Datatilsynet (Denmark) - 2022-63-0003
Revision as of 17:11, 19 July 2022
| Datatilsynet - DK-SIRIUS-advokater | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 5(1)(f) GDPR, Article 9 GDPR, Article 24 GDPR, Article 32 GDPR, Article 83(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 14.07.2022 |
| Fine: | 500,000 DKK |
| Parties: | SIRIUS advokater |
| National Case Number/Name: | DK-SIRIUS-advokater |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (Denmark) (in DA) |
| Initial Contributor: | derhagen |
The Danish DPA fined the law firm "SIRIUS advokater" approximately €67,000 (DKK 500,000) for its insufficient security safeguards that enabled a data breach through ransomware.
English Summary
Facts
The law firm "SIRIUS advokater" suffered a data breach through a ransomware attack. The attackers gained access to the firm's servers and encrypted them. This posed a serious risk that personal data had become accessible to unauthorized parties, with potential damage to the affected persons. In March 2020, SIRIUS advokater notified the Danish DPA of the personal data breach.
Holding
The Danish DPA considered that law firms process special categories of personal data by nature. In this case, SIRIUS advokater lacked basic security measures. The DPA assessed the appropriate sanctions in accordance with Article 83(2) GDPR and issued a fine of approx. €67,000 (DKK 500,000). The DPA emphasized that in systems with a high volume of special categories of personal data, where a data breach implies a high risk for the data subjects' rights, the data controller must have qualified security measures in place, to avoid unauthorized access to personal data. Furthermore, the DPA reported the firm to the police.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
SIRIUS lawyers are fined

Particularly protected personal data was compromised when SIRIUS lawyers were subjected to a hacker attack. Due to a lack of security measures, the Danish Data Protection Agency has reported the company to the police and recommended a fine of DKK 500,000.

SIRIUS lawyers have been fined DKK 500,000 for not implementing very basic security measures when setting up remote access to the company's IT systems containing personal data of a particularly protected nature.

In March 2020, SIRIUS lawyers reported a breach of personal data security to the Danish Data Protection Agency after they were subjected to a hacker attack. During the attack, hackers gained access to and encrypted the law firm's servers, which contained information about the company's clients and counterparties. This created a serious risk that the information about these persons came into the hands of unauthorized persons, with potential damage to the persons in question as a result.

Lack of basic security precautions

“Law firms naturally process a lot of information that requires special protection. In this case, SIRIUS lawyers have lacked basic security measures, and this unfortunately meant that, among other things, clients' information was compromised. You cannot protect yourself 100% against hacker attacks, but the rules in the GDPR require that you make an effort to avoid what is equivalent to the risk,” says Betty Husted, clerk in the Danish Data Protection Agency.

In systems with a large number of personal data of a particularly protected nature, where compromise will involve a high risk to the data subjects' rights, the data controller must have specially qualified security measures in place to ensure that unauthorized access to personal data does not occur. Thus, when creating remote access to such IT systems, one must have implemented verification measures, such as multifactor login.

Why police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83(2) of the Data Protection Regulation when assessing which sanction is, in the opinion of the Authority, the correct one. In assessing that a fine should be imposed, the Danish Data Protection Agency has emphasized that SIRIUS lawyers had not implemented the security measures that are at least expected when using remote access to systems that, if compromised, would involve a high risk to the data subjects' rights. In its recommendation on the size of the fine, the Danish Data Protection Agency has, among other things, emphasized the nature and seriousness of the infringement and the regulation's requirement that a fine in each individual case must be effective, proportionate to the infringement and have a deterrent effect. Furthermore, it has been taken into account, among other things, that SIRIUS lawyers were in the process of implementing a multifactor authentication solution at the time of the breach. At the same time, the Danish Data Protection Agency has emphasized that SIRIUS lawyers have acted extremely cooperatively in relation to the information in the case.