "get its hands dirty" and undergo the risk analysis of the measures taken and examine their correctness and adequacy in terms of objective merits. Why do we think this question is surprising?

In our opinion, it is not sustainable for courts to lose the power to decide on the merits of the adequacy of specific security measures. The subject matter and scope of judicial review should be the same for courts as for supervisory authorities. Otherwise, the decisions of the supervisory authorities on the violation of Art. 32 GDPR cannot be examined by courts, which would in fact restrict the right to a fair trial. The same conclusion applies to the decisions of (highly qualified) security / cyber-security authorities.

Definitely, it will be difficult for the courts to consider and decide similar matters. However, the adversarial nature of civil proceedings allows courts to hear the arguments of both parties and to reach a conclusion based on an assessment of all available information. The argument that a judge is not a security risk analyst cannot be an obstacle to court examination. Courts must be able to reach a decision in such demanding cases as in the case of any other false expert assessment of the facts in other cases (e.g. industrial accidents, patent litigation or medical litigation).

Does the principle of accountability change the burden of proof in private law disputes?  

The principle of accountability under Art. 5 par. 2 GDPR requires the controller to be able to demonstrate compliance with the basic principles under Art. 5(1) GDPR. However, we have always maintained that it is necessary to distinguish the principle of accountability of the controller from the burden of proof by the supervisory authority if a breach of the GDPR is being established in administrative proceedings. In our view, the principle of accountability does not mean that there is a breach of the GDPR whenever the controller cannot prove otherwise. There is a breach of the GDPR only if the supervisory authority can prove and substantiate it. However, this applies to the administrative proceedings and subsequent administrative punishment, which has a certain analogy with criminal proceedings.

But what about a purely private-law dispute over non-material damage to an injured data subject whose data have been compromised as a result of a successful hacker attack? In order to be successfull with this claim, it is required to first prove that there has been a breach of the obligation under Art. 32 GDPR. Who, then, has a duty to bear the burden of proof and to prove whether there has been a breach of that duty? Claimant – data subject or defendant - controller?

If we follow the (Slovak) Civil Procedure Code, the general rule is that the claimant must be able to prove his claims. Similarly, the Bulgarian national court describes the national law according to which each party to the action is required to provide evidence of the facts from which it derives its claims or objections. Therefore the starting point and premise is that: the claimant (the injured data subject) would have to be able to prove even before the Slovak court, that the security measures taken were not adequate.

However, this may not apply absolutely. Slovak case law also allows the use of the so-called the defendant's duty to explain as well as reversal of the burden of proof.

According to the often cited judgment of the Supreme Court of the Slovak Republic of 11 April 2017, file no. zn. 3 Cdo 2/2016:

„The burden of proving certain facts is carried by that party, which derives favorable legal consequences from the existence of those facts; it is the participant who also claims the existence of these facts. However, in some cases, the party burdened with the burden of proof does not objectively have and cannot have information on the facts relevant to the decision in the dispute, however this information is available to the other party. In case that the party burdened with the burden of proof presents at least "substantive points" of the facts and thus increases the probability of its factual allegations, the "explanatory duty" of the counterparty arise. Failure to comply with this obligation will result in an assessment of the evidence against the party who failed to comply with the "explanatory duty". At the same time, that 'obligation to explain' cannot be confused with reversing the burden of proof.”

At the same time, there are also known disputes where the courts have shifted the burden of proof from the plaintiff to the defendant. These are most often cases where the plaintiff would have to prove the real non-existence of a certain fact (that something does not exist or that something has not happened), what is generally objectively impossible. According to the judgment of the Regional Court in Košice, file no. zn. 3Cob / 112/2014 of 25/11/2015:

"In litigation, the so-called a negative evidence theory based on the fact that a participant cannot be fairly required to prove the real absence of a particular legal fact (eg a claim that the defendant has not paid), as a result of which the burden of proof is shifted to the defendant."

Let's imagine a situation where a data subject whose data has been leaked because of a hacker attack is formulating a claim for non-material damage, and for now let's put aside the issue of actual damage. We would likely need to consider the following:

• Does the data subject even know what security measures have been adopted by the controller? Can the data subject request this information from the controller, for example, via the info law?

• Is it possible for the data subject to prove that the controller's security measures were not adequate?

• May the adopted security measures be considered as a fact protected by law which the data subject cannot get acquainted with without a security clearance?

• Is it in the public interest that real security measures should not be available to anyone?

• Does the data subject have available a possible decision of the supervisory authority stating a violation of Art. 32 GDPR? Was the data subject a party to the proceedings?

• Does the data subject have sufficient information on the breach directly from the controller as a result of the fulfillment of his notification obligation according to Art. 34 GDPR?

• Does the data subject have any legal possibility to entrust an external expert with an audit of the controller?

In cases where answers to these questions are negative and at the same time the identity of the hacker is not known, the data subject is practically unable to bear the burden of proof in claiming that the controller has violated Art. 32 GDPR - no matter the scope of damage or harm caused to the data subject.

It therefore seems to us that in similar cases the court must approach the burden of proof differently (from a general rule described above). However, we are not sure whether such conclusion should result directly from the principle of accountability or whether the principle of accountability or any other provision of the GDPR should even have any effect on such conclusion. There may rise situations where the violation of Art. 32 GDPR is so evident that there is no dispute between the parties (e.g. cases of absolute failure above), where it is not necessary to turn the burden of proof on the controller and the data subject could bear it. Both situations can also arise in a dispute between two legal entities, which justifies the conclusion that the answer should not be affected by the status of the data subject as a weaker party.

We will follow this case before the CJEU further. In next blogs we focus on remaining prejudicial questions.

Jakub Berthoty & Ondrej Zimen

Dagital Legal, s.r.o.