Monday, March 16, 2026

Dutch Court Ruling: Weak Passwords and No 2FA Are a Clear GDPR Violation

The Bottom Line

  • Financial Risk Is Real: Courts are upholding significant fines issued by data protection authorities for what are now considered basic cybersecurity failures. The cost of non-compliance is high and legally enforceable.
  • The Security Bar Has Been Raised: Measures like mandatory Two-Factor Authentication (2FA) and strong password policies are no longer just “best practice.” This ruling frames them as a minimum legal requirement for protecting personal data under GDPR.
  • “We Got Hacked” Is Not a Defense: Arguing that a breach was caused by a sophisticated external attack will fail if your internal security measures are not up to modern standards. The focus is on the adequacy of your preventative measures, not just the nature of the attack.

The Details

In a decision that serves as a stark warning to businesses across Europe, the District Court of Oost-Brabant has upheld a significant fine imposed by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The case centered on a company that suffered a data breach after an employee’s account was compromised, leading to unauthorized access to a customer database. The regulator fined the company for failing to have adequate security measures in place, a decision the company subsequently challenged in court.

The court’s reasoning provides a crucial insight into the evolving expectations of GDPR compliance. The judgment focused squarely on the company’s failure to implement what the court considers fundamental security controls. Specifically, the company did not enforce Two-Factor Authentication (2FA) for employees accessing sensitive systems remotely, and its password policy was deemed insufficient. The court dismissed the company’s defense that it had other security measures like firewalls, effectively stating that these are irrelevant if the most common point of entry—user credentials—is not properly secured.

This ruling solidifies the interpretation of Article 32 of the GDPR, which requires businesses to implement “appropriate technical and organisational measures” to ensure data security. The key takeaway is that the definition of “appropriate” is not static; it evolves with the threat landscape. The court has now clearly signaled that in today’s environment, failing to mandate 2FA and enforce a strong, complex password policy constitutes a direct violation of this duty. For CEOs and legal counsel, this means that an internal audit of cybersecurity policies is no longer a matter of IT procedure, but a critical legal and financial priority.

Source

Source: Rechtbank Oost-Brabant

Merel
With a passion for clear storytelling and editorial precision, Merel is responsible for curating and publishing the articles that help you live a more intentional life. She ensures every issue is crafted with care.