Datatilsynet (Norway) - 20/03500
|Datatilsynet (Norway) - 20/03500|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 5(2) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
|Parties:||The Norwegian Parliament (Stortinget)|
|National Case Number/Name:||20/03500|
|European Case Law Identifier:||n/a|
|Original Language(s):||Norwegian |
|Original Source:||Datatilsynet (in NO) |
Datatilsynet (in NO)
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.
English Summary[edit | edit source]
Facts[edit | edit source]
In the fall of 2020, the Norwegian Parliament (Stortinget) had a personal data breach related to employees' email accounts, discovered after an employee had been contacted by their bank about an attempt of misuse of their payment card abroad. The Parliament discovered that the perpetrators had downloaded various data, including personal data information about their bank accounts, birth dates and health-related data.
The Parliament had not enabled two-factor authentication in their email system, despite having identified the lack of such as a "high risk" in their risk analysis of March 2020. They had also identified a lack of security culture, low competency and little focus on data protection as very high risks.
When the DPA reviewed the risk analysis in May 2021, two-factor authentication was still not fully implemented. In their notification of a decision, the DPA noted that the Parliament's administration, represented by the Secretary General, was grossly negligent.
Holding[edit | edit source]
The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching Article 32(1)(b) GDPR and Article 32(1)(d), cf. Article 5(1)(f) GDPR.
For this, the DPA fined the Parliament about €196,400 (NOK 2 million).
Comment[edit | edit source]
Share comments here!
Further Resources[edit | edit source]
On 15 February 2022:the Norwegian DPA received a response from the Parliament (in Norwegian) with feedback on their decision.
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE PARLIAMENT PO Box 1700 Center 0026 OSLO Their reference Our reference Date 20 / 03500-10 04.03.2022 Decision on violation fee - Notification of deviation - The Storting 1 Introduction The Data Inspectorate refers to the submitted notification of 6 September 2020 of a breach personal data security, notification of infringement fee of 13 January 2022 and The Storting's response of 14 February 2022. We also refer to other correspondence and documentation that has been made available to us which can be linked to the relevant notification of a breach of personal data security. It the overall documentation forms the basis for the decision. It is the attack in 2020 that lies ahead reason for the decision. The events of March 2021 are of a different nature, and will not matter for this decision. In the following, Multi Factor Authentication (MFA), two-factor authentication and strong authentication means the same thing. In the following, these will be referred to under the collective term «Two-factor authentication». 2. The Data Inspectorate's comments on the Storting's response The Norwegian Data Protection Authority has noticed that the Storting acknowledges that IT security could have been better then the attack occurred. Secondly, the Storting's administration points out that the follow-up of ROS 2020 must be seen in the light of that the Storting's administration in the spring of 2020 was strongly affected by the pandemic and the shutdown that hit the country in early March 2020, and the subsequent one holiday settlement. It is also pointed out that the representatives of the Storting and the employees in the party groups were not subject to instruction authority from the Storting's director, and that this made the further process time consuming. The Data Inspectorate cannot see that these are factors that have a significant effect on whether or not violation fee must be given and the amount of this. Postal address: Office address: Telephone: Org.nr: Homepage: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO, 3. Decision on infringement fine Based on the information in the case, the Data Inspectorate believes that the Storting has violated the rules on personal data security in the Privacy Ordinance: Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance Article 58 (2) (i), cf. Article 83, a violation fee of two shall be imposed on the Storting. million - 2,000,000 - kroner to the Treasury for not having carried out suitable technical and organizational measures, including two-factor authentication, to achieve a level of security which is suitable in terms of the risk of achieving lasting confidentiality, integrity and robustness, cf. Article 32 (1) (b) and (d) of the Privacy Regulation, cf. Article 5 No. 1 letter f). The background and reasons for the decision follow below. 4. The case On 2 September 2020, the Storting was informed that it had been exposed to a data breach (unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and employees in the administration and the group secretariats. It was one of the employees who notified the administration after the person in question had been contacted by his bank for an attempt misuse of payment cards abroad. Subsequent investigations revealed that attackers had downloaded different amounts of data and that this data could contain personal data originating from the employees concerned email account. It was in the deviation report to the Data Inspectorate and subsequent additional report informed that this included bank and account information, incl. personal information about third parties, birth number and health information. Possible consequences for those affected by the attack could be abuse of identity, abuse of payment cards and use of information for extortion. The Storting's administration later became aware that personal information from 13 email accounts could be lost. Those affected were informed and followed up to limit damage. People which were mentioned in the emails of the affected (third parties) were notified. As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures measures. Among other things, new password requirements were introduced, the scope of security logging became expanded and mobile guidelines were updated. Work was also started on introduce two-factor authentication. In addition, training measures were implemented by employees to increase raising awareness of information security. The Storting has close contact with relevant security authorities in this matter. The relationship is reported to the police and PST is investigating the case. 2.5. Relevant legal rules and guidance on two-factor authentication as a security measure The discrepancies concern breaches of confidentiality, integrity and robustness. In the Privacy Ordinance Article 32 states: «Taking into account the technical development, the implementation costs and the nature of the treatment, the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and severity of the rights and freedoms of natural persons, the data controller and the data processor implement appropriate technical and organizational measures to achieve a level of security which is suitable in terms of risk, including, inter alia, as appropriate, a) pseudonymisation and encryption of personal data, b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services, c) ability to restore the availability and access to personal information in a timely manner if necessary a physical or technical event occurs, d) a process for regular testing, analysis and assessment of how effective the treatment is technical and organizational security measures are. " Article 5 (1) (f) of the Privacy Ordinance states that personal data «Shall be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal treatment and against accidental loss, destruction or damage, through the use of appropriate technical or organizational measures («integrity and confidentiality »)». Article 32 requires that a specific assessment of the risk to the physical be carried out persons' rights and freedoms, compared with probability and severity. The survey must be linked to the relevant business and their treatment of personal information. Furthermore, the provision requires that suitable technical and organizational measures to achieve an appropriate level of information security related to closer areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with and reduce the risks identified in the survey through the introduction of measures. These can either be technical measures in the form of physical security such as authentication solutions, or organizational measures in the form of, for example, routines and training of personnel. In the Data Inspectorate's assessment of what must be considered suitable measures, a company's own assessment of risk and necessary measures are given great weight. The Storting's administration, as the person responsible for processing, undertakes to familiarize itself with it regulations in the field of privacy, including the requirements for conducting risk assessments and implement necessary measures to achieve a satisfactory level of safety. This follows Article 5 (2) of the Privacy Regulation. We assume that there may be alternative measures to ensure sufficient and effective security level. The introduction of two-factor authentication is an example of security measures that are 3, recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency and the National Security Authority (NSM) on their websites have published supplementary information on why and when two-factor authentication should or should be introduced. On NSM's website, clear recommendations have been given on the use of two - factor authentication creation of i.a. email account. NSM also recommends requirements for unique passwords per service. On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It's called here: Many services are based only on something you know in the form of a username and password. Very many also use the same password on several different services. Something that makes you who use even more prone to others logging in like you on various services. Often a service will make demands on the complexity of the password such as requirements minimum length, requirements for the use of numbers, lowercase and uppercase letters, and possibly special characters. This may reduce the ability to guess passwords, but users have one tend to use the same type of pattern. Summer 2017 is a type of password that many unfortunately user. It is also common for users to reuse the same password more services. If the password should go astray, it does not matter where strong / complex password is. Unfortunately, there are many ways a password can get in the way weighs on. For example, leaks from other places where the user uses the same passwords, malware on the PC of users who pick up usernames and passwords, "Man in the middle" attacks and phishing attacks. Therefore, two-factor authentication is a much more secure solution. When using such authentication the consequences of usernames and passwords going astray will be far less. In Norway, we have seen examples of both political parties and schools having experienced that someone has acquired unauthorized access to systems due to lack of strong authentication. The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is necessary to ensure safety. The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as two-factor authentication. 6. The Data Inspectorate's assessment of the Storting's solution for authentication of users The Storting had not introduced a sufficient solution for two-factor authentication for all users of their email systems at the time of the security breach in September 2020. In the latter the version of the ROS analysis related to authentication that was completed in March 2020, was lack of two-factor authentication identified as "high risk" for unauthorized access. 4, The Storting's report of 8 December 2020 states that there is ongoing work to introduce two-factor authentication for users on all solutions where technically possible, including also email. We have also noted that a lack of safety culture was identified as a "high risk" for unauthorized access to the Storting's systems in the ROS analysis in 2020. In the ROS analysis concluding summary, it appears that it is perceived as challenging that different user groups are not subject to instruction authority from the Storting's administration. Lack of security culture, low competence and little focus on privacy are considered as one very high risk. In our view, the description in the ROS analysis reveals vulnerabilities that could have been compensated by organizational measures, as required by Article 32. Examples of such measures are mapping of employees' knowledge of information security and privacy, and targeted training of employees. As organizational measures, guidelines and routines for the use of the company's email account could be effective and necessary to reduce the risk posed by human factors. These should be part of the management system for privacy and information security, which is decided by the management of the business. The Data Inspectorate takes a serious view of the fact that no technical measures have been implemented by the Storting which could have prevented the violation, e.g. through the use of two-factor authentication. Missing or deficient security measures increase the likelihood of security breaches. The consequences can be very serious for the companies and their employees who are affected events like this. Attacks via employees' emails are considered a well-known and real attack vector by data security breach. Access to email accounts is a known method of accessing additional systems in a business. Secure authentication is considered a simple and essential security measure to reduce the risk for such attacks. In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to lack of security measures. The Storting had previously carried out a risk assessment which concluded that two-factor authentication should be introduced. However, this has taken disproportionately long time. When the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of two-factor authentication completed. The Storting's lack of introduction of those security measures which the Storting itself has considered necessary in this area, has made the service become being less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if necessary technical and organizational security measures had been implemented in the past time, the Storting's infrastructure would have been more robust, and the attack could have been avoided. 5, Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case change of the authentication solution, in addition to deficient organizational measures, is considered to constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. They mentioned the provisions require the data controller to establish an appropriate level of safety to ensure lasting confidentiality, integrity, availability and robustness of the services. 7. The Privacy Regulation's rules on infringement fines The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public authorities and bodies infringement fines under the rules of the Privacy Regulation Article 58, cf. Article 83 (1) and (2). The right to impose infringement fines shall be a tool to ensure effective compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as punishment under Article 6 of the European Convention on Human Rights. The Norwegian Data Protection Authority therefore assumes that a clear probability preponderance is required for offense in order to impose a fee. The case and the question of imposing infringement fees are assessed on the basis of this evidentiary requirement. In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a administrative body, which addresses a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (EMF). It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for enterprises. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively liability for corporate punishment is not compatible with the concept of punishment in the European Convention on Human Rights, as interpreted by the European Court of Human Rights. In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and the Ministry of Emergency Management's briefing of 12 May 2021 on the significance of this the Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states following: «Pending the report on corporate penalties and any proposals for legislative amendments, we recommend that the ministries inform their underlying agencies about the Supreme Court decision, and that this for the time being is also used as a basis for imposing infringement charge against companies. This means that by the imposition of infringement fines against companies are required that the person who has acted on behalf of the company has shown general negligence. " Article 83 provides in principle that the imposition of an infringement fine depends on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure 6, that the imposition of infringement fines in each individual case is effective, is in a reasonable relation to the violation and acts as a deterrent. 8. The Data Inspectorate's assessment of whether an infringement fee should be imposed In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following moments: a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the action concerned and the number of data subjects affected, and the extent of the damage they have suffered Violations of personal data security include breaches of confidentiality, integrity and robustness. In this case, it must be concretely assumed that the elected representatives and the employees know The Storting has a clear and worthy of protection interest in having information about them processed in a safe way. Unauthorized access to the Storting's systems can have serious consequences for the individual and for other people's personal information that the mailboxes potentially contain. The event may have entails that the environment has access to information that the registered person (s) have not themselves chosen to make known, and it is unknown to what extent this information may have been disseminated. The breach of personal data security has meant that the representatives have lost control over the personal information contained in their email accounts. As a consequence of Inadequate security measures, there will be a probability that the elected representatives may be exposed for blackmail. The incident can also lead to unreliable information from fraudulent actors being sent based on the elected representatives' email accounts. We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater attacks on the Storting as an institution, with the email system as the attack vector. General preventive reasons and the consideration that the rules should have effect and work as intended then speaks with force for a strict reaction, and for the imposition of an infringement fine. a) whether the violation was committed intentionally or negligently The case shows that there has been a failure in the Storting's administration to take care of the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf. HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented a solution for two-factor authentication when creating an email account for the elected representatives. The effect of secure authentication as a measure must be considered to be well known, compared with that of the Storting even had identified the high risk the lack of such a measure posed. Furthermore, we find it is reprehensible that the Storting did not follow up on the known vulnerability either organizational measures that to a certain extent could have remedied the technical deficiencies. b) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects 7, After the attack, new password requirements were introduced, extended scope of security logging, updated mobile device policies and started work on introduction of two-factor authentication. In addition, training measures were implemented by employees to raise awareness of information security. (c) the degree of responsibility of the controller or processor, taking into account to the technical and organizational measures they have implemented in accordance with Article 25 and 32 The Storting's administration took a significant risk as it did not create email accounts two-factor authentication was introduced; and has a responsibility that this was not done. That this was not done at the time of the second attack is an aggravating circumstance. d) any relevant previous violations committed by the data controller or the data processor There are no previous violations from the Storting's administration. e) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy on the damage. f) the categories of personal data affected by the infringement Subsequent investigations revealed that the attackers had downloaded various amounts of data, including this included bank and account information, birth number, health information and personal information about third parties. This is stated in the submitted notification of 6 September 2020. It is an aggravating circumstance that health information has gone astray. g) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement The Storting notified the Norwegian Data Protection Authority of the breach of personal data security by notifying 6. September 2020. The Storting has further answered our requests for further information, as well as facilitated to give the Data Inspectorate access to relevant documentation in connection with our investigation of the case. (h) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with No measures have been taken before the Storting with regard to the same subject matter. (i) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 This is not relevant to the case. 8, j) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement The Norwegian Data Protection Authority assumes that the Storting must be regarded as an attractive target for computer attacks, and that based on a risk assessment, a significantly stricter safety regime should have been added superficial. The ROS analysis describes various measures in the summary section, among others compulsory training in information security and documentation of completed training, as well as clarification of sanction options for own employees and agreements with party groups to be able to impose the same sanctions there. In an aggravating direction, it is assumed that a solution with two-factor authentication was not implemented in the solution, despite the fact that this must be considered a known and effective safety measures. The Storting had itself identified a lack of authentication as a vulnerability. 9. Overall assessment In the Data Inspectorate's assessment, the matter is important in principle. The Data Inspectorate considers it difficult serious that the Storting's administration has shown an inability to implement necessary security measures that the administration itself has identified the need for in the mapping of the risk of processing personal data. We emphasize that the Privacy Regulation requires that the results of such surveys be followed up with appropriate measures, and that is precisely this which is the purpose of conducting risk assessments, cf. the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the message to The Norwegian Data Protection Authority and which forms the basis for the decision, could and should have been avoided if The Storting had implemented measures to remedy the vulnerabilities that were made known through the risk assessment. We assume that the Storting's administration has a vested interest in establishing the Storting computer systems in line with recommendations from national professional authorities. It's the administration who is responsible for the operation of these systems, and the responsibility for implementing them the safety measures necessary to make the systems robust, in accordance with the law requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article 32 No. 1 letter b. Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given one infringement fine. 10. The size of the fee In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that «As a starting point, the same rules for infringement fines shall apply public bodies as for private, as this is the scheme under current Personal Data Act. » 9, With regard to the amount of the fee, the same factors as when assessing whether the fee shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the size of the fee must be in a reasonable proportion to the violation and the activity, cf. art. 83 No. 1. After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of the infringement and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have come to that one violation fee of two million - 2,000,000 - kroner is considered correct. 11. Complaint You can appeal the decision. Any complaint must be sent to us by Monday 15 August 2022. If we uphold our decision, we will send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22. 12. Transparency and publicity You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform that all documents are in principle public, cf. the Public Access to Information Act § 3, but emphasizes at the same time that security documentation is as a general rule exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2. If you have any questions, you can contact caseworker Knut B. Kaspersen. With best regards Janne Stang Dahl acting director Knut Brede Kaspersen legal director The document is electronically approved and therefore has no handwritten signatures