Datatilsynet (Denmark) - 2022-63-0003

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(f) GDPR
Article 9 GDPR
Article 24 GDPR
Article 32 GDPR
Article 83(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.07.2022
Fine: 500,000 DKK
Parties: n/a
National Case Number/Name: 2022-63-0003
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (Denmark) (in DA)
Initial Contributor: derhagen

The Danish DPA recommended a fine of approximately €67,000 (DKK 500,000) against a law firm whose insufficient security safeguards left its IT systems vulnerable to a hacker attack.

English Summary

Facts

A law firm was the target of a hacker attack in which the attackers gained access to the firm's servers, which contained personal data, and encrypted them. This posed a serious risk that the personal data had been accessed by unauthorised persons, with potential harm to the data subjects. In March 2020, the law firm notified the Danish DPA of the data breach.

Holding

The Danish DPA held that the law firm lacked basic security measures, especially considering that its processing involved special categories of personal data. The DPA emphasised that in such cases a data breach would almost certainly entail a high risk to the data subjects' rights. Therefore, the controller must have especially strict security measures in place to prevent unauthorised access. For instance, when setting up remote access to such IT systems, the controller could implement multifactor authentication. Consequently, the DPA reported the firm to the police. The DPA assessed the appropriate sanction in accordance with Article 83(2) GDPR and recommended a fine of approximately €67,000 (DKK 500,000).

Comment

The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for bringing a charge, and a fine, if any, is ultimately decided by a court. This arrangement is provided for in Recital 151 GDPR.

Further Resources

The case numbers are: 2020-441-5294 and 2022-63-0003.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

SIRIUS lawyers are fined

Particularly protected personal data was compromised when SIRIUS lawyers were subjected to a hacker attack. Due to lack of security measures, the Danish Data Protection Agency has reported the company to the police and recommended a fine of DKK 500,000.

SIRIUS lawyers have been fined DKK 500,000 for not implementing very basic security measures when setting up remote access to the company's IT systems with personal data of a particularly protected nature.

In March 2020, SIRIUS lawyers reported a breach of personal data security to the Danish Data Protection Agency after they were subjected to a hacker attack. During the attack, hackers gained access to and encrypted the law firm's servers, which contained information about the company's clients and counterparties. This created a serious risk that the information about these persons came into the hands of unauthorised persons, with potential damage to the persons in question as a result.

Lack of basic safety precautions

"Law firms naturally process a lot of information that requires special protection. In this case, SIRIUS lawyers have lacked basic security measures, and this unfortunately meant that, inter alia, clients' information was compromised. You cannot protect yourself 100% against hacker attacks, but the rules in the GDPR require that you make an effort that matches the risk," says Betty Husted, clerk in the Danish Data Protection Agency.

In systems with a large number of personal data of a particularly protected nature, where compromise will involve a high risk to the data subjects' rights, the data controller must have specially qualified security measures to ensure that unauthorized access to personal data does not occur.

Thus, when creating remote access to such IT systems, one must have implemented verification measures, such as multifactor login.

Why police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83(2) of the Data Protection Regulation when assessing which sanction is, in the opinion of the Authority, the correct one.

In assessing that a fine should be imposed, the Danish Data Protection Agency has emphasized that SIRIUS lawyers had not implemented the security measures that are at least expected when using remote access to systems that, if compromised, would involve a high risk for the data subjects' rights.

In its recommendation on the size of the fine, the Danish Data Protection Agency has, among other things, emphasized the nature and seriousness of the infringement and the regulation's requirement that a fine in each individual case must be effective, proportionate to the infringement and have a deterrent effect.

Furthermore, it has been concluded, among other things, that SIRIUS lawyers were in the process of implementing a multifactor authentication solution at the time of the breach. At the same time, the Danish Data Protection Agency has emphasized that SIRIUS lawyers have acted extremely cooperatively in relation to the information in the case.