Datatilsynet (Norway) - 20/03500

From GDPRhub
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.01.2022
Published: 24.01.2022
Fine: 2,000,000 NOK
Parties: The Norwegian Parliament (Stortinget)
National Case Number/Name: 20/03500
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the Parliament about €196,400 (NOK 2,000,000) for a data breach in which perpetrators gained access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.

English Summary

Facts

In the fall of 2020, the Norwegian Parliament (Stortinget) had a personal data breach related to employees' email accounts, discovered after an employee had been contacted by their bank about an attempted misuse of their payment card abroad. The Parliament discovered that the perpetrators had downloaded various data, including personal data such as information about bank accounts, birth dates and health-related data.

The Parliament had not enabled two-factor authentication in their email system, despite having identified the lack of such as a "high risk" in their risk analysis of March 2020. They had also identified a lack of security culture, low competency and little focus on data protection as very high risks.

When the DPA reviewed the risk analysis in May 2021, two-factor authentication was still not fully implemented. In their notification of a decision, the DPA noted that the Parliament's administration, represented by the Secretary General, was grossly negligent.

Holding

The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching Article 32(1)(b) GDPR and Article 32(1)(d), cf. Article 5(1)(f) GDPR.

For this, the DPA fined the Parliament about €196,400 (NOK 2 million).


Further Resources

On 15 February 2022, the Norwegian DPA received a response from the Parliament (in Norwegian) with feedback on their decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 THE PARLIAMENT
 PO Box 1700 Center
 0026 OSLO









Their reference:
Our reference: 20/03500-10
Date: 04.03.2022



Decision on violation fee - Notification of deviation - The Storting

1 Introduction

The Data Inspectorate refers to the submitted notification of 6 September 2020 of a breach of personal data security, the notification of an infringement fee of 13 January 2022 and the Storting's response of 14 February 2022.

We also refer to other correspondence and documentation that has been made available to us and that can be linked to the relevant notification of a breach of personal data security. The overall documentation forms the basis for the decision. It is the attack in 2020 that is the reason for the decision. The events of March 2021 are of a different nature and will not matter for this decision.

In the following, Multi Factor Authentication (MFA), two-factor authentication and strong authentication mean the same thing. These will be referred to under the collective term «two-factor authentication».


2. The Data Inspectorate's comments on the Storting's response
    The Norwegian Data Protection Authority has noted that the Storting acknowledges that IT security could have been better when the attack occurred.

    Secondly, the Storting's administration points out that the follow-up of ROS 2020 must be seen in light of the fact that the Storting's administration in the spring of 2020 was strongly affected by the pandemic and the shutdown that hit the country in early March 2020, and by the subsequent holiday period. It is also pointed out that the representatives of the Storting and the employees in the party groups were not subject to instruction authority from the Storting's director, and that this made the further process time consuming.

    The Data Inspectorate cannot see that these are factors that have a significant effect on whether a violation fee must be imposed or on its amount.




Postal address: PO Box 458 Sentrum, 0105 OSLO | Office address: Trelastgata 3, 0191 OSLO | Telephone: 22 39 69 00 | Org.nr: 974 761 467 | Homepage: www.datatilsynet.no

3. Decision on infringement fine

    Based on the information in the case, the Data Inspectorate believes that the Storting has violated the rules on personal data security in the Privacy Ordinance:

    Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 58 (2) (i), cf. Article 83, a violation fee of two million - 2,000,000 - kroner to the Treasury shall be imposed on the Storting for not having carried out suitable technical and organizational measures, including two-factor authentication, to achieve a level of security which is suitable in terms of the risk, in order to achieve lasting confidentiality, integrity and robustness, cf. Article 32 (1) (b) and (d) of the Privacy Regulation, cf. Article 5 No. 1 letter f).


The background and reasons for the decision follow below.


4. The case

On 2 September 2020, the Storting was informed that it had been exposed to a data breach (unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and employees in the administration and the group secretariats. It was one of the employees who notified the administration after the person in question had been contacted by his bank about an attempted misuse of payment cards abroad.

Subsequent investigations revealed that attackers had downloaded different amounts of data and that this data could contain personal data originating from the affected employees' email accounts. The deviation report to the Data Inspectorate and the subsequent additional report stated that this included bank and account information, including personal information about third parties, birth numbers and health information.

Possible consequences for those affected by the attack could be abuse of identity, abuse of payment cards and use of information for extortion.

The Storting's administration later became aware that personal information from 13 email accounts could have been lost. Those affected were informed and followed up to limit damage. People who were mentioned in the emails of those affected (third parties) were notified.

As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures. Among other things, new password requirements were introduced, the scope of security logging was expanded and mobile guidelines were updated. Work was also started on introducing two-factor authentication. In addition, training measures were implemented for employees to raise awareness of information security.

The Storting has close contact with relevant security authorities in this matter. The matter has been reported to the police and PST is investigating the case.






5. Relevant legal rules and guidance on two-factor authentication as a security measure
The discrepancies concern breaches of confidentiality, integrity and robustness. Article 32 of the Privacy Ordinance states:

«Taking into account the technical development, the implementation costs and the nature, scope, purpose and context of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security which is suitable in terms of risk, including, inter alia, as appropriate,
     a) pseudonymisation and encryption of personal data,
     b) ability to ensure lasting confidentiality, integrity, availability and robustness in processing systems and services,
     c) ability to restore the availability of and access to personal information in a timely manner if a physical or technical event occurs,
     d) a process for regular testing, analysis and assessment of how effective the processing's technical and organizational security measures are.»

Article 5 (1) (f) of the Privacy Ordinance states that personal data
«shall be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, through the use of appropriate technical or organizational measures («integrity and confidentiality»)».

Article 32 requires that a specific assessment be carried out of the risk to natural persons' rights and freedoms, taken together with probability and severity. The survey must be linked to the relevant organization and its processing of personal information.

Furthermore, the provision requires that suitable technical and organizational measures be implemented to achieve an appropriate level of information security in relation to the areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with and reduce the risks identified in the survey through the introduction of measures. These can either be technical measures in the form of physical security such as authentication solutions, or organizational measures in the form of, for example, routines and training of personnel.

In the Data Inspectorate's assessment of what must be considered suitable measures, a company's own assessment of risk and necessary measures is given great weight.

The Storting's administration, as the data controller, is obliged to familiarize itself with the regulations in the field of privacy, including the requirements for conducting risk assessments and implementing the measures necessary to achieve a satisfactory level of safety. This follows from Article 5 (2) of the Privacy Regulation.

We assume that there may be alternative measures to ensure a sufficient and effective security level. The introduction of two-factor authentication is an example of security measures that are recognized as efficient and easily accessible. In this connection, we refer to the fact that both the Danish Data Protection Agency and the National Security Authority (NSM) have published supplementary information on their websites on why and when two-factor authentication should or must be introduced.

On NSM's website, clear recommendations have been given on the use of two-factor authentication for the creation of, among other things, email accounts. NSM also recommends requirements for unique passwords per service.


On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It states:

        Many services are based only on something you know in the form of a username and password. Very many people also use the same password on several different services. This makes you as a user even more exposed to others logging in as you on various services.

        Often a service will make demands on the complexity of the password, such as requirements for minimum length, for the use of numbers, lowercase and uppercase letters, and possibly special characters. This may reduce the ability to guess passwords, but users have a tendency to use the same type of pattern. Summer 2017 is a type of password that many unfortunately use. It is also common for users to reuse the same password on several services.

        If the password should go astray, it does not matter how strong / complex the password is. Unfortunately, there are many ways a password can go astray. For example, leaks from other places where the user uses the same password, malware on users' PCs that picks up usernames and passwords, "man in the middle" attacks and phishing attacks.

        Therefore, two-factor authentication is a much more secure solution. When using such authentication, the consequences of usernames and passwords going astray will be far less.

        In Norway, we have seen examples of both political parties and schools having experienced that someone has acquired unauthorized access to systems due to lack of strong authentication.

        The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is necessary to ensure safety.

The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as
two-factor authentication.

6. The Data Inspectorate's assessment of the Storting's solution for authentication of users

The Storting had not introduced a sufficient solution for two-factor authentication for all users of their email systems at the time of the security breach in September 2020. In the latest version of the ROS analysis related to authentication, which was completed in March 2020, the lack of two-factor authentication was identified as a "high risk" for unauthorized access.

The Storting's report of 8 December 2020 states that there is ongoing work to introduce two-factor authentication for users on all solutions where technically possible, including email.

We have also noted that a lack of safety culture was identified as a "high risk" for unauthorized access to the Storting's systems in the ROS analysis in 2020. In the concluding summary of the ROS analysis, it appears that it is perceived as challenging that different user groups are not subject to instruction authority from the Storting's administration. Lack of security culture, low competence and little focus on privacy are considered a very high risk.

In our view, the description in the ROS analysis reveals vulnerabilities that could have been compensated for by organizational measures, as required by Article 32. Examples of such measures are mapping of employees' knowledge of information security and privacy, and targeted training of employees.

As organizational measures, guidelines and routines for the use of the company's email account could be effective and necessary to reduce the risk posed by human factors. These should be part of the management system for privacy and information security, which is decided by the management of the business.


The Data Inspectorate takes a serious view of the fact that no technical measures had been implemented by the Storting which could have prevented the violation, e.g. through the use of two-factor authentication. Missing or deficient security measures increase the likelihood of security breaches. The consequences can be very serious for the companies and their employees who are affected by events like this.

Attacks via employees' emails are considered a well-known and real attack vector in data security breaches. Access to email accounts is a known method of accessing additional systems in a business.

Secure authentication is considered a simple and essential security measure to reduce the risk of such attacks.

In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to a lack of security measures. The Storting had previously carried out a risk assessment which concluded that two-factor authentication should be introduced. However, this has taken a disproportionately long time.

At the time of the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of two-factor authentication was not completed. The Storting's failure to introduce those security measures which the Storting itself has considered necessary in this area has made the service less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if the necessary technical and organizational security measures had been implemented at an earlier time, the Storting's infrastructure would have been more robust, and the attack could have been avoided.

Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case a change of the authentication solution, in addition to deficient organizational measures, is considered to constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. The provisions mentioned require the data controller to establish an appropriate level of safety to ensure lasting confidentiality, integrity, availability and robustness of the services.


7. The Privacy Regulation's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose infringement fines on public authorities and bodies under the rules of the Privacy Regulation Article 58, cf. Article 83 (1) and (2).

The right to impose infringement fines shall be a tool to ensure effective compliance with and enforcement of the Personal Data Act. An infringement fee is to be regarded as punishment under Article 6 of the European Convention on Human Rights.

The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probability of an offense is required in order to impose a fee. The case and the question of imposing infringement fees are assessed on the basis of this evidentiary requirement.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by an administrative body, which addresses a committed violation of law, regulation or individual decision, and which is considered a punishment under the European Convention on Human Rights (ECHR).

It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for enterprises. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objective liability for corporate punishment is not compatible with the concept of punishment in the European Convention on Human Rights, as interpreted by the European Court of Human Rights.

In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has forwarded the Ministry of Justice and Emergency Preparedness's briefing of 12 May 2021 on the significance of this Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states the following:

        «Pending the report on corporate penalties and any proposals for legislative amendments, we recommend that the ministries inform their underlying agencies about the Supreme Court decision, and that this for the time being is also used as a basis for imposing infringement fines against companies. This means that, for the imposition of infringement fines against companies, it is required that the person who has acted on behalf of the company has shown general negligence.»

Article 83 provides in principle that the imposition of an infringement fine depends on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure that the imposition of infringement fines in each individual case is effective, is in a reasonable relation to the violation and acts as a deterrent.

8. The Data Inspectorate's assessment of whether an infringement fee should be imposed
In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following factors:

a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the action concerned and the number of data subjects affected, and the extent of the damage they have suffered

Violations of personal data security include breaches of confidentiality, integrity and robustness. In this case, it must be concretely assumed that the elected representatives and the employees at the Storting have a clear interest, worthy of protection, in having information about them processed in a safe way.

Unauthorized access to the Storting's systems can have serious consequences for the individual and for other people's personal information that the mailboxes potentially contain. The event may have meant that the outside world has gained access to information that the registered person(s) have not themselves chosen to make known, and it is unknown to what extent this information may have been disseminated.

The breach of personal data security has meant that the representatives have lost control over the personal information contained in their email accounts. As a consequence of inadequate security measures, there will be a probability that the elected representatives may be exposed to blackmail. The incident can also lead to unreliable information from fraudulent actors being sent based on the elected representatives' email accounts.

We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater attacks on the Storting as an institution, with the email system as the attack vector.

General preventive reasons and the consideration that the rules should have effect and work as intended then speak strongly for a strict reaction, and for the imposition of an infringement fine.

a) whether the violation was committed intentionally or negligently
The case shows that there has been a failure in the Storting's administration to take care of the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf. HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented a solution for two-factor authentication when creating an email account for the elected representatives. The effect of secure authentication as a measure must be considered to be well known, taken together with the fact that the Storting itself had identified the high risk that the lack of such a measure posed. Furthermore, we find it reprehensible that the Storting did not follow up on the known vulnerability with organizational measures either, which to a certain extent could have remedied the technical deficiencies.


b) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects
After the attack, new password requirements were introduced, the scope of security logging was extended, mobile device policies were updated and work was started on the introduction of two-factor authentication. In addition, training measures were implemented for employees to raise awareness of information security.

(c) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Article 25 and 32
The Storting's administration took a significant risk when two-factor authentication was not introduced when creating email accounts, and bears responsibility for this not being done. That this was not done at the time of the second attack is an aggravating circumstance.

d) any relevant previous violations committed by the data controller or the data processor
There are no previous violations from the Storting's administration.

e) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects
There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy the damage.

f) the categories of personal data affected by the infringement
Subsequent investigations revealed that the attackers had downloaded various amounts of data, and that this included bank and account information, birth numbers, health information and personal information about third parties. This is stated in the submitted notification of 6 September 2020.

It is an aggravating circumstance that health information has gone astray.

g) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement
The Storting notified the Norwegian Data Protection Authority of the breach of personal data security by notification of 6 September 2020. The Storting has further answered our requests for further information, and has facilitated the Data Inspectorate's access to relevant documentation in connection with our investigation of the case.

(h) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned with respect to the same subject matter, that the said measures are complied with
No measures have previously been taken against the Storting with regard to the same subject matter.

(i) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42
This is not relevant to the case.





j) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement
The Norwegian Data Protection Authority assumes that the Storting must be regarded as an attractive target for computer attacks, and that, based on a risk assessment, a significantly stricter safety regime should have been applied. The ROS analysis describes various measures in the summary section, among others compulsory training in information security and documentation of completed training, as well as clarification of sanction options for own employees and agreements with party groups to be able to impose the same sanctions there.

As an aggravating factor, it is assumed that two-factor authentication was not implemented in the solution, despite the fact that this must be considered a known and effective safety measure. The Storting had itself identified a lack of authentication as a vulnerability.


9. Overall assessment
In the Data Inspectorate's assessment, the matter is important in principle. The Data Inspectorate considers it very serious that the Storting's administration has shown an inability to implement necessary security measures that the administration itself has identified the need for in the mapping of the risk of processing personal data. We emphasize that the Privacy Regulation requires that the results of such surveys be followed up with appropriate measures, and that precisely this is the purpose of conducting risk assessments, cf. the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the notification to the Norwegian Data Protection Authority, and which forms the basis for the decision, could and should have been avoided if the Storting had implemented measures to remedy the vulnerabilities that were made known through the risk assessment.

We assume that the Storting's administration has a vested interest in establishing the Storting's computer systems in line with recommendations from national professional authorities. It is the administration that is responsible for the operation of these systems, and for implementing the safety measures necessary to make the systems robust, in accordance with the legal requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article 32 No. 1 letter b.

Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given an infringement fine.


10. The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

        «As a starting point, the same rules for infringement fines shall apply to public bodies as to private ones, as this is the scheme under the current Personal Data Act.»

With regard to the amount of the fee, special weight shall be given to the same factors as when assessing whether the fee shall be imposed. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the size of the fee must be in a reasonable proportion to the violation and the activity, cf. art. 83 No. 1.

After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of the infringement and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have concluded that a violation fee of two million - 2,000,000 - kroner is considered correct.

11. Complaint
You can appeal the decision. Any complaint must be sent to us by Monday 15 August 2022. If we uphold our decision, we will send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.


12. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you that all documents are in principle public, cf. the Public Access to Information Act § 3, but emphasize at the same time that security documentation is as a general rule exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.

If you have any questions, you can contact caseworker Knut B. Kaspersen.




With best regards

Janne Stang Dahl
acting director

Knut Brede Kaspersen
legal director

The document is electronically approved and therefore has no handwritten signatures