Abstract
According to recent reports on cybersecurity incidents, attacks initiated by malicious insiders were the costliest and the longest to resolve, even though they constitute a clear minority of all data breaches. They also pose significant problems for compliance with the rules on personal data protection. The General Data Protection Regulation (GDPR) does not differentiate personal data breaches by their source, whether internal or external. Thus, in theory, the obligations of data controllers in the aftermath of personal data breaches caused by malicious insiders and by outsiders are the same. However, breaches caused by malicious insiders are much harder to identify, which causes severe problems under the GDPR regarding the distinction between breaches of security and personal data breaches, and in turn affects the notification obligations towards data protection authorities and data subjects. This article shows that malicious insider threats are hard to address appropriately under the GDPR, which may expose, on the one hand, controllers and processors to the risk of non-compliance, potentially triggering civil liability and administrative fines, and on the other hand, data subjects to a high risk to their rights and freedoms of which they will never be aware unless that risk materializes and affects them directly. Thus, the author supports proposals for legislative changes that may help to fill the existing gap, provided that they are followed by comprehensive amendments regarding the content of notifications to data subjects and the investigation obligations that follow information about a possible breach.