Company fined as a consequence of a data breach
By Mariano Peruzzotti and Valentina González Medina.
On September 17, 2021, the Agency for Access to Public Information (“AAPI”), controlling authority of Personal Data Protection Law No. 25,326 (“PDPL”), sanctioned Cencosud SA for violating the provisions of the data protection legal framework as a consequence of a security incident.
The AAPI became aware of a data breach that affected the systems of Cencosud, a multinational conglomerate that operates in Argentina through the companies Jumbo, Easy, Vea and Disco Supermarkets, in November 2020. The security incident was triggered by a computer attack known as “Egregor ransomware”, a malware that encrypts information.
The National Directorate for the Protection of Personal Data (“NDPPD”), a governmental body within the administrative structure of the AAIP, considered that said security incident could involve the leakage of Argentine data subjects’ personal data, thus affecting the protective principles of the PDPL as well as the security and confidentiality duties in charge of Cencosud. Consequently, the NDPPD requested the company to provide information about the incident.
The defenses filed by Cencosud were considered insufficient. The NDPPD determined that neither preventive measures nor corrective measures to minimize its impact or to prevent future violations were properly taken. Also, it highlighted the fact that after the NDPPD’s request sent to the company some users received fraudulent emails under a “phishing” scheme.
Therefore, the NDPPD sanctioned the company for the commission of the following infringements:
- Failure to take the technical and organizational preventive measures necessary to guarantee the security of the information, which constitutes a serious infringement pursuant to AAIP’s Rule No. 7/2005.
- Failure to take the necessary technical and organizational corrective measures to guarantee the security duty within the organization, which constitutes a serious infringement.
- Failure to report the clients that they could be affected by personal data leaks due to the security incident at the first opportunity, which constitutes a very serious infringement.
- Failure to report their clients that they could be affected by fraudulent emails under a “phishing” scheme as a consequence of the security incident suffered by the organization on a second occasion, which constitutes a very serious infringement.
Consequently, the AAPI imposed Cencosud a fine of Argentine Pesos 290,000 (approximately USD 2,938 at the current official exchange rate) for committing the above-mentioned infringements.
To reach this conclusion, the AAIP took into consideration the following aspects:
- The company did not adopt any of the security measures provided for in AAPI’s Resolution No. 47/2018 to prevent security incidents by design or those concerning incident management.
- Both incidents (the ransomware attack and the subsequent data leak resulting from the fraudulent emails sent to Cencosud’s clients) exposed the data subjects’ personal information twice.
- Cencosud, as data controller, should have proactively reported affected users about the incident allowing them to take preventive measures to avoid possible illegal maneuvers and/or exercise their rights under the PDPL if they considered convenient. The notification duty, which is not provided for in the PDPL, is nevertheless contemplated in the Standards for Data Protection approved by the Ibero-American Data Protection Network or the updated Principles of the Inter-American Legal Committee on Privacy and Personal Data Protection.
- Pursuant to Resolution No. 47/2018 security measures must be adopted by organizations within the context of the accountability principle considering “the organic structure that best suits its interests and operation”.
For further information contact: mperuzzotti@ojambf.com.
