Datatilsynet (Norway) - 20/03500

From GDPRhub
Revision as of 07:47, 16 February 2022 by Gr (→Comment: added update)
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.01.2022
Published: 24.01.2022
Fine: 2,000,000 NOK
Parties: The Norwegian Parliament (Stortinget)
National Case Number/Name: 20/03500
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA published a draft decision setting out its intention to fine the Parliament about €196,400 (NOK 2,000,000) for a data breach in which perpetrators gained access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and of organizational measures.

English Summary

Facts

In the fall of 2020, the Norwegian Parliament (Stortinget) suffered a personal data breach affecting employees' email accounts, discovered after an employee had been contacted by their bank about an attempted misuse of their payment card abroad. The Parliament found that the perpetrators had downloaded various data, including personal data such as information about bank accounts, birth dates and health-related data.

The Parliament had not enabled two-factor authentication in its email system, despite having identified the lack of it as a "high risk" in its risk analysis of March 2020. It had also identified a lack of security culture, low competency and little focus on data protection as very high risks.

When the DPA reviewed the risk analysis in May 2021, two-factor authentication was still not fully implemented. In its notification of a decision, the DPA noted that the Parliament's administration, represented by the Secretary General, had been grossly negligent.

Holding

The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching Article 32(1)(b) and (d) GDPR, cf. Article 5(1)(f) GDPR.

For this, the DPA intends to fine the Parliament about €196,400 (NOK 2 million). This is only a notification of a fine; the Parliament has three weeks to submit its views, after which the DPA will make its final decision.

Comment

Update 15/02/2022: the Norwegian DPA has received a response from the Parliament with feedback on the notified decision. After the feedback has been reviewed, the DPA will make a final decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE PARLIAMENT
PO Box 1700 Sentrum
0026 OSLO

Exempt from public access: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.

Their reference:    Our reference: 20/03500-8    Date: 13.01.2022



Notification of decision on infringement fine

1. Introduction

The Norwegian Data Protection Authority refers to the submitted notification of 6 September 2020 of a breach of personal data security, as well as to the Storting's response to the report of 8 December 2020.

We also refer to other correspondence and documentation that has been made available to us and that can be linked to the relevant notification of a breach of personal data security. The overall documentation forms the basis for this notification of decision. It is the attack in 2020 which is the basis for the decision. The events of March 2021 are of a different nature, and will not have significance for this decision.

In the following, Multi-Factor Authentication (MFA), two-factor authentication and strong authentication mean the same thing. They will be referred to under the collective term «two-factor authentication».

2. Notification of decision on infringement fine

This is a notification pursuant to the Public Administration Act § 16 that the Norwegian Data Protection Authority is considering the following decision on an infringement fine:

    Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 58 (2) (i), cf. Article 83, an infringement fine of two million - 2,000,000 - kroner shall be imposed on the Storting, payable to the Treasury, for not having implemented suitable technical and organizational measures, including two-factor authentication, to achieve a level of security which is suitable in terms of the risk, in order to ensure lasting confidentiality, integrity and robustness, cf. the Privacy Ordinance Article 32 No. 1 letter b) and d), cf. Article 5 No. 1 letter f).

The background and reasons for the decision follow below.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org.nr: 974 761 467. Website: www.datatilsynet.no

3. The case

On 2 September 2020, the Storting was informed that it had been exposed to a data breach (unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and employees in the administration and the group secretariats. It was one of the employees who notified the administration, after the person in question had been contacted by his bank about an attempted misuse of a payment card abroad.

Subsequent investigations revealed that attackers had downloaded varying amounts of data and that this data could contain personal data originating from the affected employees' email accounts. In the deviation report to the Data Inspectorate and the subsequent additional report, it was stated that this included bank and account information, including personal information about third parties, birth number and health information.

Possible consequences for those affected by the attack may be identity abuse, abuse of payment cards and use of information for extortion.

The Storting's administration later became aware that personal information from 13 email accounts could have been lost. Those affected were informed and followed up to limit damage. People who were mentioned in the emails of those affected (third parties) were notified.

As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures. Among other things, new password requirements were introduced, the scope of security logging was expanded and mobile device guidelines were updated. Work was also started on introducing two-factor authentication. In addition, training measures were implemented for employees to raise awareness of information security.

The Storting has close contact with relevant security authorities in this matter. The matter has been reported to the police, and PST is investigating the case.

4. Relevant legal rules and guidance on two-factor authentication as a security measure

The discrepancies concern breaches of confidentiality, integrity and robustness. The Privacy Ordinance Article 32 states:

«Taking into account the technical development, the implementation costs and the nature, scope, purpose and context of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security which is suitable in terms of the risk, including, inter alia, as appropriate,

    a) pseudonymisation and encryption of personal data,
    b) ability to ensure lasting confidentiality, integrity, availability and robustness in processing systems and services,
    c) ability to restore the availability of and access to personal data in a timely manner if a physical or technical event occurs,
    d) a process for regular testing, analysis and assessment of how effective the technical and organizational security measures of the processing are.»

The Privacy Ordinance Article 5 No. 1 letter f) states that personal data «shall be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against unintentional loss, destruction or damage, through the use of appropriate technical or organizational measures («integrity and confidentiality»)».

Article 32 requires that a specific assessment be carried out of the risk to the rights and freedoms of natural persons, in relation to the degree of probability and seriousness. The mapping must be linked to the relevant business and its processing of personal data.

Furthermore, the provision stipulates that suitable technical and organizational measures shall be implemented to achieve an appropriate level of information security in the areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with and reduce the risks identified in the survey through the introduction of measures. These can either be technical measures in the form of physical security such as authentication solutions, or organizational measures in the form of, for example, routines and training of personnel.

In the Data Inspectorate's assessment of what must be regarded as suitable measures, a company's own assessment of risk and necessary measures is given great weight.

As the data controller, the Storting's administration undertakes to familiarize itself with the regulations in the field of privacy, including the requirements to conduct risk assessments and to implement the measures necessary to achieve a satisfactory level of security. This follows from Article 5 (2) of the Privacy Regulation.

We assume that there may be alternative measures to ensure a sufficient and effective level of security. The introduction of two-factor authentication is an example of a security measure that is recognized as effective and easily accessible. In this connection, we refer to the fact that both the Danish Data Protection Agency and the National Security Authority (NSM) have published supplementary information on their websites on why and when two-factor authentication should or ought to be introduced.

On NSM's website, clear recommendations have been given on the use of two-factor authentication when creating, among other things, email accounts. NSM also recommends requiring unique passwords per service.

On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It states:

    Many services are based only on something you know, in the form of a username and password. Very many also use the same password on several different services, which makes those users even more prone to others logging in as them on various services.

    Often a service will make demands on the complexity of the password, such as requirements for minimum length, requirements to use numbers, lowercase and uppercase letters, and possibly special characters. This may reduce the ability to guess passwords, but users tend to use the same type of pattern. «Summer 2017» is a type of password that many unfortunately use. It is also common for users to reuse the same password on several services.

    If the password goes astray, it does not matter how strong / complex the password is. Unfortunately, there are many ways a password can go astray. For example, leaks from other places where the user uses the same password, malware on the user's PC that picks up usernames and passwords, "man in the middle" attacks and phishing attacks.

    Therefore, two-factor authentication is a much more secure solution. When such authentication is used, the consequences of usernames and passwords going astray will be far less.

    In Norway, we have seen examples of both political parties and schools experiencing that someone has acquired unauthorized access to systems due to lack of strong authentication.

    The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is necessary to ensure security.

The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as two-factor authentication.

5. The Data Inspectorate's assessment of the Storting's solution for authentication of users

The Storting had not introduced two-factor authentication for users of its e-mail systems at the time of the security breach in September 2020. In the latest version of the ROS analysis related to authentication, which was completed in March 2020, the lack of two-factor authentication was identified as a "high risk" for unauthorized access.

The Storting's report of 8 December 2020 states that there is ongoing work to introduce two-factor authentication for users on all solutions where technically possible, including email.

We have also noted that a lack of security culture was identified as a "high risk" for unauthorized access to the Storting's systems in the ROS analysis in 2020. In the concluding summary of the ROS analysis, it appears that it is perceived as challenging that different user groups are not subject to the instruction authority of the Storting's administration. Lack of security culture, low competence and little focus on privacy are considered a very high risk.

In our view, the description in the ROS analysis reveals vulnerabilities that could have been compensated by organizational measures, as required by Article 32. Examples of such measures are mapping of employees' knowledge of information security and privacy, and targeted training of employees.

As organizational measures, guidelines and routines for using the company's email account could be effective and necessary to reduce the risk posed by human factors. These should be part of the management system for privacy and information security, which is decided by the management of the business.

The Norwegian Data Protection Authority takes a serious view of the fact that no technical measures which could have prevented the violation, e.g. the use of two-factor authentication, had been implemented by the Storting.

Missing or deficient security measures increase the likelihood of security breaches. The consequences can be very serious for the companies and their employees who are affected by events like this.

Attacks via employees' emails are considered a well-known and real attack vector for data security breaches. Access to email accounts is a known method of gaining access to additional systems in a business.

Secure authentication is considered a simple and essential security measure to reduce the risk of such attacks.

In this case, the intruders gained access to a number of the Storting's e-mail accounts due to a lack of security measures. The Storting had previously carried out a risk assessment which concluded that two-factor authentication should be introduced. However, this has taken a disproportionately long time.

At the time of the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of two-factor authentication was still not completed. The Storting's failure to introduce the security measures which the Storting itself has considered necessary in this area has made the service less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if the necessary technical and organizational security measures had been implemented in time, the Storting's infrastructure would have been more robust, and the attack could have been avoided.

Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case a change of the authentication solution, in addition to deficient organizational measures, is considered to constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. The provisions mentioned require the data controller to establish an appropriate level of security to ensure lasting confidentiality, integrity, availability and robustness of the services.

6. The Privacy Regulation's rules on infringement fines

The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose infringement fines on public authorities and bodies under the rules of the Privacy Regulation Article 58, cf. Article 83 (1) and (2).

The right to impose infringement fines shall be a tool to ensure effective compliance with and enforcement of the Personal Data Act. An infringement fine is to be regarded as punishment under Article 6 of the European Convention on Human Rights.

The Data Inspectorate therefore assumes that a clear preponderance of probabilities of an offense is required in order to impose a fine. The case and the question of imposing an infringement fine are assessed on the basis of this evidentiary requirement.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by an administrative body, which addresses a committed violation of law, regulation or individual decision, and which is considered a punishment under the European Convention on Human Rights (ECHR).

It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for companies. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court ruled that objective liability for corporate punishment is not compatible with the concept of punishment in the European Convention on Human Rights, as interpreted by the European Court of Human Rights.

In a letter dated 2 June 2021, the Ministry of Local Government and Modernization forwarded the Ministry of Justice and Emergency Preparedness's briefing of 12 May 2021 on the significance of this Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states the following:

    «Pending the report on corporate penalties and any proposals for legislative amendments, we recommend that the ministries inform their underlying agencies about the Supreme Court decision, and that this for the time being is also used as a basis for imposing infringement fines against companies. This means that the imposition of infringement fines against companies requires that the person who has acted on behalf of the company has shown general negligence.»

Article 83 provides in principle that the imposition of infringement fines depends on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors that should be given special emphasis. It is stated in Article 83 No. 1 that the Data Inspectorate shall ensure that the imposition of infringement fines in each individual case is effective, stands in a reasonable relation to the violation and acts as a deterrent.

7. The Data Inspectorate's assessment of whether an infringement fine should be imposed

In our assessment of whether we should impose an infringement fine, we have placed particular emphasis on the following factors:

a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the processing concerned, the number of data subjects affected and the extent of the damage they have suffered

Violations of personal data security include breaches of confidentiality, integrity and robustness. In this case, it must be specifically assumed that the elected representatives and the employees of the Storting have a clear interest, worthy of protection, in having information about them processed in a secure way.

Unauthorized access to the Storting's systems can have serious consequences for the individual and for other people's personal information that the mailboxes potentially contain. The event may have meant that outsiders have access to information that the data subject(s) have not themselves chosen to make known, and it is unknown to what extent this information may have been disseminated.

The breach of personal data security has meant that the representatives have lost control over the personal information contained in their email accounts. As a consequence of inadequate security measures, there is a probability that the elected representatives may be exposed to blackmail. The incident may also result in unreliable information being sent by fraudulent actors from the elected representatives' email accounts.

We would also like to emphasize that we consider that this breach may have entailed a potential risk of larger attacks on the Storting as an institution, with the email system as the attack vector.

General preventive reasons and the consideration that the rules should have effect and work as intended then speak forcefully for a strict reaction, and for the imposition of an infringement fine.

b) whether the infringement was committed intentionally or negligently

The case shows that the Storting's administration has failed to take care of the principle of accountability that follows from the Privacy Ordinance Article 5 No. 2. The Norwegian Data Protection Authority finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf. HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented a solution for two-factor authentication when creating email accounts for the elected representatives. The effect of secure authentication as a measure must be considered well known, and the Storting had itself identified the high risk that the lack of such a measure posed. Furthermore, we find it reprehensible that the Storting did not follow up on the known vulnerability with organizational measures either, which to a certain extent could have remedied the technical deficiencies.

c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects

After the attack, new password requirements were introduced, the scope of security logging was expanded, guidelines for mobile devices were updated and work was started on introducing two-factor authentication. In addition, training measures were implemented for employees to raise awareness of information security.

d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32

The Storting's administration took a significant risk in that it created email accounts without two-factor authentication having been introduced, and bears the responsibility that this was not done. That this had not been done at the time of the second attack is an aggravating circumstance.

e) any relevant previous violations committed by the data controller or the data processor

There are no previous violations from the Storting's administration.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects

There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy the damage.

g) the categories of personal data affected by the infringement

Subsequent investigations revealed that the attackers had downloaded various amounts of data, and that this included bank and account information, birth number, health information and personal information about third parties. This is stated in the submitted notification of 6 September 2020. It is an aggravating circumstance that health information has gone astray.

h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the data controller or data processor notified the infringement

The Storting notified the Norwegian Data Protection Authority of the breach of personal data security by notification of 6 September 2020. The Storting has further answered our requests for further information, and has facilitated the Data Inspectorate's access to relevant documentation in connection with our investigation of the case.

i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned with respect to the same subject matter, compliance with the said measures

No measures have previously been taken against the Storting with regard to the same subject matter.

j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42

This is not relevant to the case.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement

The Norwegian Data Protection Authority assumes that the Storting must be regarded as an attractive target for computer attacks, and that, based on a risk assessment, a significantly stricter security regime should have been put in place. The ROS analysis describes various measures in the summary section, among others compulsory training in information security and documentation of completed training, as well as clarification of sanction options for own employees and agreements with party groups to be able to impose the same sanctions there.

In an aggravating direction, it is noted that a solution with two-factor authentication was not implemented, despite the fact that this must be considered a known and effective security measure. The Storting itself had identified the lack of authentication as a vulnerability.

8. Overall assessment

In the Data Inspectorate's assessment, the case is important in principle. The Data Inspectorate considers it very serious that the Storting's administration has shown an inability to implement necessary security measures that the administration itself has identified the need for in the mapping of the risk of processing personal data. We emphasize that the Privacy Regulation requires that the results of such surveys be followed up with appropriate measures, and that this is precisely the purpose of conducting risk assessments, cf. the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the notification to the Norwegian Data Protection Authority, and which forms the basis for this notification, could and should have been avoided if the Storting had implemented measures to remedy the vulnerabilities that were made known through the risk assessment.

We assume that the Storting's administration has a vested interest in establishing the Storting's computer systems in line with recommendations from national professional authorities. It is the administration that is responsible for the operation of these systems, and for implementing the security measures necessary to make the systems robust, in accordance with the legal requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article 32 No. 1 letter b.

Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given an infringement fine.

9. The size of the fine

In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

    «As a starting point, the same rules for infringement fines shall apply to public bodies as to private ones, as this is the scheme under the current Personal Data Act.»

With regard to the size of the fine, the same factors shall apply as when assessing whether the fine shall be imposed, and special weight shall be given to them. The fine should be set so high that it also has an effect beyond the specific case, while at the same time the size of the fine must be in reasonable proportion to the violation and the activity, cf. Art. 83 No. 1.

After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of the infringement and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have come to the conclusion that an infringement fine of two million - 2,000,000 - kroner is considered correct.

10. Concluding remarks

We point out that this is a prior notice, and not a final decision, cf. § 16. If you have comments on this notice, we ask that these be sent to us within three weeks after this letter is received. The deadline for feedback is February 14, 2022.

11. Transparency and publicity

You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3, but emphasize at the same time that security documentation is as a general rule exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.

If you have any questions, you can contact caseworker Knut B. Kaspersen.

With best regards

Bjørn Erik Thon
director

Knut Brede Kaspersen
legal director

The document is electronically approved and therefore has no handwritten signature.
