Parliamentary report recommends audits, tougher punishments after revenue agency data leak
Bulgaria’s MPs approved on February 20 the report of the ad hoc committee tasked with investigating the circumstances that led to the data breach at the National Revenue Agency (NRA), which resulted in the personal data of about 4.1 million taxpayers being stolen last year.
The report made a number of recommendations, including an audit of all central and local government IT systems, “prioritised according to the amount of personal data and potential risk”, as well as pursuing legislative changes that would more comprehensively define cybercrimes in the Penal Code and stipulate harsher punishments, which currently include fines and a maximum prison term of three years.
To the NRA specifically, the report urged the agency “to take into account” the recommendations made by the personal data protection commission in its own investigation in August 2019. The commission levied a fine of 5.1 million leva against the agency for its failures to prevent the data leak, but the NRA is appealing the fine.
Further, the report recommended that the agency fully implement the existing network security regulations and carry out systems vulnerability tests at least once a year.
Some of the report’s suggestions had a wishful nature – namely that central and local governments allocate more effort and funding to hiring IT personnel, as well as introduce mandatory training for personal data protection. State authorities were also urged to pay “serious attention” and implement “strict controls” when building new databases with personal data, and to “find a balance” between offering e-government services and ensuring cybersecurity.
The debate preceding the motion to approve the report saw heated exchanges between MPs in the government coalition and the opposition socialists. The three socialist MPs that were part of the ad hoc committee signed a dissenting opinion to the report, criticising it for failing to “clearly and categorically” assign fault for the failures that led to the data breach to the senior leadership of the Finance Ministry and National Revenue Agency.
Roumen Gechev, the socialist MP who served as deputy head of the ad hoc committee, said that “no one was held accountable”, including the head of the revenue agency, who decided not to interrupt her holiday when the data breach became public.
This prompted replies that the senior IT officials at the agency had been sacked and that the matter of guilt should be left for the courts to decide.