Security breaches in companies

The Supreme Court delimits the liability of companies in the event of security breaches

The High Court establishes and limits the duty of diligence, and the control of the effectiveness of security policies.

The publication of the recent ruling issued by the Supreme Court, Ruling No. 188/2022, of February 15 (JUR/2022/78935), has been received with great expectation, given the influence that its content and pronouncements may have on the future criteria to be adopted by the Data Protection Agency (AEPD) and the National Court on security breaches.

The uncertainty generated in different positions of the AEPD, has meant that the employer who scrupulously complies with the regulations, who has adopted periodic controls and applies the technical and organizational security measures according to the risk, in the face of circumstances beyond his control that could cause a security breach, could suffer a damaging result and therefore the imposition of a very significant penalty.

The Court confirms a penalty of 40,000 € imposed by the Data Protection Agency on a company distributing telephone products, as responsible for a serious infringement, which was in turn confirmed by the National Court, and more importantly, goes into depth to analyze the merits of the legal issue raised, reasoning whether the security measures are an obligation of means or an obligation of result.

• In the obligation of result, the company is liable for a harmful result due to the failure of the security system, regardless of the cause and the diligence used. In the obligation of means it is sufficient to establish technically adequate measures and implement them with reasonable diligence in accordance with the technology available at any given time.

The Court in its Legal Grounds (Third, Fourth and Fifth), establishes a series of considerations and pronouncements of great practical and legal significance, which we highlight in the following document, as well as the conclusions:

In conclusion, as can be interpreted from this resolution, risks are spreading among different businesses and technologies, forcing companies to go one step ahead, rethinking current technologies and implementing diligent, agile approaches that understand security from a living and changing perspective, not relying on static and established security paradigms.