June 26, 2022

Volume XII, Number 177


Do email compromises to intercept wire payments require notification under the GDPR?

Possibly, yes. The European Data Protection Board (EDPB) has issued draft practical guidance on various types of data breaches to help companies identify situations in which a data security incident may need to be reported to EU supervisory authorities (the privacy regulators of the individual EU member states).

The EDPB addresses a common scenario in which an employee falls victim to social engineering and gives up his or her log-in credentials, giving a threat actor access to the employee’s email account. The EDPB’s example focuses on the threat actor’s aim of intercepting a payment transaction to divert funds, but notes that personal data may be exposed in the process. That confidentiality breach of personal data could require notification even though the threat actor’s target likely was not the personal data itself but the money.

In the EDPB’s example, the threat actor sets up an auto-forwarding rule, a common tactic in such compromises: all incoming email is forwarded to an account the threat actor controls, so the threat actor keeps receiving the target’s mail even after the target changes the account password, because the rule lives in the mailbox configuration rather than in the credentials. In the example, that rule results in name and wage information about certain employees being auto-forwarded. The EDPB’s view is that this risk gives rise to notification obligations to both the supervisory authority and the affected data subjects.
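Because the forwarding rule survives a password reset, an incident responder has to find and remove it explicitly, and has to know what it forwarded in order to scope any notification. The following audit script is an added example, not from the article or the EDPB guidance: it takes a mailbox’s inbox rules (the constructed records below are shaped like Microsoft Graph messageRule objects, which is an assumption; a real export from the Graph API or Get-InboxRule would replace them), flags every rule that forwards, forwards as attachment or redirects to a domain the organisation does not control, and notes whether the rule also deletes, hides or marks as read the original so the victim never notices the copy.

```python
"""Audit a mailbox's inbox rules for attacker-style auto-forwarding.

Added example, not part of the article. The rule records below are
constructed to mimic the shape of Microsoft Graph messageRule objects
(assumption: field names follow that schema); swap in a real export
from the Graph API or Get-InboxRule to run it against a live mailbox.
"""
import json

# Constructed sample input: four inbox rules from one compromised mailbox.
SAMPLE_RULES_JSON = """
[
  {"id": "r1", "displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "Archive"}},
  {"id": "r2", "displayName": ".", "isEnabled": true,
   "actions": {"forwardTo": [{"emailAddress": {"address": "ap.invoices@mail-example.net"}}],
               "delete": true}},
  {"id": "r3", "displayName": "Share with team", "isEnabled": true,
   "actions": {"forwardTo": [{"emailAddress": {"address": "payroll@example.com"}}]}},
  {"id": "r4", "displayName": "Old redirect", "isEnabled": false,
   "actions": {"redirectTo": [{"emailAddress": {"address": "backup@webmail-example.org"}}]}}
]
"""

# Domains the organisation controls (assumed); mail to these is not exfiltration.
INTERNAL_DOMAINS = {"example.com"}

# Every action that delivers a copy of a message somewhere else.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
# Actions an attacker pairs with forwarding so the victim never sees the copy.
HIDING_ACTIONS = ("delete", "markAsRead", "moveToFolder")


def external_targets(rule, internal_domains):
    """Return (action, address) pairs that send mail outside the organisation."""
    found = []
    actions = rule.get("actions") or {}
    for action in FORWARD_ACTIONS:
        for recipient in actions.get(action) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "").lower()
            domain = address.rsplit("@", 1)[-1] if "@" in address else ""
            if domain and domain not in internal_domains:
                found.append((action, address))
    return found


def find_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that forward or redirect mail to an external address.

    An enabled rule is a live exfiltration channel (high); a disabled one
    is still evidence and can be re-enabled by the attacker (medium).
    """
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal_domains)
        if not targets:
            continue
        actions = rule.get("actions") or {}
        enabled = rule.get("isEnabled", True)
        findings.append({
            "rule_id": rule.get("id"),
            "name": rule.get("displayName"),
            "enabled": enabled,
            "external_targets": targets,
            # True when the rule also suppresses the original, the classic BEC pattern.
            "hides_copies": any(actions.get(a) for a in HIDING_ACTIONS),
            "severity": "high" if enabled else "medium",
        })
    return findings


def audit(rules_json=SAMPLE_RULES_JSON):
    """Parse a JSON rule export and return the findings list."""
    return find_forwarding_rules(json.loads(rules_json))


if __name__ == "__main__":
    for f in audit():
        print(f["severity"].upper(), f["rule_id"], repr(f["name"]), f["external_targets"],
              "hides copies" if f["hides_copies"] else "",
              "" if f["enabled"] else "(disabled)")
```

Rule r2 is the pattern the EDPB describes: an innocuously named rule forwarding everything to an external address and deleting the original. Rule r3 forwards internally and is not flagged, which is why the internal-domain set has to be accurate; a subdomain or an acquired brand’s domain left out of that set will produce a false positive rather than a miss. Once the rules are identified, the list of external targets is also the starting point for working out which messages, and therefore whose personal data, actually left the mailbox.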

The EDPB does not, however, address whether a full review of the mailbox contents would be required; it focuses only on what was actually auto-forwarded.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 71

About this Author

Jena M. Valdetero Cybersecurity Lawyer Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025