A Security Force was Punished Based on a Security Incident

The Argentine Agency of Access to Public Information punished the Argentine Police Force for failing to comply with its confidentiality and security duties, as a result of a security breach.

February 14, 2020
An ex-officio investigation pursuant to the Data Protection Act No. 25326 (the “DPL” after its acronym in Spanish) was conducted by the Argentine Agency of Access to Public Information (the “AAIP” after its acronym in Spanish) after a series of news items appeared in the media stating that the Argentine Police Force was allegedly the victim of a security breach in which 700GB of confidential information was leaked. The leaked information included personal data and profiles of thousands of the people working in the forces, secure copies of emails, recordings of telephone conversations, fingerprints and scanned documents, among other confidential files.

According to the report submitted by the Federal Police to the AAIP, the security breach may have been caused by the intrusion of hackers through several unofficial email accounts (particularly Gmail and Hotmail accounts) that were used at some of the Federal Police’s offices to communicate confidential information. Such intrusion, on the one hand, may have occurred through a phishing technique, using malware hidden inside an application posted on the official website of the Federal Police’s Welfare Superintendence (https://supbienestar.gob.ar) that allowed the hackers to decode both the usernames and passwords of the unofficial email accounts.

The AAIP, after reviewing the background of the case and the information submitted by the Federal Police, concluded that the Police Force had failed to adopt precautionary measures to avoid the security breach. Thus, the AAIP questioned the lack of control over the mandatory use of official email accounts, instead of personal email accounts (that is to say, Gmail and Hotmail), for the communication of confidential information.

On the other hand, the AAIP investigated the reasons behind the existence of the malware on the official website https://supbienestar.gob.ar. According to the reports submitted by the Federal Police to the AAIP, the software used by the Federal Police was exposed to several security vulnerabilities since it did not include official backup.

Thus, the AAIP determined that the Federal Police failed to comply, on the one hand, with Section 9 of the DPL, which refers to the obligation to adopt security measures, and, on the other, with Section 10 of the said Act, which regulates the confidentiality obligation that must be controlled by the data controller. As a result of these two infringements, the AAIP imposed on the Federal Police two disciplinary measures pursuant to the provisions set by AAIP Rule No. 07/2005.

Furthermore, the AAIP highlighted that the Federal Police failed to comply with “the recommended security measures regarding the processing and storage of personal data base by electronic means” included in AAIP Rule No. 47/2018.

Even though the AAIP did not fine the Federal Police, on the basis that such a penalty would only mean a transfer of funds between two governmental agencies, this case is noteworthy because it provides a new analysis and assessment of the security measures adopted by those in charge of processing personal data.