Due to an accidental data breach in mid-February, sensitive employee data from Bankhaus Metzler was passed on unencrypted to a service provider. The bank has confirmed this.
“The employee of the service provider who received the data was indeed supposed to receive it, but in encrypted and anonymized form,” said Mariella Plessen, press spokeswoman at the bank, when asked by our editorial team. “There is a confidentiality agreement with the service provider.”
According to Plessen, the employee immediately deleted the data in accordance with the rules and reported the incident. The information concerned was from last year and had not been forwarded or published any further. “The unencrypted and non-anonymized transmission was a human error,” the bank states officially.
In this situation, the bank evidently acted transparently towards its workforce and informed employees about the incident right away. Isabella Kriegsmann, Head of Human Resources at Bankhaus Metzler, took on this task last Friday. She heads the unit in which the data protection incident occurred.
According to Finanz-Scene, which first reported on the incident, no employee bank account details were affected, but a great deal of other information that the bank holds about those concerned was.
This included, among other things, dates of birth, organizational assignment, weekly working hours and details of salary components, such as the basic salary including the 14th monthly salary for collectively bargained employees, bonuses, allowances, company car allowance and total remuneration.
It remains unclear how many of the roughly 800 employees are affected by the data leak. Finanz-Scene reports having learned “that there is a larger group of those affected”.
An incident at the software service provider Datev shows that human resources departments regularly have to deal with such events. In January, sample invoices were unintentionally sent to third-party clients after a software update, as Heise online reported at the time. The documents “contained names, addresses, social security numbers and of course the earnings data of employees”.
What does HR have to do if the worst comes to the worst?
How, then, should companies and their human resources departments best respond to a data breach? Labor and data protection lawyer Tobias Neufeld from the law firm Arqis (spelled ARQIS by the firm) recommends, in an article for the HR trade magazine Personalwirtschaft, six measures that companies should take into account in the event of a data protection violation:
- Stop the data breach if possible.
- At the same time, initiate corrective measures immediately and put long-term technical and organizational precautions in place to prevent similar incidents in the future.
- Regularly sensitize and train employees.
- Report violations internally to the responsible departments as quickly as possible and document them in detail.
- Depending on the severity of the violation, it may also be necessary to inform the data subject and the data protection authority.
- Weigh up the risk of harm to those affected; the volume and type of data concerned are the relevant factors.
From a purely legal perspective, a personal data breach occurs when data is destroyed, lost or altered, whether accidentally or unlawfully. The same applies to the unauthorized disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed, according to the Lower Saxony State Commissioner for Data Protection.
If such a case occurs, “the responsible body must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR”. If the notification is made later, it must be accompanied by reasons for the delay.
There is no obligation to notify only if the breach of personal data protection is unlikely to result in a risk to the rights and freedoms of natural persons, or will result in no more than a low risk.
Metzler did just that
According to Bankhaus Metzler, the bank decided to report the incident “immediately to the responsible data protection supervisory authority in Hesse”.
Since it was an individual error, it will be “analyzed very carefully,” which will take some time. The company’s human resources department is carrying out a “forensic and procedural analysis”. In addition, according to Plessen, the bank intends to implement “further protective measures” and to raise awareness among the employees involved in payroll through targeted training.

Tonia Schöler is an editorial trainee at Personalwirtschaft.