17.10.2024

Data protection and state security - conclusions after the seminar of the Polish SA and the ZUS

On 7 October, a seminar on ‘Data protection as an element of the resilience of society and the state’ was held at the Social Insurance Institution Headquarters in Warsaw. During the meeting, the Personal Data Protection Office and the Social Insurance Institution, in cooperation with the Social Team of Experts by the President of the Personal Data Protection Office, presented trends and directions applicable to the protection of personal data as an element of the resilience of society and the state.

Topics covered at the event included new types of cyber-attacks, the impact of warfare on the number of data protection breaches, and new methods of phishing and social engineering attacks in the context of Russia's aggression against Ukraine and the conflict in the Middle East.

There is a reason why this conference took place in October - European Cybersecurity Month. It is a campaign organised by ENISA, the European Union Agency for Cybersecurity, at the initiative of the European Commission. Its aim is to popularise knowledge, raise awareness and exchange good practices in the area of cyber security among Internet users, professionals and those involved in the education of children and young people. In this year's edition, special attention was paid to the issue of social engineering - the various manipulation techniques that cybercriminals use in online scams targeting web users.

The seminar was an opportunity to discuss new trends in the activities of hackers exploiting gaps in the security of systems that process personal data. Participants discussed the privacy challenges posed by new technologies such as artificial intelligence, machine learning and biometric data processing. They discussed the use of personal data leaks to disinform or interfere with democratic processes.

Education is the key

During the event, panellists stressed that data protection must be an integral part of thinking about state security. The weakest link in this chain is always the human being. That is why it is important to build awareness of the risks that we can counteract by doing things such as changing our passwords frequently, checking when someone last logged into our account, being cautious about using company equipment for private purposes or private equipment for business purposes. Educating the youngest, training employees, making the elderly more aware, and introducing the principles of cyber-hygiene - this is the basis through which we will ensure the safe use of electronic devices and modern technologies. Experts also discussed the importance of cyber-security education among employees in public administration and the private sector.

Valuable cooperation

A large part of the meeting was given over to reflections on what public authorities should do to combat cybercrime that violates citizens' privacy. The speakers discussed how the Personal Data Protection Office and the Computer Security Incident Response Teams (CSIRT) can strengthen cooperation on sharing information about threats and data protection breaches, and what specific technical and organisational measures controllers should implement to increase resilience to cyber-attacks.

Cybersecurity is a team effort, requiring not only cooperation between local institutions such as the military or the police and - for example - big tech companies, but also cooperation with European Union institutions and Member States. Legal regulations such as the NIS2 directive also play a role, since their correct implementation has a significant impact on the level of cyber security.

In terms of cooperation, DPOs have an important function as data protection guardians. However, there are some issues related to their work that need to be clarified. With regard to DPOs, attention was drawn to the fact that the legislator has not clarified the criteria for assessing DPOs: how can their reliability be checked when they are employed by several or more controllers? The need to issue a certificate of no criminal record for the DPO, which was in force under the previous legal regime, was emphasised. It was also noted that positions such as "deputy DPO" or "person replacing the DPO" require a clearer definition.

Increasing number of attacks

According to Research and Academic Computer Network (NASK) data, the number of personal data protection incidents is growing dramatically. In 2020, 10,000 were recorded, two years later – 38,000, while by September 2024, 80,000 had already been recorded.

Experts have warned against phishing - one of the most popular types of attack, based on e-mail or SMS messages. Cybercriminals pretending to be, among others, courier companies, administrative authorities, telecommunication operators or friends of the victim try to trick victims into revealing their login data, e.g. for bank accounts, social networking accounts or business systems.

Fraudsters are increasingly focused on data monetisation - taking control of a company's data to blackmail it. If the company does not agree to the thieves' terms, they target the company's customers with their demands.

The aim of online criminals may also be to compromise public institutions.

We are also observing the activities of organised crime groups that set up fictitious shops on popular websites and use them to carry out large-scale fraud.

Need for regulation

The discussion focused on the challenges of implementing new data protection regulations, as well as the practical aspects of information security management in public institutions.

Poland is preparing for the entry into force of the NIS2 Directive (Network and Information Systems Directive 2). This is a very important legal and regulatory document setting general standards for the cyber security of entities critical to the functioning of EU society. NIS2 sets out new security rules for operators of critical services in both the public and private sectors, operating in areas such as energy, banking or healthcare.

Participants also discussed the importance of the S46 System, a project of the Research and Academic Computer Network, which will contribute to raising the level of cyber security and fighting cyber threats more effectively. The S46 System is understood to be the ICT system listed in Article 46(1) of the National Cyber Security System Act, which supports the activities of the entities listed in the Act.

The role of the Personal Data Protection Office

Konrad Komornicki, Deputy President of the Personal Data Protection Office, speaking on cyber security and the obligation to report data protection breaches, including incidents of personal data theft, highlighted that the Personal Data Protection Office is currently working on the implementation of a ‘one-stop-shop’ system to simplify the procedure for reporting data protection breaches. The system, he explained, would introduce a single convenient, coordinated point of contact for all breach reports, making it significantly easier for businesses and public institutions to report incidents to the relevant authorities. The Single Point of Contact (SPOC) is a key element of the National Cyber Security System, responsible for ensuring efficient cooperation and information exchange with European Union institutions and other Member States. Its role is to represent Poland in the EU cyber security ecosystem and coordinate cross-border incident response.

The situation where a company is reluctant to report a breach to the DPA because it wants to avoid a fine for insufficient safeguards was also discussed.

Next steps

From the perspective of the Personal Data Protection Office, further action should focus on several key aspects:

• improving data protection regulations and procedures in response to dynamic technological changes and cyber threats;

• strengthening cooperation with law enforcement and international partners to respond more effectively to global data breach threats;

• supporting the development of data protection education programmes among citizens and employees of public institutions, which is key to strengthening the country's overall resilience to cyber threats.

Seminar participants included experts from the Personal Data Protection Office, Social Team of Experts by the President of the Personal Data Protection Office, Social Insurance Institution, the Cyber Defence Forces Component Command (Major General Karol Molenda), the Central Cybercrime Bureau, the National Prosecutor's Office, the Ministry of National Defence, the National Police Headquarters, Techom Sp. z o.o, the Association of Data Protection Officers, Cardinal Stefan Wyszyński University, Research and Academic Computer Network.