Datatilsynet (Norway) - 20/03500: Difference between revisions

From GDPRhub
(→‎Comment: added update)
(Updated with final decision)
 
(One intermediate revision by the same user not shown)
Line 11: Line 11:


|Original_Source_Name_1=Datatilsynet
|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/f72430ebb5734c1da295772c790225ed/varsel-om-vedtak-om-overtredelsesgebyr.pdf
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/338d64f46fbb436aa61b0fc4d7b794da/stortinget-vedtak.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=Datatilsynet
|Original_Source_Name_2=Datatilsynet
|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/varsel-om-overtredelsesgebyr-til-stortinget/
|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/overtredelsesgebyr-til-stortinget/
|Original_Source_Language_2=Norwegian
|Original_Source_Language_2=Norwegian
|Original_Source_Language__Code_2=NO
|Original_Source_Language__Code_2=NO
Line 58: Line 58:
}}
}}


The Norwegian DPA published a draft decision setting out its intention to fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.
The Norwegian DPA fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.


== English Summary ==
== English Summary ==
Line 72: Line 72:
The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#1d|Article 32(1)(d)]], cf. [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].
The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#1d|Article 32(1)(d)]], cf. [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].


For this, the DPA intends to fine the Parliament about €196,400 (NOK 2 million). This is only a notification of a fine and the Parliament has three weeks to submit their views, after which the DPA will make their final decision.
For this, the DPA fined the Parliament about €196,400 (NOK 2 million).  


== Comment ==
== Comment ==
''Update 15/02/2022: the Norwegian DPA has received a response from Parliament with feedback on their decision. After the feedback has been reviewed, the DPA will make a final decision.''
''Share comments here!''


== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
''On 15 February 2022:the Norwegian DPA received [https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/stortingets-tilsvar-til-datatilsynet/ a response from the Parliament] (in Norwegian) with feedback on their decision.''


== English Machine Translation of the Decision ==
== English Machine Translation of the Decision ==
Line 86: Line 86:
  THE PARLIAMENT
  THE PARLIAMENT
  PO Box 1700 Center
  PO Box 1700 Center
                                                                Exempt from public:
  0026 OSLO
  0026 OSLO Offl. § 13 cf. Popplyl. § 24 (1) 2.


                                                                pkt.




Line 96: Line 94:




Their reference Our reference Date
                        20 / 03500-8 13.01.2022




Their reference Our reference Date
                        20 / 03500-10 04.03.2022


Notification of decision on infringement fine


Decision on violation fee - Notification of deviation - The Storting


1 Introduction
1 Introduction
The Norwegian Data Protection Authority refers to the submitted notification of 6 September 2020 of a breach


personal data security, as well as the Storting's response to the report of 8 December 2020.
The Data Inspectorate refers to the submitted notification of 6 September 2020 of a breach
personal data security, notification of infringement fee of 13 January 2022 and
The Storting's response of 14 February 2022.
 


We also refer to other correspondence and documentation that has been made available to us
We also refer to other correspondence and documentation that has been made available to us
which can be linked to the relevant notification of a breach of personal data security. It


which can be linked to the relevant notification of a breach of personal data security. It
the overall documentation forms the basis for the decision. It is the attack in 2020 that lies ahead
the overall documentation forms the basis for this notification of decision. It is attacked in 2020
reason for the decision. The events of March 2021 are of a different nature, and will not matter
which is the basis for the decision. The events of March 2021 are of a different nature, and will not
for this decision.
have significance for this decision.




In the following, Multi Factor Authentication (MFA), two-factor authentication and strong
In the following, Multi Factor Authentication (MFA), two-factor authentication and strong
authentication means the same thing. In the following, these will be referred to under the collective term
authentication means the same thing. In the following, these will be referred to under the collective term
«Two-factor authentication».
2. The Data Inspectorate's comments on the Storting's response
    The Norwegian Data Protection Authority has noticed that the Storting acknowledges that IT security could have been better then
    the attack occurred.
    Secondly, the Storting's administration points out that the follow-up of ROS 2020 must be seen in the light of
    that the Storting's administration in the spring of 2020 was strongly affected by the pandemic and
    the shutdown that hit the country in early March 2020, and the subsequent one
    holiday settlement. It is also pointed out that the representatives of the Storting and the employees in
    the party groups were not subject to instruction authority from the Storting's director, and that
    this made the further process time consuming.
    The Data Inspectorate cannot see that these are factors that have a significant effect on whether or not
    violation fee must be given and the amount of this.


«Two-factor authentication».


2. Notification of decision on infringement fee


This is a notification pursuant to the Public Administration Act § 16 that the Norwegian Data Protection Authority is considering the following
Postal address: Office address: Telephone: Org.nr: Homepage:
decision on infringement fine:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, 3. Decision on infringement fine


    Based on the information in the case, the Data Inspectorate believes that the Storting has violated the rules on
    personal data security in the Privacy Ordinance:


     Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance
     Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance
     Article 58 (2) (i), cf. Article 83, a violation fee of two shall be imposed on the Storting.
     Article 58 (2) (i), cf. Article 83, a violation fee of two shall be imposed on the Storting.
     million - 2,000,000 - kroner to the Treasury for not having carried out suitable technical
     million - 2,000,000 - kroner to the Treasury for not having carried out suitable technical
     and organizational measures, including two-factor authentication, to achieve a level of security
     and organizational measures, including two-factor authentication, to achieve a level of security
     which is suitable in terms of the risk of achieving lasting confidentiality, integrity
     which is suitable in terms of the risk of achieving lasting confidentiality, integrity
     and robustness, cf. the Privacy Ordinance Article 32 No. 1 letter b) and d), cf. Article 5
     and robustness, cf. Article 32 (1) (b) and (d) of the Privacy Regulation, cf. Article 5
    No. 1 letter f).


    No. 1 letter f).


The background and reasons for the decision follow below.
The background and reasons for the decision follow below.




4. The case


Postal address: Office address: Telephone: Org.nr: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO3. The case
On 2 September 2020, the Storting was informed that it had been exposed to a data breach
On 2 September 2020, the Storting was informed that it had been exposed to a data breach
(unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and
(unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and
employees in the administration and the group secretariats. It was one of the employees who gave notice
employees in the administration and the group secretariats. It was one of the employees who notified
the administration after the person in question had been contacted by his bank for an attempt
the administration after the person in question had been contacted by his bank for an attempt
misuse of payment cards abroad.
misuse of payment cards abroad.


Subsequent investigations revealed that attackers had downloaded different amounts of data and that
Subsequent investigations revealed that attackers had downloaded different amounts of data and that
this data could contain personal data originating from the employees concerned
this data could contain personal data originating from the employees concerned
email account. It was in the deviation report to the Data Inspectorate and subsequent additional report
email account. It was in the deviation report to the Data Inspectorate and subsequent additional report
Line 160: Line 178:
personal information about third parties, birth number and health information.
personal information about third parties, birth number and health information.


Possible consequences for those affected by the attack could be abuse of identity, abuse of
payment cards and use of information for extortion.


Possible consequences for those affected by the attack may be abuse of identity, abuse of
payment cards and use of information for extortion.


The Storting's administration later became aware that personal information from 13 email accounts
The Storting's administration later became aware that personal information from 13 email accounts
could be lost. Those affected were informed and followed up to limit damage. People
could be lost. Those affected were informed and followed up to limit damage. People
which were mentioned in the emails of the affected (third parties) were notified.
which were mentioned in the emails of the affected (third parties) were notified.


As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures
As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures
measures. Among other things, new password requirements were introduced, the scope of security logging became
measures. Among other things, new password requirements were introduced, the scope of security logging became
expanded and mobile device guidelines were updated. Work was also started on
 
expanded and mobile guidelines were updated. Work was also started on
introduce two-factor authentication. In addition, training measures were implemented by employees to increase
introduce two-factor authentication. In addition, training measures were implemented by employees to increase
raising awareness of information security.
raising awareness of information security.


The Storting has close contact with relevant security authorities in this matter. The relationship is
The Storting has close contact with relevant security authorities in this matter. The relationship is
reported to the police and PST is investigating the case.
reported to the police and PST is investigating the case.


4. Relevant legal rules and guidance on two-factor authentication as a security measure


                                                                                                  2.5. Relevant legal rules and guidance on two-factor authentication as a security measure
The discrepancies concern breaches of confidentiality, integrity and robustness. In the Privacy Ordinance
The discrepancies concern breaches of confidentiality, integrity and robustness. In the Privacy Ordinance
Article 32 states:
Article 32 states:
Line 186: Line 207:
«Taking into account the technical development, the implementation costs and the nature of the treatment,
«Taking into account the technical development, the implementation costs and the nature of the treatment,
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
severity of the rights and freedoms of natural persons, the person responsible for treatment and
severity of the rights and freedoms of natural persons, the data controller and
 
the data processor implement appropriate technical and organizational measures to achieve a level of security
the data processor implement appropriate technical and organizational measures to achieve a level of security
which is suitable in terms of risk, including, inter alia, as appropriate,
which is suitable in terms of risk, including, inter alia, as appropriate,
     a) pseudonymisation and encryption of personal data,
     a) pseudonymisation and encryption of personal data,
     b) ability to ensure lasting confidentiality, integrity, availability and robustness in
     b) ability to ensure lasting confidentiality, integrity, availability and robustness in
         treatment systems and services,
         treatment systems and services,
     c) ability to restore the availability and access to personal information in a timely manner if any
     c) ability to restore the availability and access to personal information in a timely manner if necessary
 
         a physical or technical event occurs,
         a physical or technical event occurs,
     d) a process for regular testing, analysis and assessment of how effective the treatment is
     d) a process for regular testing, analysis and assessment of how effective the treatment is
         technical and organizational security measures are. "
         technical and organizational security measures are. "


Article 5 (1) (f) of the Privacy Ordinance states that personal data
«Shall be processed in a manner that ensures adequate security of personal data,
including protection against unauthorized or illegal treatment and against accidental loss, destruction or


                                                                                                2In the Privacy Ordinance Article 5 No. 1 letter f) it is stated that personal data
«Shall be processed in a manner that ensures adequate security of personal data,
including protection against unauthorized or unlawful treatment and against unintentional loss, destruction or
damage, through the use of appropriate technical or organizational measures («integrity and
damage, through the use of appropriate technical or organizational measures («integrity and
confidentiality »)».
confidentiality »)».


Article 32 requires that a specific assessment of the risk to the physical be carried out
persons' rights and freedoms, compared with probability and severity.
The survey must be linked to the relevant business and their treatment of


Article 32 requires that a specific assessment of the risk to the physical be carried out
rights and freedoms of persons, in relation to the degree of probability and seriousness.
The mapping must be linked to the relevant business and their treatment of
personal information.
personal information.


Furthermore, the provision stipulates that suitable technical and
Furthermore, the provision requires that suitable technical and
organizational measures to achieve an appropriate level of information security related to closer
organizational measures to achieve an appropriate level of information security related to closer
areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with
areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with
and reduce the risks identified in the survey through the introduction of measures. These can
and reduce the risks identified in the survey through the introduction of measures. These can
either be technical measures in the form of physical security such as
either be technical measures in the form of physical security such as
authentication solutions, or organizational measures in the form of, for example, routines and
authentication solutions, or organizational measures in the form of, for example, routines and
training of personnel.
training of personnel.


In the Data Inspectorate's assessment of what must be regarded as suitable measures, a company's own
In the Data Inspectorate's assessment of what must be considered suitable measures, a company's own
assessment of risk and necessary measures are given great weight.


assessment of risk and necessary measures are given great weight.
The Storting's administration, as the person responsible for processing, undertakes to familiarize itself with it


As the person responsible for processing, the Storting's administration undertakes to familiarize itself with
regulations in the field of privacy, including the requirements for conducting risk assessments and
regulations in the field of privacy, including the requirements for conducting risk assessments and
implement necessary measures to achieve a satisfactory level of safety. This follows from
implement necessary measures to achieve a satisfactory level of safety. This follows
Article 5 (2) of the Privacy Regulation.
Article 5 (2) of the Privacy Regulation.


We assume that there may be alternative measures to ensure sufficient and effective
We assume that there may be alternative measures to ensure sufficient and effective
security level. The introduction of two-factor authentication is an example of security measures that are
security level. The introduction of two-factor authentication is an example of security measures that are
recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency
 
 
 
 
                                                                                                  3, recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency
and the National Security Authority (NSM) on their websites have published supplementary
and the National Security Authority (NSM) on their websites have published supplementary
information on why and when two-factor authentication should or should be introduced.
information on why and when two-factor authentication should or should be introduced.


On NSM's website, clear recommendations have been given on the use of two - factor authentication
creation of i.a. email account. NSM also recommends requirements for unique passwords per service.


On NSM's website, clear recommendations have been given on the use of two-factor authentication
creation of i.a. email account. NSM also recommends requirements for unique passwords per service.


On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It's called
On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It's called
Line 247: Line 269:


         Many services are based only on something you know in the form of a username and password.
         Many services are based only on something you know in the form of a username and password.
        Very many also use the same password on several different services. Something that makes you
        who use even more prone to others logging in like you on various services.


        Very many also use the same password on several different services. Something that makes you
        who use even more prone to others logging in as you on various services.


         Often a service will make demands on the complexity of the password such as requirements
         Often a service will make demands on the complexity of the password such as requirements
         minimum length, requirement to use numbers, lowercase and uppercase letters, and possibly
         minimum length, requirements for the use of numbers, lowercase and uppercase letters, and possibly
 
        special characters. This may reduce the ability to guess passwords, but users have one
 
 
 
                                                                                                3 special characters. This may reduce the ability to guess passwords, but users have one
         tend to use the same type of pattern. Summer 2017 is a type of password that many
         tend to use the same type of pattern. Summer 2017 is a type of password that many
         unfortunately user. It is also common for users to reuse the same password
         unfortunately user. It is also common for users to reuse the same password
         more services.
         more services.


         If the password should go astray, it does not matter where
         If the password should go astray, it does not matter where
         strong / complex password is. Unfortunately, there are many ways a password can get in the way
         strong / complex password is. Unfortunately, there are many ways a password can get in the way
         weighs on. For example, leaks from other places where the user uses the same
         weighs on. For example, leaks from other places where the user uses the same
         passwords, malware on the PC of users who pick up usernames and passwords,
         passwords, malware on the PC of users who pick up usernames and passwords,
         "Man in the middle" attacks and phishing attacks.
         "Man in the middle" attacks and phishing attacks.


         Therefore, two-factor authentication is a much more secure solution. When using such authentication
         Therefore, two-factor authentication is a much more secure solution. When using such authentication
         the consequences of usernames and passwords going astray will be far less.
         the consequences of usernames and passwords going astray will be far less.


 
         In Norway, we have seen examples of both political parties and schools having experienced that someone
         In Norway, we have seen examples of both political parties and schools experiencing that someone
         has acquired unauthorized access to systems due to lack of strong authentication.
         has acquired unauthorized access to systems due to lack of strong authentication.


         The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is
         The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is
         necessary to ensure safety.
         necessary to ensure safety.


The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as
The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as
two-factor authentication.
two-factor authentication.


5. The Data Inspectorate's assessment of the Storting's solution for authentication of users
6. The Data Inspectorate's assessment of the Storting's solution for authentication of users
The Storting had not introduced two-factor authentication for users of their e-mail systems
 
The Storting had not introduced a sufficient solution for two-factor authentication for all users
of their email systems at the time of the security breach in September 2020. In the latter
the version of the ROS analysis related to authentication that was completed in March 2020, was
lack of two-factor authentication identified as "high risk" for unauthorized access.
 
 
 


the time of the security breach in September 2020. In the latest version of the ROS analysis
related to authentication that was completed in March 2020, there was a lack of two-factor authentication
identified as "high risk" for unauthorized access.


The Storting's report of 8 December 2020 states that there is ongoing work to
 
                                                                                                4, The Storting's report of 8 December 2020 states that there is ongoing work to
introduce two-factor authentication for users on all solutions where technically possible, including
introduce two-factor authentication for users on all solutions where technically possible, including
also email.
also email.


We have also noted that a lack of safety culture was identified as a "high risk" for
We have also noted that a lack of safety culture was identified as a "high risk" for
unauthorized access to the Storting's systems in the ROS analysis in 2020. In the ROS analysis
unauthorized access to the Storting's systems in the ROS analysis in 2020. In the ROS analysis
concluding summary, it appears that it is perceived as challenging that different
concluding summary, it appears that it is perceived as challenging that different
user groups are not subject to instruction authority from the Storting's administration.
user groups are not subject to instruction authority from the Storting's administration.
Lack of security culture, low competence and little focus on privacy are considered as one
Lack of security culture, low competence and little focus on privacy are considered as one
very high risk.
very high risk.


In our view, the description in the ROS analysis reveals vulnerabilities that could have been
In our view, the description in the ROS analysis reveals vulnerabilities that could have been
compensated by organizational measures, as required by Article 32. Examples of such measures are
compensated by organizational measures, as required by Article 32. Examples of such measures are
mapping of employees' knowledge of information security and privacy, and targeted
mapping of employees' knowledge of information security and privacy, and targeted
training of employees.
training of employees.


 
As organizational measures, guidelines and routines for the use of the company's email account
 
 
 
 
                                                                                              4As organizational measures, guidelines and routines for using the company's email account
could be effective and necessary to reduce the risk posed by human factors.
could be effective and necessary to reduce the risk posed by human factors.
These should be part of the management system for privacy and information security, which is
These should be part of the management system for privacy and information security, which is
decided by the management of the business.
decided by the management of the business.


The Norwegian Data Protection Authority is serious about the fact that no technical measures have been implemented by the Storting
 
The Data Inspectorate takes a serious view of the fact that no technical measures have been implemented by the Storting
which could have prevented the violation, e.g. through the use of two-factor authentication.
which could have prevented the violation, e.g. through the use of two-factor authentication.
Missing or deficient security measures increase the likelihood of security breaches.
Missing or deficient security measures increase the likelihood of security breaches.
The consequences can be very serious for the companies and their employees who are affected
The consequences can be very serious for the companies and their employees who are affected
Line 326: Line 344:


Attacks via employees' emails are considered a well-known and real attack vector by
Attacks via employees' emails are considered a well-known and real attack vector by
data security breach. Access to email accounts is a known method of accessing additional
data security breach. Access to email accounts is a known method of accessing additional
systems in a business.
systems in a business.


Secure authentication is considered a simple and essential security measure to reduce the risk
Secure authentication is considered a simple and essential security measure to reduce the risk
for such attacks.
for such attacks.


In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to
In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to
lack of security measures. The Storting had previously carried out a risk assessment which
lack of security measures. The Storting had previously carried out a risk assessment which
concluded that two-factor authentication should be introduced. However, this has taken
concluded that two-factor authentication should be introduced. However, this has taken
disproportionately long time.
disproportionately long time.


When the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of
When the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of
two-factor authentication completed. The Storting's lack of introduction of those security measures
two-factor authentication completed. The Storting's lack of introduction of those security measures
which the Storting itself has considered necessary in this area, has made the service become
which the Storting itself has considered necessary in this area, has made the service become
being less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if
being less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if
necessary technical and organizational security measures had been implemented in the past
necessary technical and organizational security measures had been implemented in the past
time, the Storting's infrastructure would have been more robust, and the attack could have been
time, the Storting's infrastructure would have been more robust, and the attack could have been
avoided.
avoided.


Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case
 
 
 
                                                                                                5, Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case
change of the authentication solution, in addition to deficient organizational measures, is considered to
change of the authentication solution, in addition to deficient organizational measures, is considered to
constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. They mentioned
constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. They mentioned
the provisions require the data controller to establish an appropriate level of safety
the provisions require the data controller to establish an appropriate level of safety
to ensure lasting confidentiality, integrity, availability and robustness of the services.
to ensure lasting confidentiality, integrity, availability and robustness of the services.


6. The Privacy Regulation's rules on infringement fines
 
7. The Privacy Regulation's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of the Privacy Regulation Article
authorities and bodies infringement fines under the rules of the Privacy Regulation Article
58, cf. Article 83 (1) and (2).
58, cf. Article 83 (1) and (2).


The right to impose infringement fines shall be a tool to ensure effective
The right to impose infringement fines shall be a tool to ensure effective
Line 365: Line 386:
punishment under Article 6 of the European Convention on Human Rights.
punishment under Article 6 of the European Convention on Human Rights.


The Norwegian Data Protection Authority therefore assumes that a clear probability preponderance is required for
offense in order to impose a fee. The case and the question of imposing
infringement fees are assessed on the basis of this evidentiary requirement.


                                                                                                5Datatilsynet therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.


In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by a
By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights
(EMF).


decision, which is considered a punishment under the European Convention on Human Rights
(EMK).


It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for
It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for
companies. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively
enterprises. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively
liability for corporate punishment is not compatible with the concept of punishment in the European
liability for corporate punishment is not compatible with the concept of punishment in the European
Convention on Human Rights, as interpreted by the European Court of Human Rights.
Convention on Human Rights, as interpreted by the European Court of Human Rights.


In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and


In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and
the Ministry of Emergency Management's briefing of 12 May 2021 on the significance of this
the Ministry of Emergency Management's briefing of 12 May 2021 on the significance of this
the Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states
the Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states
following:
following:


         «Pending the report on corporate penalties and any proposals for legislative amendments,
         «Pending the report on corporate penalties and any proposals for legislative amendments,
         we recommend that the ministries inform their underlying agencies about the Supreme Court
         we recommend that the ministries inform their underlying agencies about the Supreme Court
         decision, and that this for the time being is also used as a basis for imposing
         decision, and that this for the time being is also used as a basis for imposing
         infringement charge against companies. This means that by the imposition of
         infringement charge against companies. This means that by the imposition of
Line 399: Line 417:
         the company has shown general negligence. "
         the company has shown general negligence. "


Article 83 provides in principle that the imposition of an infringement fine depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting


Article 83 provides in principle that the imposition of infringement fines depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
that the imposition of infringement fines in each individual case is effective is stated in a reasonable
 
 
 
                                                                                                6, that the imposition of infringement fines in each individual case is effective, is in a reasonable
relation to the violation and acts as a deterrent.
relation to the violation and acts as a deterrent.


 
8. The Data Inspectorate's assessment of whether an infringement fee should be imposed
7. The Data Inspectorate's assessment of whether an infringement fee should be imposed
In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
moments:
moments:


a) the nature, severity and duration of the infringement, taking into account
a) the nature, severity and duration of the infringement, taking into account
    the nature, extent or purpose of the action concerned and the number of data subjects affected,
    and the extent of the damage they have suffered


    the nature, extent or purpose of the act concerned or the number of data subjects affected,
    and the extent of the damage they have suffered
Violations of personal data security include breaches of confidentiality, integrity and
Violations of personal data security include breaches of confidentiality, integrity and
robustness. In this case, it must be specifically assumed that the elected representatives and the employees know
robustness. In this case, it must be concretely assumed that the elected representatives and the employees know
The Storting has a clear and worthy of protection interest in having information about them processed
The Storting has a clear and worthy of protection interest in having information about them processed
in a safe way.
in a safe way.


Unauthorized access to the Storting's systems can have serious consequences for the individual and
for other people's personal information that the mailboxes potentially contain. The event may have


 
entails that the environment has access to information that the registered person (s) have not themselves chosen to
 
 
                                                                                              6Authorized access to the Storting's systems can have serious consequences for the individual and
for other people's personal information that the mailboxes potentially contain. The event may have
entails that the surroundings have access to information that the registered person (s) have not themselves chosen to
make known, and it is unknown to what extent this information may have been disseminated.
make known, and it is unknown to what extent this information may have been disseminated.


The breach of personal data security has meant that the representatives have lost control
The breach of personal data security has meant that the representatives have lost control
over the personal information contained in their email accounts. As a consequence of
over the personal information contained in their email accounts. As a consequence of
Inadequate security measures, there will be a probability that the elected representatives may be exposed
for blackmail. The incident can also lead to unreliable information from fraudulent actors being sent


Inadequate security measures, there will be a probability that the elected representatives may be exposed
for blackmail. The incident may also result in unreliable information being sent from fraudulent actors
based on the elected representatives' email accounts.
based on the elected representatives' email accounts.


We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater
We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater
attacks on the Storting as an institution, with the email system as the attack vector.
attacks on the Storting as an institution, with the email system as the attack vector.


General preventive reasons and the consideration that the rules should have effect and work as intended
General preventive reasons and the consideration that the rules should have effect and work as intended
speaks then with force for a strict reaction, and for the imposition of an infringement fine.


b) whether the infringement was committed intentionally or negligently
then speaks with force for a strict reaction, and for the imposition of an infringement fine.


a) whether the violation was committed intentionally or negligently
The case shows that there has been a failure in the Storting's administration to take care of
The case shows that there has been a failure in the Storting's administration to take care of
the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority
the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority
finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf.
finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf.
HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented
HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented
Line 453: Line 470:
of secure authentication as a measure must be considered to be well known, compared with that of the Storting
of secure authentication as a measure must be considered to be well known, compared with that of the Storting
even had identified the high risk the lack of such a measure posed. Furthermore, we find
even had identified the high risk the lack of such a measure posed. Furthermore, we find
it is reprehensible that the Storting did not follow up on the known vulnerability either
organizational measures that to a certain extent could have remedied the technical deficiencies.


it is reprehensible that the Storting did not follow up on the known vulnerability either
organizational measures which to a certain extent could have remedied the technical deficiencies.


c) any measures taken by the data controller or data processor to
b) any measures taken by the data controller or data processor to
     limit the damage suffered by the data subjects
     limit the damage suffered by the data subjects


After the attack, new password requirements were introduced, the scope of which was expanded
 
security logging, updated guidelines for mobile devices and started work on
 
 
                                                                                                7, After the attack, new password requirements were introduced, extended scope of
security logging, updated mobile device policies and started work on
introduction of two-factor authentication. In addition, training measures were implemented by employees to
introduction of two-factor authentication. In addition, training measures were implemented by employees to
raise awareness of information security.
raise awareness of information security.


(c) the degree of responsibility of the controller or processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and


d) the degree of responsibility of the data controller or data processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and
     32
     32
The Storting's administration took a significant risk as it did not create email accounts
The Storting's administration took a significant risk as it did not create email accounts
two-factor authentication was introduced; and has a responsibility that this was not done. That this was not
two-factor authentication was introduced; and has a responsibility that this was not done. That this was not
done at the time of the second attack is an aggravating circumstance.
done at the time of the second attack is an aggravating circumstance.


e) any relevant previous violations committed by the data controller or
 
d) any relevant previous violations committed by the data controller or
     the data processor
     the data processor
There are no previous violations from the Storting's administration.
There are no previous violations from the Storting's administration.




 
e) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
                                                                                                7f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
     possible negative effects of it
     possible negative effects of it
There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy
There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy
Line 487: Line 505:




g) the categories of personal data affected by the infringement
f) the categories of personal data affected by the infringement
Subsequent investigations revealed that the attackers had downloaded various amounts of data, including
Subsequent investigations revealed that the attackers had downloaded various amounts of data, including
this included bank and account information, birth number, health information and
this included bank and account information, birth number, health information and
personal information about third parties. This is stated in the submitted notification of 6 September 2020.


personal information about third parties. This is stated in the submitted notification of 6 September 2020.
It is an aggravating circumstance that health information has gone astray.
It is an aggravating circumstance that health information has gone astray.


h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
g) the manner in which the supervisory authority became aware of the infringement, in particular whether and
     possibly to what extent the data controller or data processor has
     possibly to what extent the data controller or data processor has
     notified of the infringement
     notified of the infringement
Line 503: Line 521:
investigation of the case.
investigation of the case.


(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
(h) if the measures referred to in Article 58 (2) have previously been taken against the person concerned


     data controller or data processor with respect to the same subject matter, that
     data controller or data processor with respect to the same subject matter, that
Line 509: Line 527:
No measures have been taken before the Storting with regard to the same subject matter.
No measures have been taken before the Storting with regard to the same subject matter.


(i) compliance with approved standards of conduct in accordance with Article 40 or approved


(j) compliance with approved standards of conduct in accordance with Article 40 or approved
     certification mechanisms in accordance with Article 42
     certification mechanisms in accordance with Article 42
This is not relevant to the case.
This is not relevant to the case.


k) any other aggravating or mitigating factor in the case, e.g. economic benefits


                                                                                              8, j) any other aggravating or mitigating factor in the case, e.g. economic benefits
     which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
     which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
     the infringement
     the infringement
Line 529: Line 550:
implemented in the solution, despite the fact that this must be considered a known and effective
implemented in the solution, despite the fact that this must be considered a known and effective


safety measures. The Storting itself had identified a lack of authentication as a vulnerability.
safety measures. The Storting had itself identified a lack of authentication as a vulnerability.
 
 
 




9. Overall assessment
In the Data Inspectorate's assessment, the matter is important in principle. The Data Inspectorate considers it difficult


                                                                                              88. Overall assessment
In the Data Inspectorate's assessment, the case is important in principle. The Data Inspectorate considers it difficult
serious that the Storting's administration has shown an inability to implement necessary
serious that the Storting's administration has shown an inability to implement necessary
security measures that the administration itself has identified the need for in the mapping of
security measures that the administration itself has identified the need for in the mapping of
the risk of processing personal data. We emphasize that the Privacy Regulation
the risk of processing personal data. We emphasize that the Privacy Regulation
requires that the results of such surveys be followed up with appropriate measures, and that
requires that the results of such surveys be followed up with appropriate measures, and that
is precisely this which is the purpose of conducting risk assessments, cf.
is precisely this which is the purpose of conducting risk assessments, cf.
the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the message to
the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the message to
The Norwegian Data Protection Authority and which forms the basis for this notification could and should have been avoided
The Norwegian Data Protection Authority and which forms the basis for the decision, could and should have been avoided if
if the Storting had implemented measures to remedy the vulnerabilities that were made known
through the risk assessment.


The Storting had implemented measures to remedy the vulnerabilities that were made known through
the risk assessment.


We assume that the Storting's administration has a vested interest in establishing the Storting
We assume that the Storting's administration has a vested interest in establishing the Storting
computer systems in line with recommendations from national professional authorities. It's the administration
computer systems in line with recommendations from national professional authorities. It's the administration
who is responsible for the operation of these systems, and the responsibility for implementing them
who is responsible for the operation of these systems, and the responsibility for implementing them
the safety measures necessary to make the systems robust, in accordance with the law
the safety measures necessary to make the systems robust, in accordance with the law
requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article
requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article
32 No. 1 letter b.
32 No. 1 letter b.


Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given one
Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given one
infringement fine.
infringement fine.


9. The size of the fee
 
10. The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that


         «As a starting point, the same rules for infringement fines shall apply
         «As a starting point, the same rules for infringement fines shall apply
         public bodies as for private, as this is the scheme under current
         public bodies as for private, as this is the scheme under current
         Personal Data Act. »
         Personal Data Act. »


With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
 
 
 
 
 
                                                                                                9, With regard to the amount of the fee, the same factors as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the violation and the activity, cf. art. 83 No. 1.
the violation and the activity, cf. art. 83 No. 1.
Line 577: Line 599:
After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of
After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of
the infringement and the legislation's requirement that the imposition of infringement fines in each individual case
the infringement and the legislation's requirement that the imposition of infringement fines in each individual case
should be effective, proportionate and dissuasive, we have come to that one
should be effective, proportionate and dissuasive, we have come to that one
violation fee of two million - 2,000,000 - kroner is considered correct.
violation fee of two million - 2,000,000 - kroner is considered correct.


 
11. Complaint
10. Concluding remarks
You can appeal the decision. Any complaint must be sent to us by Monday 15 August
We point out that this is a prior notice, and not a final decision, cf. § 16.
2022. If we uphold our decision, we will send the case to the Privacy Board for
If you have comments on this notice, we ask that these be sent to us within three weeks
complaint processing, cf. the Personal Data Act § 22.
after this letter is received. Deadline for feedback is February 14, 2022.
 
 




12. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform


 
that all documents are in principle public, cf. the Public Access to Information Act § 3, but
 
emphasizes at the same time that security documentation is as a general rule exempt from public access, cf.
                                                                                                911. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
that all the documents are in principle public, cf. the Public Access to Information Act § 3, but
emphasizes at the same time that safety documentation is as a general rule exempt from public access, cf.
the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.
the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.


If you have any questions, you can contact caseworker Knut B. Kaspersen.
If you have any questions, you can contact caseworker Knut B. Kaspersen.
With best regards
Bjørn Erik Thon
director
                                                                Knut Brede Kaspersen
                                                                legal director
The document is electronically approved and therefore has no handwritten signature.








With best regards




Janne Stang Dahl
acting director
                                                                  Knut Brede Kaspersen


                                                                  legal director


The document is electronically approved and therefore has no handwritten signatures


                                                                                            10
</pre>
</pre>

Latest revision as of 12:01, 28 June 2022

Datatilsynet (Norway) - 20/03500
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.01.2022
Published: 24.01.2022
Fine: 2,000,000 NOK
Parties: The Norwegian Parliament (Stortinget)
National Case Number/Name: 20/03500
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.

English Summary

Facts

In the fall of 2020, the Norwegian Parliament (Stortinget) had a personal data breach related to employees' email accounts, discovered after an employee had been contacted by their bank about an attempt of misuse of their payment card abroad. The Parliament discovered that the perpetrators had downloaded various data, including personal data information about their bank accounts, birth dates and health-related data.

The Parliament had not enabled two-factor authentication in their email system, despite having identified the lack of such as a "high risk" in their risk analysis of March 2020. They had also identified a lack of security culture, low competency and little focus on data protection as very high risks.

When the DPA reviewed the risk analysis in May 2021, two-factor authentication was still not fully implemented. In their notification of a decision, the DPA noted that the Parliament's administration, represented by the Secretary General, was grossly negligent.

Holding

The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching Article 32(1)(b) GDPR and Article 32(1)(d), cf. Article 5(1)(f) GDPR.

For this, the DPA fined the Parliament about €196,400 (NOK 2 million).

Comment

Share comments here!

Further Resources

On 15 February 2022:the Norwegian DPA received a response from the Parliament (in Norwegian) with feedback on their decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 THE PARLIAMENT
 PO Box 1700 Center
 0026 OSLO









Their reference Our reference Date
                        20 / 03500-10 04.03.2022



Decision on violation fee - Notification of deviation - The Storting

1 Introduction

The Data Inspectorate refers to the submitted notification of 6 September 2020 of a breach
personal data security, notification of infringement fee of 13 January 2022 and
The Storting's response of 14 February 2022.


We also refer to other correspondence and documentation that has been made available to us
which can be linked to the relevant notification of a breach of personal data security. It

the overall documentation forms the basis for the decision. It is the attack in 2020 that lies ahead
reason for the decision. The events of March 2021 are of a different nature, and will not matter
for this decision.


In the following, Multi Factor Authentication (MFA), two-factor authentication and strong
authentication means the same thing. In the following, these will be referred to under the collective term
«Two-factor authentication».


2. The Data Inspectorate's comments on the Storting's response
    The Norwegian Data Protection Authority has noticed that the Storting acknowledges that IT security could have been better then
    the attack occurred.


    Secondly, the Storting's administration points out that the follow-up of ROS 2020 must be seen in the light of
    that the Storting's administration in the spring of 2020 was strongly affected by the pandemic and
    the shutdown that hit the country in early March 2020, and the subsequent one

    holiday settlement. It is also pointed out that the representatives of the Storting and the employees in
    the party groups were not subject to instruction authority from the Storting's director, and that
    this made the further process time consuming.


    The Data Inspectorate cannot see that these are factors that have a significant effect on whether or not
    violation fee must be given and the amount of this.




Postal address: Office address: Telephone: Org.nr: Homepage:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, 3. Decision on infringement fine

    Based on the information in the case, the Data Inspectorate believes that the Storting has violated the rules on
    personal data security in the Privacy Ordinance:

    Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance

     Article 58 (2) (i), cf. Article 83, a violation fee of two shall be imposed on the Storting.
     million - 2,000,000 - kroner to the Treasury for not having carried out suitable technical
     and organizational measures, including two-factor authentication, to achieve a level of security
     which is suitable in terms of the risk of achieving lasting confidentiality, integrity
     and robustness, cf. Article 32 (1) (b) and (d) of the Privacy Regulation, cf. Article 5
     No. 1 letter f).


The background and reasons for the decision follow below.


4. The case

On 2 September 2020, the Storting was informed that it had been exposed to a data breach
(unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and
employees in the administration and the group secretariats. It was one of the employees who notified
the administration after the person in question had been contacted by his bank for an attempt
misuse of payment cards abroad.

Subsequent investigations revealed that attackers had downloaded different amounts of data and that

this data could contain personal data originating from the employees concerned
email account. It was in the deviation report to the Data Inspectorate and subsequent additional report
informed that this included bank and account information, incl.
personal information about third parties, birth number and health information.

Possible consequences for those affected by the attack could be abuse of identity, abuse of
payment cards and use of information for extortion.


The Storting's administration later became aware that personal information from 13 email accounts
could be lost. Those affected were informed and followed up to limit damage. People
which were mentioned in the emails of the affected (third parties) were notified.

As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures
measures. Among other things, new password requirements were introduced, the scope of security logging became

expanded and mobile guidelines were updated. Work was also started on
introduce two-factor authentication. In addition, training measures were implemented by employees to increase
raising awareness of information security.

The Storting has close contact with relevant security authorities in this matter. The relationship is
reported to the police and PST is investigating the case.






                                                                                                  2.5. Relevant legal rules and guidance on two-factor authentication as a security measure
The discrepancies concern breaches of confidentiality, integrity and robustness. In the Privacy Ordinance
Article 32 states:

«Taking into account the technical development, the implementation costs and the nature of the treatment,
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
severity of the rights and freedoms of natural persons, the data controller and

the data processor implement appropriate technical and organizational measures to achieve a level of security
which is suitable in terms of risk, including, inter alia, as appropriate,
     a) pseudonymisation and encryption of personal data,
     b) ability to ensure lasting confidentiality, integrity, availability and robustness in
        treatment systems and services,
     c) ability to restore the availability and access to personal information in a timely manner if necessary

        a physical or technical event occurs,
     d) a process for regular testing, analysis and assessment of how effective the treatment is
        technical and organizational security measures are. "

Article 5 (1) (f) of the Privacy Ordinance states that personal data
«Shall be processed in a manner that ensures adequate security of personal data,
including protection against unauthorized or illegal treatment and against accidental loss, destruction or

damage, through the use of appropriate technical or organizational measures («integrity and
confidentiality »)».

Article 32 requires that a specific assessment of the risk to the physical be carried out
persons' rights and freedoms, compared with probability and severity.
The survey must be linked to the relevant business and their treatment of

personal information.

Furthermore, the provision requires that suitable technical and
organizational measures to achieve an appropriate level of information security related to closer
areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with
and reduce the risks identified in the survey through the introduction of measures. These can
either be technical measures in the form of physical security such as

authentication solutions, or organizational measures in the form of, for example, routines and
training of personnel.

In the Data Inspectorate's assessment of what must be considered suitable measures, a company's own
assessment of risk and necessary measures are given great weight.

The Storting's administration, as the person responsible for processing, undertakes to familiarize itself with it

regulations in the field of privacy, including the requirements for conducting risk assessments and
implement necessary measures to achieve a satisfactory level of safety. This follows
Article 5 (2) of the Privacy Regulation.

We assume that there may be alternative measures to ensure sufficient and effective
security level. The introduction of two-factor authentication is an example of security measures that are




                                                                                                  3, recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency
and the National Security Authority (NSM) on their websites have published supplementary
information on why and when two-factor authentication should or should be introduced.

On NSM's website, clear recommendations have been given on the use of two - factor authentication
creation of i.a. email account. NSM also recommends requirements for unique passwords per service.


On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It's called
here:

        Many services are based only on something you know in the form of a username and password.
        Very many also use the same password on several different services. Something that makes you
        who use even more prone to others logging in like you on various services.


        Often a service will make demands on the complexity of the password such as requirements
        minimum length, requirements for the use of numbers, lowercase and uppercase letters, and possibly
        special characters. This may reduce the ability to guess passwords, but users have one
        tend to use the same type of pattern. Summer 2017 is a type of password that many
        unfortunately user. It is also common for users to reuse the same password
        more services.


        If the password should go astray, it does not matter where
        strong / complex password is. Unfortunately, there are many ways a password can get in the way
        weighs on. For example, leaks from other places where the user uses the same
        passwords, malware on the PC of users who pick up usernames and passwords,
        "Man in the middle" attacks and phishing attacks.


        Therefore, two-factor authentication is a much more secure solution. When using such authentication
        the consequences of usernames and passwords going astray will be far less.

        In Norway, we have seen examples of both political parties and schools having experienced that someone
        has acquired unauthorized access to systems due to lack of strong authentication.

        The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is

        necessary to ensure safety.

The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as
two-factor authentication.

6. The Data Inspectorate's assessment of the Storting's solution for authentication of users

The Storting had not introduced a sufficient solution for two-factor authentication for all users
of their email systems at the time of the security breach in September 2020. In the latter
the version of the ROS analysis related to authentication that was completed in March 2020, was
lack of two-factor authentication identified as "high risk" for unauthorized access.






                                                                                                 4, The Storting's report of 8 December 2020 states that there is ongoing work to
introduce two-factor authentication for users on all solutions where technically possible, including
also email.

We have also noted that a lack of safety culture was identified as a "high risk" for
unauthorized access to the Storting's systems in the ROS analysis in 2020. In the ROS analysis
concluding summary, it appears that it is perceived as challenging that different

user groups are not subject to instruction authority from the Storting's administration.
Lack of security culture, low competence and little focus on privacy are considered as one
very high risk.

In our view, the description in the ROS analysis reveals vulnerabilities that could have been
compensated by organizational measures, as required by Article 32. Examples of such measures are
mapping of employees' knowledge of information security and privacy, and targeted

training of employees.

As organizational measures, guidelines and routines for the use of the company's email account
could be effective and necessary to reduce the risk posed by human factors.
These should be part of the management system for privacy and information security, which is
decided by the management of the business.


The Data Inspectorate takes a serious view of the fact that no technical measures have been implemented by the Storting
which could have prevented the violation, e.g. through the use of two-factor authentication.
Missing or deficient security measures increase the likelihood of security breaches.
The consequences can be very serious for the companies and their employees who are affected
events like this.

Attacks via employees' emails are considered a well-known and real attack vector by

data security breach. Access to email accounts is a known method of accessing additional
systems in a business.

Secure authentication is considered a simple and essential security measure to reduce the risk
for such attacks.


In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to
lack of security measures. The Storting had previously carried out a risk assessment which
concluded that two-factor authentication should be introduced. However, this has taken
disproportionately long time.

When the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of
two-factor authentication completed. The Storting's lack of introduction of those security measures

which the Storting itself has considered necessary in this area, has made the service become
being less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if
necessary technical and organizational security measures had been implemented in the past
time, the Storting's infrastructure would have been more robust, and the attack could have been
avoided.




                                                                                                5, Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case
change of the authentication solution, in addition to deficient organizational measures, is considered to
constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. They mentioned
the provisions require the data controller to establish an appropriate level of safety
to ensure lasting confidentiality, integrity, availability and robustness of the services.


7. The Privacy Regulation's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of the Privacy Regulation Article
58, cf. Article 83 (1) and (2).


The right to impose infringement fines shall be a tool to ensure effective
compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as
punishment under Article 6 of the European Convention on Human Rights.

The Norwegian Data Protection Authority therefore assumes that a clear probability preponderance is required for
offense in order to impose a fee. The case and the question of imposing
infringement fees are assessed on the basis of this evidentiary requirement.


In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights
(EMF).


It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for
enterprises. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively
liability for corporate punishment is not compatible with the concept of punishment in the European
Convention on Human Rights, as interpreted by the European Court of Human Rights.

In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and

the Ministry of Emergency Management's briefing of 12 May 2021 on the significance of this
the Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states
following:

        «Pending the report on corporate penalties and any proposals for legislative amendments,
        we recommend that the ministries inform their underlying agencies about the Supreme Court

        decision, and that this for the time being is also used as a basis for imposing
        infringement charge against companies. This means that by the imposition of
        infringement fines against companies are required that the person who has acted on behalf of
        the company has shown general negligence. "

Article 83 provides in principle that the imposition of an infringement fine depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting

moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure



                                                                                                6, that the imposition of infringement fines in each individual case is effective, is in a reasonable
relation to the violation and acts as a deterrent.

8. The Data Inspectorate's assessment of whether an infringement fee should be imposed
In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
moments:


a) the nature, severity and duration of the infringement, taking into account
    the nature, extent or purpose of the action concerned and the number of data subjects affected,
    and the extent of the damage they have suffered

Violations of personal data security include breaches of confidentiality, integrity and
robustness. In this case, it must be concretely assumed that the elected representatives and the employees know
The Storting has a clear and worthy of protection interest in having information about them processed
in a safe way.

Unauthorized access to the Storting's systems can have serious consequences for the individual and
for other people's personal information that the mailboxes potentially contain. The event may have

entails that the environment has access to information that the registered person (s) have not themselves chosen to
make known, and it is unknown to what extent this information may have been disseminated.

The breach of personal data security has meant that the representatives have lost control
over the personal information contained in their email accounts. As a consequence of
Inadequate security measures, there will be a probability that the elected representatives may be exposed
for blackmail. The incident can also lead to unreliable information from fraudulent actors being sent

based on the elected representatives' email accounts.

We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater
attacks on the Storting as an institution, with the email system as the attack vector.

General preventive reasons and the consideration that the rules should have effect and work as intended

then speaks with force for a strict reaction, and for the imposition of an infringement fine.

a) whether the violation was committed intentionally or negligently
The case shows that there has been a failure in the Storting's administration to take care of
the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority

finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf.
HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented
a solution for two-factor authentication when creating an email account for the elected representatives. The effect
of secure authentication as a measure must be considered to be well known, compared with that of the Storting
even had identified the high risk the lack of such a measure posed. Furthermore, we find
it is reprehensible that the Storting did not follow up on the known vulnerability either
organizational measures that to a certain extent could have remedied the technical deficiencies.


b) any measures taken by the data controller or data processor to
    limit the damage suffered by the data subjects




                                                                                                 7, After the attack, new password requirements were introduced, extended scope of
security logging, updated mobile device policies and started work on
introduction of two-factor authentication. In addition, training measures were implemented by employees to
raise awareness of information security.

(c) the degree of responsibility of the controller or processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and

    32
The Storting's administration took a significant risk as it did not create email accounts
two-factor authentication was introduced; and has a responsibility that this was not done. That this was not
done at the time of the second attack is an aggravating circumstance.


d) any relevant previous violations committed by the data controller or
    the data processor
There are no previous violations from the Storting's administration.


e) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
    possible negative effects of it
There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy
on the damage.


f) the categories of personal data affected by the infringement
Subsequent investigations revealed that the attackers had downloaded various amounts of data, including
this included bank and account information, birth number, health information and
personal information about third parties. This is stated in the submitted notification of 6 September 2020.

It is an aggravating circumstance that health information has gone astray.

g) the manner in which the supervisory authority became aware of the infringement, in particular whether and
    possibly to what extent the data controller or data processor has
    notified of the infringement

The Storting notified the Norwegian Data Protection Authority of the breach of personal data security by notifying 6.
September 2020. The Storting has further answered our requests for further information,
as well as facilitated to give the Data Inspectorate access to relevant documentation in connection with our
investigation of the case.

(h) if the measures referred to in Article 58 (2) have previously been taken against the person concerned

    data controller or data processor with respect to the same subject matter, that
    the said measures are complied with
No measures have been taken before the Storting with regard to the same subject matter.

(i) compliance with approved standards of conduct in accordance with Article 40 or approved

    certification mechanisms in accordance with Article 42
This is not relevant to the case.





                                                                                               8, j) any other aggravating or mitigating factor in the case, e.g. economic benefits
    which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
    the infringement
The Norwegian Data Protection Authority assumes that the Storting must be regarded as an attractive target for computer attacks, and that
based on a risk assessment, a significantly stricter safety regime should have been added

superficial. The ROS analysis describes various measures in the summary section, among others
compulsory training in information security and documentation of completed training,
as well as clarification of sanction options for own employees and agreements with party groups
to be able to impose the same sanctions there.

In an aggravating direction, it is assumed that a solution with two-factor authentication was not
implemented in the solution, despite the fact that this must be considered a known and effective

safety measures. The Storting had itself identified a lack of authentication as a vulnerability.


9. Overall assessment
In the Data Inspectorate's assessment, the matter is important in principle. The Data Inspectorate considers it difficult

serious that the Storting's administration has shown an inability to implement necessary
security measures that the administration itself has identified the need for in the mapping of
the risk of processing personal data. We emphasize that the Privacy Regulation
requires that the results of such surveys be followed up with appropriate measures, and that
is precisely this which is the purpose of conducting risk assessments, cf.
the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the message to
The Norwegian Data Protection Authority and which forms the basis for the decision, could and should have been avoided if

The Storting had implemented measures to remedy the vulnerabilities that were made known through
the risk assessment.

We assume that the Storting's administration has a vested interest in establishing the Storting
computer systems in line with recommendations from national professional authorities. It's the administration
who is responsible for the operation of these systems, and the responsibility for implementing them

the safety measures necessary to make the systems robust, in accordance with the law
requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article
32 No. 1 letter b.

Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given one
infringement fine.


10. The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

        «As a starting point, the same rules for infringement fines shall apply
        public bodies as for private, as this is the scheme under current

        Personal Data Act. »






                                                                                                9, With regard to the amount of the fee, the same factors as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the violation and the activity, cf. art. 83 No. 1.

After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of
the infringement and the legislation's requirement that the imposition of infringement fines in each individual case

should be effective, proportionate and dissuasive, we have come to that one
violation fee of two million - 2,000,000 - kroner is considered correct.

11. Complaint
You can appeal the decision. Any complaint must be sent to us by Monday 15 August
2022. If we uphold our decision, we will send the case to the Privacy Board for
complaint processing, cf. the Personal Data Act § 22.


12. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform

that all documents are in principle public, cf. the Public Access to Information Act § 3, but
emphasizes at the same time that security documentation is as a general rule exempt from public access, cf.
the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.

If you have any questions, you can contact caseworker Knut B. Kaspersen.




With best regards


Janne Stang Dahl
acting director
                                                                  Knut Brede Kaspersen

                                                                  legal director

The document is electronically approved and therefore has no handwritten signatures