Last Monday the telephone retailer The Phone House was the victim of a ransomware attack by a cybercriminal organization that stole the personal data of nearly three million of the company's customers.
The stolen data include ID numbers, names and surnames, bank account details and addresses. “Some of this data has already been published, while the cybercriminals threaten to continue disclosing the personal data of thousands of users if the company does not agree to pay a ransom,” explains the online legal advice service Legalitas.
I am among those affected by the cyberattack and my data has been leaked. Can I claim compensation?
“Article 82 of the RGPD establishes that any person who has suffered material or immaterial (moral) damage as a result of an infringement of the RGPD has the right to receive compensation from the controller or the processor for the damage suffered,” states Legalitas.
In this regard, they clarify that two conditions must be met in order to receive compensation:
That the breach was the consequence of an infringement by the company (for example, not having taken the necessary measures to protect the data), this being the reason the attack succeeded.
That there is a cause-and-effect relationship between the damage suffered and that infringement (for example, that someone is misusing the leaked data by taking actions such as applying for credit, opening a bank account, contracting utilities or making fraudulent purchases).
If both of the above conditions are met, the claim must be pursued through civil proceedings with the help of a lawyer.
What to do if, as a company, you are the victim of a ransomware cyberattack like this
“These types of attacks that affect personal data are called security breaches,” explain the experts of the legal department. A security breach is a security incident that affects personal data (ID number, bank details, name and surname, mobile number, email, etc.).
Regulation (EU) 2016/679, the General Data Protection Regulation (RGPD), establishes the obligation for organizations (public and private) acting as data controllers to make two types of notification when faced with this situation:
Notify the competent supervisory authority (the Spanish Data Protection Agency, AEPD, or the regional authorities where appropriate) of security breaches that may affect people's rights and freedoms, within 72 hours of becoming aware of the breach.
Notify the people whose data has been affected, if the damage is serious, so that they can take measures to protect themselves.
Although merely reporting a breach to the AEPD does not by itself mean that the controller will be sanctioned, the data controller must not only follow the incident reporting procedure and manage the incident, but must also be able to demonstrate that it had implemented all the technical and organizational measures necessary to prevent this type of incident, in line with the principle of proactive responsibility (accountability) set out in the RGPD.
How can I protect myself if I am notified that my data has been leaked?
The legal portal advises that, if you are notified that your data has been leaked, in the case of an email account you should change your passwords or activate two-step verification. “We must be especially alert to the emails we receive, in case emails arrive from unknown senders asking us to click on a link or download a file,” they detail.
If the affected data is our credit card, especially if the CVV has also been leaked, the most advisable course is to contact our bank and request that the card be blocked. “As for our bank account, it is also important to notify our bank and keep a close eye on any suspicious charges, filing the corresponding complaint as well,” Legalitas concludes.