/nginx/o/2024/04/04/15983340t1h33c7.jpg)
On Thursday, nearly 700,000 customers of Apotheka, Apotheka Beauty and PetCity received a very unpleasant email. The email said that customers' personal data, including personal identification codes, email addresses, phone numbers, and in some cases home addresses, had been stolen and are now in the possession of cyber criminals.
The consolation is that, save for a few exceptions, no information about the medicines purchased by the persons fell prey to criminals. However, the same email says with ruthless bluntness: «The names of other pharmacy products are visible in the purchase history, which may also provide information about your medical condition.»
This means that the criminals may not know what illnesses you suffer from, but now they know exactly what type of condoms you prefer or how often you buy lubricant from a pharmacy.
But let's be honest – this email is still very pleasant compared to the emails you might receive in the future. Every day, someone in Estonia falls victim to cyber criminals, and every year our people are defrauded out of millions of euros.
Therefore, stolen data can easily become stolen money. Pille Lehis, director general of the Data Protection Inspectorate, said to Postimees when commenting on the Apotheka case that «data has become the most valuable currency that people have.»
And from here arises the justified question: what is the responsibility of companies in keeping this currency?
Corporate liability can be at least of three kinds. One is bureaucratic, which means fines if companies fail to comply with the Personal Data Protection Act. The second is judicial, where victims seek compensation through the courts. And the third is economic, when a company's customers leave en masse.
This another interim win for cybercriminals serves as a reminder to us that relying solely on Europe is not enough. We must make more effort ourselves because, unfortunately, cybercriminals do not wait.
The logic of the market economy says that most of all there is reason to rely on the last, and least on the first. Judicial liability could also work, but based on current case law, there are no prerequisites for this in Estonia.
The fear of losing customers is a very strong economic motivator, but in the case of Estonia, it is reduced by the small size of our market and the resulting limits on competition. If customers don't have many options, it won't work.
We can also put our hopes on the owners of the currency, i.e. the people, to think three times before handing over their data. Only – how do we hope to convince people of this if we are not able to warn them about massive cyber scams?
It's convenient to criticize the European Union along with its bureaucracy, but at least now every internet user knows that companies use their data and anyone can opt out if they wish. Additionally, the European Court of Justice has found that if, as a result of a data leak, a person fears that their data may be abused in the future, this may provide grounds for claiming moral damages.
This another interim win for cybercriminals serves as a reminder to us that relying solely on Europe is not enough. We must make more effort ourselves because, unfortunately, cybercriminals do not wait.