Lithuanian data protection authority publishes an overview of personal data breach notifications for 2021

The Lithuanian data protection authority (SDPA) has published its overview of the personal data breach notifications it received in 2021.

Personal data breach statistics for 2021

  • 239 notifications about personal data breaches were received in total;
  • 9 notifications concerned breached databases, in which the data of 993 570 natural persons or subscribers was leaked;
  • the numbers of affected natural persons are striking: 3 379 123 in Lithuania and 11 969 880 in total;
  • leading causes of breaches: 57 % were due to human error, the remaining 43 % to other causes;
  • the most common type of breach, at 79 % of all breaches, was loss of confidentiality (unauthorised access to or disclosure of personal data);
  • cyber incidents accounted for less than half of all personal data breaches recorded in 2021; other types of security breach were significantly more common;
  • most controllers made an effort to report personal data breaches on time, but 23 % still reported later than the 72-hour deadline;
  • the majority of data controllers who reported personal data breaches were private legal entities and public legal entities (in both cases excluding electronic communications service or network providers).

Gaps in managing data security

  • no monitoring of computer network traffic and no detection or prevention of intrusions;
  • no business continuity management;
  • inappropriate server settings and rules;
  • unprotected communication channels, allowing unencrypted data transfers;
  • outdated server operating systems;
  • unsegmented computer networks;
  • no access control in place.

How to prevent personal data breaches?

As cyber and other security incidents are on the rise, it is essential to ensure that the technical and organisational measures applied to personal data security are effective and continuously updated. In its overview, the SDPA lists technical and organisational measures for personal data security that would help prevent personal data breaches, namely:

  • using an encrypted communication channel for external access to IT resources, i.e. cryptographic protocols such as TLS (SSL and early TLS versions are deprecated, so TLS 1.2 or later should be used);
  • ensuring regular and immediate installation of critical operating system security updates;
  • controlling SQL queries and network traffic by deploying intrusion detection and prevention tools (e.g. IDS (Intrusion Detection System) / IPS (Intrusion Prevention System), network firewall);
  • correctly configuring the servers and other equipment involved in external communication, following good practice;
  • ensuring the security of websites (e.g. by installing a Web Application Firewall (WAF)); where possible, segmenting computer networks so that personal data is not reachable through external communication channels;
  • implementing access control in line with the organisation's security policy, applying the "need to know" principle;
  • preparing and continuously testing the business continuity plan.

It should be noted that this list is not exhaustive. In each case, the data controller must evaluate the personal data processed, the scope, context and purpose of the processing, and the risks to the rights and freedoms of individuals, which vary in likelihood and severity.

Notification of personal data breach to SDPA

A personal data breach must be notified to the SDPA without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of it (Article 33 GDPR). However, the SDPA's overview shows that the obligation to notify within 72 hours is still not consistently followed.

Employee training

Another security measure is ongoing employee training. Employers must ensure that their employees are continuously trained and instructed on what to do in the event of a personal data breach and what the next steps are.

The overview published by the SDPA can be read here. It is available in Lithuanian only.

If you need assistance or consultation in personal data protection, please consult our experts at ECOVIS ProventusLaw.

This summary was prepared by certified ECOVIS ProventusLaw data protection expert, senior associate Milda Šlekytė.
