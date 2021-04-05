

Suffering a cyberattack is now very common, and not even the big tech companies are exempt from it. However, some of those cases may incur fines from the Data Protection Agency, which makes the situation doubly complicated for the victims, in this case the companies.

This means that not only do the companies have to pay a ransom for the information that cybercriminals have hijacked, but they can also end up fined.

How is this possible?

In the first instance, whether a system is compromised will depend on its security. Therefore, if the company has not taken the appropriate measures to prevent the theft of information stored on its servers, it may end up being sanctioned. In addition, if the company does not communicate in less than 72 hours that it has been the victim of a computer attack, that can also be considered a reason for sanction.

“The agency asks you to tell it what happened and how you are paralyzing the attack, and then extensions are made to that information as more data becomes available,” explains Johanna Álvarez, legal representative of the cybersecurity company Áudea. Thus, a firm incurs a penalty both when it does not communicate the attack and when it does not take adequate measures to prevent it, even when it has the capacity to do so.

Air Europa received a fine of 600 thousand euros for suffering a cyber attack

Air Europa is one of the few companies that have been fined for suffering a cyberattack. The company gave notice 41 days after the fact that it had been a victim of cybercrime. Why? The reasons are unknown.

In addition, the investigation revealed that its cybersecurity measures were not adequate to protect the security of its servers. This gave rise to a double sanction, of 100,000 and 500,000 euros, one for each violated rule of the Spanish Agency for Data Protection (AEPD).

Communicate GDPR Gap

The AEPD does not limit itself to sanctioning companies that incur failures; it has also made available the “Communicate GDPR Gap” tool. It is a web portal in which any company can upload and explain how the attack occurred. This includes the method used by the hackers, such as ransomware or phishing, and whether the attack was of internal or external origin, as well as the affected people and the status of the vulnerability.

Although these organizations are not obliged to provide this data, they must do so if the attack affects the rights and freedoms of the people involved in the incident.
