Can this carry a risk of fines and of damages payable to clients? The practice of European countries shows that it can. Inappropriate use of security measures that leads to a leak of personal data generally results in larger or smaller fines from supervisory authorities. At the same time, all victims have the right to claim damages.
The EU has already seen such cases. Last year, the UK Data Inspectorate (ICO) fined British Airways €22 million because in 2018, after a cyberattack, the data of 400 thousand customers was stolen: names, surnames, emails, postal addresses and bank card details. The maximum fine could have reached €100 million, but it was significantly reduced because of the economic consequences of COVID-19 for the company.
But the company’s problems did not end with the fine alone. The British law firm PGMBM is currently preparing a class action lawsuit worth more than £800 million. Compensation of €2,000 is requested for each victim (there were 16,000 people in December, and about 40,000 are expected to be gathered). Therefore, a class action lawsuit is also likely in Lithuania after the investigation by the State Data Protection Inspectorate (VDAI). Of course, the amount of compensation in Lithuania may be determined mainly by the level of sensitivity of the leaked data (for example, whether there is financial data among them).
Another ICO fine worth recalling was imposed on the well-known Marriott hotel chain, which was fined €20.4 million for a cyberattack affecting more than 339 million consumers around the world. The violation lasted as long as 4 years; clients' names, surnames, emails, postal addresses, telephone numbers, passport data and other personal data were stolen.
So what will determine the amount of compensation in the CityBee case?
First, attention must be paid to the seriousness of the situation. CityBee suggests that this is not a material infringement because payment details were allegedly not leaked. This must be verified in detail by the VDAI during the investigation; it is doubtful that such data was completed in the company’s request, which may mean that, in a legal sense, such data was collected.
At the same time, it is important that victims have received notifications of personal data breaches, and such notifications are only sent when there is a significant risk to the rights and freedoms of individuals. Of course, the company may have only taken these steps as a precaution, but typically, unless there is significant risk, these messages are not delivered. VDAI has also published these recommendations.
Second, when evaluating the Lithuanian precedents, it is necessary to remember the incident of the Beauty Clinic, when extremely sensitive health data, photos, medical records, etc. were stolen. However, this happened before the GDPR took effect, so the company avoided higher penalties at the time. Today this would be seen as a very serious infraction, and the penalties would likely be even more severe than in the CityBee situation now.
Third, the joint efforts of affected customers are important. Will they be able to properly record the circumstances of the infringement (for example, whether customers have kept the notice of the infringement from CityBee is an important fact)? How, and by whom, will the damage suffered be assessed? Will the dispute be resolved on the spot, at the litigation stage, or be taken through all the judicial instances of Lithuania?
Affected customers are reminded to take care of the security of their data on a regular basis: update passwords regularly, do not use the same password for different accounts and, in case of incidents, change at least the most important login details. These preventive actions cost nothing, but can help avoid negative consequences even when personal data is leaked.
Mantas Baigys is an attorney at Avocad Law Firm.