Datatilsynet (Denmark) - 2022-63-0003

From GDPRhub
Revision as of 13:07, 19 July 2022 by Derhagen (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=DK-SIRIUS-...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - DK-SIRIUS-advokater
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(f) GDPR
Article 9 GDPR
Article 24 GDPR
Article 32 GDPR
Article 83(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.07.2022
Fine: 500,000 DKK
Parties: SIRIUS advokater
National Case Number/Name: DK-SIRIUS-advokater
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (Denmark) (in DA)
Initial Contributor: derhagen

The Danish DPA fined the law firm "SIRIUS advokater" approx. €67,000 (DKK 500,000) after a data breach through ransomware. The law firm's systems lacked basic security measures.

English Summary

Facts

The lawyer firm "SIRIUS advokater" was affected by a data breach through a ransomware attack. Thereby, hackers received access to the firm's servers and encrypted them. This posed a serious risk that personal data was accessible by unauthorized entities, with potential for damage for the affected persons. In March 2020, SIRIUS advokater notified the Danish DPA about a breach of personal data.

Holding

According to Betty Husted from the Danish DPA, law firms process special categories of personal data by nature. She notes that in this case, SIRIUS advokater lacked basic security measures. The DPA assessed the appropriate sanctions in accordance with Article 83(2) GDPR and issued a fine of approx. €67,000 (DKK 500,000). The DPA emphasized that in systems with a high volume of special categories of personal data, where a data breach implies a high risk for the data subjects' rights, the data controller must have qualified security measures in place, to avoid unauthorized access to personal data. Furthermore, the DPA reported the firm to the police.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

SIRIUS lawyers are fined

Particularly protected personal data was compromised when SIRIUS lawyers were subjected to a hacker attack. Due to lack of security measures, the Danish Data Protection Agency has reported the company to the police and recommended a fine of DKK 500,000.

SIRIUS lawyers have been fined DKK 500,000 for not implementing very basic security measures when setting up remote access to the company's IT systems with personal data of a particularly protected nature.

In March 2020, SIRIUS lawyers reported a breach of personal data security to the Danish Data Protection Agency, after they were subjected to a hacker attack. During the attack, hackers gained access to and encrypted the law firm's servers, which contained information about the company's clients and counterparts. This created a serious risk that the information about the persons came into the hands of unauthorized persons with potential damage to the persons in question as a result.
Lack of basic safety precautions

“Law firms naturally process a lot of information that requires special protection. In this case, SIRIUS lawyers have lacked basic security measures, and this unfortunately meant that i.a. clients' information was compromised. You can not protect yourself 100% against hacker attacks, but the rules in the GDPR require that you make an effort to avoid what is equivalent to the risk, "says Betty Husted, clerk in the Danish Data Protection Agency.

In systems with a large number of personal data of a particularly protected nature, where compromise will involve a high risk to the data subjects' rights, the data controller must have specially qualified security measures to ensure that unauthorized access to personal data does not occur.

Thus, when creating remote access to such IT systems, one must have implemented verification measures, such as. multifactor login.
Why police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83 (1) of the Data Protection Regulation. 2, in assessing which sanction is, in the opinion of the Authority, the correct one.

In assessing that a fine should be imposed, the Danish Data Protection Agency has emphasized that SIRIUS lawyers had not implemented the security measures that are at least expected when using remote access to systems that, if compromised, would involve a high risk for the data subjects' rights.

In its recommendation on the size of the fine, the Danish Data Protection Agency has, among other things, emphasized the nature and seriousness of the infringement and the regulation's requirement that a fine in each individual case must be effective, proportionate to the infringement and have a deterrent effect.

Furthermore, it has been concluded, among other things, that SIRIUS lawyers were in the process of implementing a multifactor authentication solution at the time of the breach. At the same time, the Danish Data Protection Agency has emphasized that SIRIUS lawyers have acted extremely cooperatively in relation to the information in the case.