Agency of Access to Public Information Resolution No. 2021-146
CIRCULAR
Data Privacy & Data Protection Department report
Dear Sir or Madam,
On September 21st, 2021, the Agency of Access to Public Information (“AAPI”), the enforcement authority of the Data Protection Law No. 25,326 (hereinafter, the “DP Law”), decided by means of Resolution No. 2021-146 (the “Resolution”) to impose a fine of $290,000 on an important retail company (the “Company”) for having committed two serious and two very serious infringements of the provisions of the DP Law.
The AAPI initiated an ex officio investigation against the Company, carried out by the National Directorate for the Protection of Personal Data (“Directorate”) of the AAPI, after having become aware of certain public and notorious facts related to a breach that had occurred in the Company’s computer systems in November 2020, triggered as a result of a computer attack known as “Egregor ransomware”, malware that encrypts information.
In this regard, in light of the fact that among the information collected by the attackers there were “movements of purchases and sales of the company”, as well as customer and credit card data, the Directorate considered that such security incident involved the leakage of personal data of Argentine data subjects in their capacity as customers, a situation that would affect the protective principles of the DP Law, in particular, the duties of security and confidentiality of the Company.
It is important to note that the Directorate (a) considered as two serious infringements the fact that the Company had not adopted any of the measures established by Resolution No. 47/2018 of the AAPI, which sets out “recommended” (not mandatory) security measures to prevent security incidents by design, as well as for incident management, and (b) considered as two very serious infringements the Company’s failure, on a first and a second occasion, to report to its customers that they could be victims of personal data leaks due to the security incident suffered by the organization, even though such obligation does not arise directly from the DP Law or from the aforementioned Resolution No. 47/2018.
Should you require any further information on this matter, please do not hesitate to contact us.
Sincerely,
Emilio Beccar Varela
Florencia Rosati
Mariana Lamarca Vidal
Martín Beccar Varela
Agustina Pardo