Personvernnemnda (Norway) - 2022-13 (21/00481)

From GDPRhub
Personvernnemnda (Norway) - 2022-13 (21/00481)
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 24 GDPR
Article 32 GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
Article 83 GDPR
Personal Data Act § 26(1)
Decided: 24.01.2023
Published: 08.02.2023
Parties: Østre Toten municipality
National Case Number/Name: 2022-13 (21/00481)
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
21/00481
Appeal to:
Original Language(s): Norwegian
Original Source: Personvernnemnda (Privacy Appeals Board) (in Norwegian) (in Norwegian)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board upheld the DPA's decision to fine a municipality €352,555 for violating Article 5(1)(f), Article 24 and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web.

English Summary

Facts

This case is an appeal of a decision in which the DPA fined a municipality (the controller) about €352,555 (NOK 4,000,000) for violating Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web.

The controller disagreed with the DPA on the part of the decision pertaining to the fine and asked them to reconsider their position. After the DPA had reviewed the case again, they found no grounds to change their decision and so, as per Norwegian procedures, referred the case to the Privacy Appeals Board.

In their comments to the Privacy Appeals Board, the controller argued that the grounds for an administrative fine were non-existent. They also held that they had implemented sufficient technical and organisational measures available to them as per their internal resources and in line with Article 24 GDPR and Article 32 GDPR.

Holding

The Privacy Appeals Board reviewed the case, both parties' arguments, grounds for imposing an administrative fine as per the GDPR, as well as the objective and subjective grounds for assessing if personal data breaches took place.

After assessing the controller's personal data practices, the Privacy Appeals Board held that they agreed with the DPA in that the various deficiencies represented fundamental shortcomings in the controller's information security, resulting in violations of Article 24 GDPR and Article 32 GDPR.

When assessing the subjective grounds, however, the Privacy Appeals Board noted that the DPA had taken an incorrect legal standpoint and interpreted the legality inaccurately. They disagreed with the DPA's interpretation that the Chief Municipal Executive was objectively responsible for the personal data breaches, regardless of him acting negligent. In the Privacy Appeals Board's view, the insufficient IT security must be sees against a lack of focus over time, long before the Chief Municipal Executive was employed only about half a year before the personal data breaches. The Privacy Appeals Board thus assessed if one or more employees responsible for IT security in the municipality had acted negligent and found that this was indeed the case. Consequently, they held that also the subjective grounds imposing a fine were present.

Finally, the Privacy Appeals Board agreed with the DPA's assessment regarding the grounds for, and level of, an administrative fine, thus rejecting the controller's appeal and upholding the DPA's decision to impose a fine of €352,555 (NOK 4,000,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Privacy Board's decision on 24 January 2023 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Heidi Talsethagen, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
Background of the case
Østre Toten municipality discovered on the night of 9 January 2021 that they were exposed to an extensive ransom virus attack on their IT systems. The attack was discovered when the municipality's employees no longer had access to the municipality's IT systems.
A threat actor had obtained unlawful access to the municipality's IT systems. The entire municipal service delivery, with few exceptions, was affected in the attack. As part of the attack, the municipality's data was encrypted and made inaccessible to the municipality's employees and residents. The same applied to the backups. The threat actor, who sat on the encryption key, left ransom notes in several locations in the system. The threat actor most likely had administrator access to all computers at the municipality.
Personal information about the municipality's residents was stolen during the attack. Significant amounts of data, including e-mails and approx. 30,000 documents went astray. This includes information about children and special categories of information covered by Article 9 No. 1, including patient record information. An unknown number of documents were published on the dark web. The dark web is a part of the Internet where information is made available to everyone, while at the same time it is not possible to track either who posts or downloads the information.
The attack meant that the municipality's employees and residents no longer had access to most of the municipality's IT systems. The NSM's report "National digital risk picture 2021" shows, among other things, that children's and young people's records at the health center were inaccessible, and that the computer attack led to the municipality's lack of functioning IT systems for several months. Manual systems had to be established, among other things the alarm system at nursing homes was replaced with bells, and the locking system on the municipality's buildings did not work.
The municipal director notified the Norwegian Data Protection Authority on 11 January 2021 and sent a notice of non-conformity on 13 January 2021, as well as an addendum to the notice of non-conformity on 31 March 2021. The municipality had close contact with the security authorities and the police, and gave the Norwegian Authority status updates during the investigative work. Both the IT company Atea IRT and the auditing and consulting company KPMG were involved in the work to handle the incident.
At the Data Protection Authority's request, the municipality explained the deviation on 2 June 2021.
The Norwegian Data Protection Authority notified Østre Toten municipality on 18 October 2021 that the Norwegian Data Protection Authority would make the following decision:
"In accordance with the personal data protection regulation article 58 no. 2 letter i, cf. the Personal Data Act § 26 and the Patient Records Act § 29, Østre Toten municipality imposes an infringement fee of NOK 4,000,000 - four million Norwegian kroner - to the treasury, for breaching the requirements for security and internal control when processing personal data, cf. the Personal Data Protection Ordinance article 32 and article 24, cf. the Personal Data Act section 26 first paragraph. Among other things, the municipality has lacked two-factor authentication when logging in, adequately secured backup systems and logging of important events in its network.
Østre Toten municipality is required to establish and document that a suitable management system for information security and personal data security has been implemented, cf. the Personal Protection Regulation article 58 no. 2 letter d. As part of this work, the municipality is required to carry out risk and vulnerability analyzes for all central systems/solutions in the infrastructure, with the aim of identifying the need for risk-reducing measures. The analyzes must be documented in the management system."
The municipality gave its comments on the notice on 8 November 2021.
On 7 January 2022, the Norwegian Data Protection Authority made a decision on infringement fees and orders in line with the notice sent out.
The municipality lodged a timely complaint against the Norwegian Data Protection Authority's decision on 26 January 2022. The complaint only concerned the infringement fee and not the order to establish and document a suitable management system for information security and personal data security. The Norwegian Data Protection Authority considered the complaint, but found no reason to change its decision. The Norwegian Data Protection Authority forwarded the case to the Personal Data Protection Board on 22 June 2022. In a letter from the board on 27 June 2022, the municipality was given the opportunity to make comments. The municipality has not submitted any comments.
The matter was dealt with in the board's meetings on 8 November 2022, 13 December 2022 and 24 January 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Heidi Talsethagen, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present.
The Norwegian Data Protection Authority's decision in brief
The Norwegian Data Protection Authority initially provides a description of the security breach and subsequent measures, as well as the basic principles for processing personal data and the requirements for personal data security and management systems in the Personal Data Protection Regulation. The inspectorate also explains its authority to impose an infringement fee, before explaining its assessment related to the infringement fee and whether an order should be issued. In what follows, only the Norwegian Data Protection Authority's assessment relating to the infringement fee, which is what is complained of, is reproduced.
Assessment of the security breach
The Norwegian Data Protection Authority points out major shortcomings in the municipality's personal data security. The shortcomings relate to both log and log analysis, securing backups and lack of two-factor authentication or similar security measures. This shows a weakness both in the municipality's ability to identify hacker attacks and insufficient information security in the system and constitutes in itself a breach of the requirements for personal data security in Article 32 of the Personal Data Protection Regulation, cf. Article 24.
The attack is particularly serious because it has affected a significant part of the municipality's data. Personal information about the municipality's residents and employees has been completely lost through the data attack in question and information has been shared on the dark web to an unknown extent.
The fact that backup systems had been deleted was a significant negative factor in the work to restore operation (availability) of the systems that were affected. That the municipality did not protect its backup copies against intentional and unintentional deletion, manipulation and reading was a significant deficiency in the municipality's management system for information and personal data security.
Both the configuration of firewalls (inadequate logging) and the network topography (inadequate segmentation of the network) represent fundamental weaknesses in the municipality's information security which lead to a breach of the Personal Data Protection Regulation Article 32, cf. Article 24. As a result of inadequate information security measures, combined with management's and employees' lack of awareness of possible security threats and data attacks, the municipality has breached the basic principle of the duty to safeguard the confidentiality and integrity of information, cf. the personal protection regulation article 5 no. 1 letter f.
Assessment of whether an infringement fee should be imposed
The Norwegian Data Protection Authority goes through the points that the Norwegian Data Protection Authority considers relevant for the assessment of whether an infringement fee should be imposed and concludes that Østre Toten municipality should be imposed an infringement fee for the infringement of the personal protection regulation article 32, cf. 24, and article 5 no. 1 letter f.
The inspectorate takes the discrepancy seriously as control over significant amounts of data in the municipality has been lost. This includes special categories of personal data and information about children, which according to the data protection regulations have special protection. Personal information is shared on the dark web, which makes it impossible to see the consequences of the deviation.
The Norwegian Data Protection Authority concludes that the municipality has had fundamental deficiencies in personal data and information security and internal control work.
Assessment of the fee
In assessing the amount of the fee, the supervisory authority has ensured that the reason why the data attack could take place was due to fundamental deficiencies in the municipality's personal data and information security system. The municipality had not established or carried out internal control in a way that was suitable for detecting these security gaps. The inspectorate considers this to be very serious.
The data attack has meant that a significant part of the municipality's data has been compromised and lost for the future. The attack has also led to the spread of personal data, some of which is highly protective, on the dark web. This can be serious for the individual registered, but also has extensive consequences for the municipality's ongoing operations. These are considered aggravating factors.
The case illustrates how serious the consequences of a computer attack can be and how important it is therefore to have a robust infrastructure and adequate protection against attacks from outside. According to information in the media, the data attack has so far cost the municipality over NOK 32 million. The Authority is aware that there is an enormous financial burden for a municipality with barely 15,000 inhabitants. The municipality's financial situation is a factor that is important when calculating the fee, cf. the Personal Protection Regulation article 83 no. 2 letter k and is taken into account in the inspectorate's assessment. The same is true of the fact that the municipality itself reported the deviation to the Norwegian Data Protection Authority and that the municipality has been very cooperative afterwards. It has also been taken into account that the municipality has done its utmost to provide good information to the residents.
The Norwegian Data Protection Authority has concluded that an infringement fee of NOK 4,000,000 is reasonable in this case. In the authority's assessment, the amount reflects both the seriousness of the offence, the municipality's financial situation after the attack and the municipality's extensive work afterwards. Without these conditions, the fee would have been set significantly higher.
About the fault claim - negligence
The Norwegian Data Protection Authority writes in the transmission letter for the complaint to the Personal Data Protection Board that the reasoning for the claim of guilt could have been better in the decision. In the despatch letter, this point is therefore elaborated on and the main features are reproduced here:
It is clearly overwhelmingly likely that the director of the municipality, as the highest representative of the municipality's management, has acted negligently. Compliance with the requirements of the privacy regulations is the senior manager's responsibility at all times. The municipal director, as the most responsible person in the municipality, is therefore responsible for ensuring that the municipality has sufficiently good information and personal data security at all times.
The Norwegian Data Protection Authority assumes that personal data and information security in Østre Toten municipality was very deficient when the data attack occurred. Factors such as log/log analysis, securing backups and two-factor authentication or similar security measures are fundamental prerequisites for a functioning and adequate information and personal data security. In the inspectorate's view, security in Østre Toten municipality was so inadequate that the area could not have been followed up well enough by the top manager.
The municipality has carried out internal reviews, but these have not contributed to uncovering fundamental security deficiencies. That in itself is serious. The Danish Data Protection Authority therefore believes that the case shows that there has clearly been a negligent failure on the part of the management in Østre Toten municipality in terms of safeguarding basic requirements for personal data security, cf. the data protection regulation article 5 no. 1 letter f, cf. articles 24 and 32.
The municipal director must, as the top leader, be responsible for this failure. The Norwegian Data Protection Authority therefore believes that the municipal director in Østre Toten municipality has clearly acted negligently.
Østre Toten municipality's view on the matter in general
In general, the requirements for securing personal data
The attack that Østre Toten municipality was exposed to is something that is difficult to protect against completely. Having measures that protect against similar incidents to which Østre Toten municipality was exposed places extensive demands on information systems, which in most cases will not be feasible and within the technical possibilities and cost frameworks that most businesses have.
Østre Toten municipality has implemented measures as far as possible within the limits of a municipality. In a municipality, measures and cost use must be prioritised, and prioritizing certain areas will necessarily mean that other, and perhaps more important areas for e.g. life and health, are given lower priority. In such cases, the municipality must view its entire operation as a whole in terms of use of costs, and it is also something that Articles 24 and 32 of the Personal Data Protection Regulation provide for. The action of the municipality cannot therefore be considered to be negligent, which is a requirement for the imposition of an infringement fee.
The Norwegian Data Protection Authority sets as a basis a too high threshold for the requirements for information security and sets too strict requirements for how personal data is to be secured, which goes beyond the intention of the Personal Data Protection Regulation's requirements for security when processing according to, among other things article 32. The requirements are not realistic or feasible if full security is to be achieved, and in this case it is doubtful whether security measures would have prevented the data attack.
Log and log analysis
The lack of a network log would not have prevented the attack, but had an impact on the extent of data that had been extracted and where the extracted data was from in the municipalities' systems. The logs were important for the subsequent assessment of the extent of the incident, but would not have been able to reduce the effects of the incident.
It is therefore not correct that conditions related to logging and log analysis should justify an infringement fee.
Security of backup
It is not correct that the municipality "has, among other things, lacked effective ... sufficiently secured backup systems" as the Norwegian Data Protection Authority suggests. The backup systems were deployed as a result of the data attack. The systems were adequate before the attack.
It is also not correct that "the Municipality lacked protection of backup copies against intentional and unintentional deletion, manipulation and reading". The protection was present, but did not withstand the data attack. The ability to protect systems against this type of attack is limited.
Lack of two-factor authentication or equivalent security measures
The municipality disagrees with the inspectorate that the municipality lacked effective security measures when logging in. The municipality had measures to prevent unauthorized login. Although the Norwegian Data Protection Authority and NSM recommend two-factor authentication, it is not a requirement according to the regulation, and would probably not prevent this attack either. A risk analysis could show that two-factor authentication is a measure that can reduce the risk, but it is not clear whether it would be sufficient to ward off this attack.
Lack of awareness related to security threats and data attacks
It is not correct that the management and employees of the municipality have had a lack of awareness of possible security threats and computer attacks. The municipality conducted an independent review of ICT security in the municipality prior to the attack.
On the initiative of the municipal director, a review of the Compilo quality system was carried out in autumn 2020. The review showed that responsibilities had been assigned and there were defined reporting lines. Among other things, there was a routine for annual reporting on ICT security. The municipal director's assessment was that the municipality had a good internal control system that also included ICT and privacy security. The review also showed that there was room for improvement which the municipality would continue to work on. KPMG states in its report on 26 August 2021 that there was no indication that the municipality was worse off than other municipalities, and that the situation in comparable municipalities is probably at roughly the same level.
IT security was and is an ongoing area of high priority at the municipality, but it is doubtful that any measures would have countered the data attacks given the attack vector that exploited human factors.
The amount of the infringement fee
Østre Toten municipality acknowledges that there could have been additional security measures in place to reduce the risk of the threat actor gaining access to the systems, but the requirements set by the Norwegian Data Protection Authority to prevent this attack are too strict. The municipality has implemented the technical and organizational measures that can be expected of a municipality within the requirements of articles 24 and 32.
When it comes to an infringement fee having a deterrent effect, Østre Toten municipality has had an extensive task of dealing with the consequences of the attack. This in itself will be a deterrent for other businesses and an invitation to assess their security measures. However, Østre Toten municipality believes that the security and the measures that were in place at the time of the attack were sufficient within the requirements of the Personal Data Protection Ordinance, and further measures would probably not have prevented the data attack. Neither the basis on which the decision is based from the Norwegian Data Protection Authority nor the requirements under Articles 24 and 32 of the Personal Protection Ordinance are available. Consequently, an infringement fee cannot be imposed.
The size of the fee is also not in relation to other comparable cases. Recently, the Storting was imposed a fee of NOK 2,000,000. In this case, it was found that there was gross negligence, in contrast to Østre Toten municipality, which was considered to have acted negligently. The various fees for Østre Toten municipality and the Storting are, in the municipality's opinion, a breach of the requirement for equal treatment.
The municipality is of the opinion that the fee that has been imposed is disproportionately assessed against the measures that the municipality had implemented, could implement and against the size of the fee in comparable cases.
If there is negligence
According to HR-2021-797-A, it is not sufficient that there is ordinary negligence in the case of corporate penalties. There must be subjective guilt, and then from the person who is responsible for the relationship in the business. Infringement fees are also considered a penalty, cf. Rt-2012-1556. As a result of this, a clear preponderance of probability for an offense is required in order to be able to impose a fee.
The Norwegian Data Protection Authority has assumed that Østre Toten municipality, represented by the municipal director as chief executive, has acted negligently by not ensuring adequate personal data security and internal control in the municipality. As follows from the above judgment, there must be negligence on the part of the municipal director, i.e. the fault must lie with the person - punishment cannot be imposed on a purely objective basis by relying on anonymous and cumulative errors - where there must be a connection between the person responsible ( the municipal director) and the conditions that give rise to the penalty (the infringement fee). The Norwegian Data Protection Authority has not demonstrated that such negligence exists, and the decision does not deal with the matter.
If Østre Toten municipality is considered to have breached the Personal Information Act, then the municipality will not be liable to punishment in any case since it has not been proven with a clear preponderance of probability that the director of the municipality has acted negligently.
The decision is also not sufficiently justified, cf. section 25 of the Public Administration Act, in that the fact that the director of the municipality should be negligent is not justified.
The Norwegian Privacy Board's assessment
The question for the tribunal is whether Østre Toten municipality has breached the data protection regulation by not having implemented suitable technical and organizational measures to achieve a level of security that is suitable with regard to the risk, cf. the data protection regulation article 32 and article 24. If there is a breach of the data protection regulation, the tribunal must decide whether an infringement fee should be imposed in accordance with Article 83, and if so, with what amount.
According to case law, there is a requirement for a clear preponderance of probability in order to impose sanctions that have the character of punishment according to Article 6 of the European Convention on Human Rights (ECHR), cf. Rt-2008-1409 and Rt-2012-1556. This means that the imposition of an infringement fee according to Section 26 of the Personal Information Act requires a clear preponderance of probability when assessing the evidence, both in terms of objective and subjective conditions.
Conditions for imposing an infringement fee
According to Section 26 of the Personal Data Act, the Norwegian Data Protection Authority can impose an infringement fee on a data controller, including public authorities, in accordance with Article 83 of the Personal Data Protection Regulation. The general conditions for imposing an infringement fee follow from Article 83.
The wording of Article 83 does not give a clear answer as to which demands are made for guilt. In legal literature, for example in Skullerud et al., Personal Protection Ordinance, Lovkommentar, (per 1 May 2022, juridika.no), it is assumed in chapter VIII, on article 83 no. 2, that it is "not a conditions for the imposition of an infringement fee that there is guilt on the part of the infringer or someone who has acted on his behalf." The tribunal is aware that the interpretation of Article 83 and the requirement of culpability for the imposition of an infringement fee for undertakings is under consideration in the EU Court of Justice, case C-807/21 Deutsche Wohnen SE.
In HR-2021-797-A, section 23, the Supreme Court has stated that it is not compatible with Article 6 No. 2 and Article 7 of the ECHR to punish an enterprise if no one has proven guilty. The Supreme Court refers to recent practice from the European Court of Human Rights (ECHR) where a "mental link" is required between the act and the actual circumstances that establish criminal liability, cf. in particular the ECHR's Grand Chamber judgment of 28 June 2018 G.I.E.M. S.r.l. with others against Italy (EMD-2006-1828) and the ECtHR's judgment of 20 January 2009 Sud Fondi S.r.l. with several against Italy (EMD-2001-75909).
As a result of this legal development, and that infringement fees are considered to have the nature of a penalty, cf. Rt-2012-1556, Section 46 of the Public Administration Act was amended in 2022 so that a requirement of negligence is now established when imposing an infringement fee for businesses and public authorities , unless otherwise specified. Public authorities cannot claim protection under the ECHR, but the ministry has nevertheless chosen to equate the liability requirement for public authorities and enterprises, cf. the Public Administration Act section 46, first paragraph, last sentence. In a situation where there is no interpretative opinion from the EU court on what requirements are set under Article 83 in terms of guilt, the tribunal assumes that "nothing else is specified" in the personal data protection regulation. This means that also for the question of imposing an infringement fee on public authorities, a requirement of negligence according to Section 46 of the Public Administration Act applies.
In what follows, the tribunal will first decide whether there are objective breaches of personal data security. The tribunal will then assess the subjective conditions. The detailed conditions for establishing subjective guilt on the part of an enterprise (here a municipality) are also dealt with below.
If there is a breach of personal data security - objective conditions
The Personal Data Protection Regulation imposes a number of requirements on the data controller in terms of the duty to safeguard the information security of the personal data that is processed. Article 32 no. 1 of the Personal Data Protection Regulation reads:
"Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the processing, as well as the risks of varying degrees of probability and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement suitable technical and organizational measures to achieve a level of security that is appropriate in relation to the risk, including, among other things, as appropriate,
a) pseudonymisation and encryption of personal data,
b) ability to ensure continued confidentiality, integrity, availability and robustness of the processing systems and services,
c) ability to restore availability and access to personal data in a timely manner if a physical or technical incident occurs,
d) a process for regular testing, analysis and assessment of how effective the processing's technical and organizational security measures are."
There is no doubt that the ransomware attack objectively led to a breach of confidentiality (personal data was stolen, leaked and published on the dark web), as well as a breach of accessibility when a large amount of personal data was made unavailable to the municipality's employees and residents for a long time. The municipality lacked functioning IT systems for several months, which shows that the system was vulnerable and lacked robustness.
The scope of the security breach was serious. A significant part of the municipality's data was affected. A large amount of personal data is completely lost and information is shared on the dark web to an unknown extent. This also applies to personal information about children and it includes special categories of personal information, cf. Article 9, including patient record information.
The municipality had few suitable measures in place to be able to detect vulnerabilities, prevent unwanted incidents and limit the damaging effects. This includes adequate logging, configuring a firewall, segmenting the network, proper access control, secured backup solutions or other security measures. Such security measures would make it significantly more difficult for the threat actor to gain access to the municipality's IT system. The tribunal agrees with the municipality that two-factor authentication is not an absolute requirement to achieve sufficient information security, but the absence of such a solution must possibly be compensated with other suitable security measures.
The task of restoring operation (availability) of the affected systems was significantly hampered by the fact that the backup copies had been deleted. Failure to secure backup copies against both targeted and accidental deletion, manipulation and reading represents, in the tribunal's assessment, a critical deficiency. Secure access to firewall and system logs would likely help uncover the attack method and contribute to faster system recovery.
The tribunal agrees with the Norwegian Data Protection Authority that the various deficiencies in the municipality's systems for information security represent fundamental weaknesses in the municipalities' information security which means that Article 32, cf. Article 24 of the Personal Data Protection Regulation has objectively been breached.
If there is a breach of personal data security - subjective conditions
When an infringement fee is imposed on an enterprise, a requirement is made that the person or persons who have acted on behalf of the enterprise have shown general negligence, cf. Section 46 of the Norwegian Administration Act and the Personal Protection Board's comments above.
During the preparation of the appeal case and in the letter of transmission to the tribunal, the Norwegian Data Protection Authority has concluded that it is overwhelmingly likely that the director of the municipality has acted negligently. The tribunal does not agree with the authority's assessment of negligence and believes that the Norwegian Data Protection Authority has also taken an incorrect legal starting point when the authority writes: "The director of the municipality, as the most responsible person in the municipality, therefore bears responsibility for ensuring that the municipality has sufficiently good information and personal data security at all times". In the tribunal's assessment, the statement expresses that the municipal director is objectively responsible for breaches of information and personal data security, regardless of whether he has acted negligently or not. That is not the correct understanding of the law.
In the tribunal's view, the lack of information security must be explained on the basis of a lack of focus on information security over time, long before the director of the municipality took up his position, barely six months before the security breach occurred. A lack of focus and attention to information security, and perhaps also a lack of competence on the part of those who have been responsible for the various systems, has resulted in vulnerable systems that have not been equipped for the type of hacker attack that the municipality was exposed to. It is not possible to place this responsibility on one person based on the information available in the case. Nor is it likely that the failure to uncover and clean up this during the autumn of 2020 is due to negligence on the part of the director of the municipality.
However, the tribunal assumes that, according to case law, there is no requirement that the blame be individualised. Both anonymous and cumulative errors can constitute a basis for liability when imposing corporate penalties, cf. HR-2022-1271-A, sections 46-50, where the Supreme Court comments on the ECtHR grand chamber judgment of 28 June 2018 (G.I.E.M. S.r.l. et al. v. Italy (EMD-2006- 1828)):
"The ECtHR does not state anything expressly in the judgment that liability cannot be based on cumulative and/or anonymous mistakes. Nor, in my opinion, can the judgment be understood as requiring any requirement for individualization when assessing guilt and criminal liability.
As I see it, this already follows from the fact that the requirement for subjective guilt also in the case of corporate punishment means that one or more persons who have acted on behalf of the company must have acted negligently. It is therefore not a matter of purely objective responsibility. Furthermore, it is the company, and not any natural person, that may be subject to penalties. If one or more people on behalf of the company, as here, have acted negligently, it is then difficult to see any reason to demand that it can be demonstrated which individuals the blame is attached to.
The guarantees of legal certainty for the accused on which the ECtHR's practice is based are safeguarded where there are anonymous and cumulative errors. Even in the case of such mistakes, it will be possible to counter an accusation that someone who has acted on behalf of the company has acted negligently. Furthermore, liability cannot be asserted in the event of force majeure or accidental accidents. Should it appear unreasonable in the individual case to impose corporate penalties, it is in any case up to the courts to acquit the accused company in accordance with section 28 of the Criminal Code.
By accepting anonymous and cumulative errors, one avoids that demands for individualization of guilt reduce the effectiveness of corporate punishment, which in our country plays an important role in the enforcement of regulations that apply to public and private business. It also avoids that two or more companies that have shown the same type of punishable behavior are treated differently depending on whether it can be brought to light which persons have caused the circumstances in question.
On this basis, I cannot see that it would be contrary to the ECHR to impose corporate penalties for anonymous and cumulative errors."
The question for the tribunal is therefore whether one or more persons in the municipality responsible for security have acted negligently when information security was as it was when the municipality was exposed to the ransomware virus attack.
When assessing where the standard of care for information security work in the municipality should lie, to some extent the municipality's framework in terms of finances, personnel and expertise must be considered. It also means that in the due diligence assessment, an overall assessment must be made of the preventive security work, risk management and implemented security measures.
The tribunal believes, like the Norwegian Data Protection Authority, that the municipality has to a small extent worked systematically and structured with ICT security. Sufficient risk assessments have not been carried out which could have uncovered missing measures and which could have reduced the consequences of attacks. Ransom virus attacks have long been a known security threat and several reports from information security authorities such as NSM and NorSIS indicate that this is a growing threat. In the tribunal's view, this requires regular risk assessments, which has not been done here.
With the knowledge and attention that has been in society about the risk of hacker attacks of this type, the tribunal considers that one or more people in the municipality have acted negligently when the necessary security measures have not been implemented. Lack of risk assessments has resulted in few measures to detect vulnerabilities and unwanted incidents. This has again resulted in systems that are too poor to ensure recovery after such an attack and made the system vulnerable. There is also a causal connection between these omissions and the breach of security which affected the municipality.
The tribunal finds it clearly probable that there are one or more people in the municipality with responsibility for security who have acted negligently when security was not better taken care of than it was in this case.
After this, the subjective conditions for imposing an infringement fee are also met.
Violation fee
In the event of a breach of provisions in the Personal Data Protection Ordinance, the supervisory authority may impose an infringement fee, cf. article 58 no. 2 letter i, cf. article 83. Violation of article 32 can be sanctioned with a fee, cf. article 83 no. 4 letter a. The same applies to violations of Article 24, cf. Personal Data Act § 26, which gives Article 83 No. 4 corresponding application for violations of, among other things, this provision. For violations of the Patient Records Act, Section 22 (information security) and Section 23 (internal control), the same follows from Section 29 of the Patient Records Act.
The question is whether an infringement fee should be imposed for breach of the aforementioned provisions, and if a fee is to be imposed, how large the fee should be.
It follows from Article 83 No. 1 that the imposition of an infringement fee in each individual case must be effective, be in a reasonable relationship to the infringement and act as a deterrent. Both when assessing whether a fee should be imposed and when calculating the fee, account must be taken of the points in the Personal Protection Regulation article 83 no. 2 letters a to k.
For this assessment, it is central to look at the nature, severity and duration of the infringement, cf. article 83 no. 2 letter a. It follows from the provision that account must be taken of the nature, scope or purpose of the processing in question, as well as the number of registered persons who are affected and the extent of the damage they have suffered.
When it comes to the questions of whether a fee should be imposed and the measurement of the fee, the tribunal takes as its starting point the Norwegian Data Protection Authority's assessment.
The tribunal has emphasized that a significant amount of personal data has been compromised and lost for the future. Information is also spread on the dark web to an unknown extent. The information in question also includes particular categories of information, cf. Article 9, and it includes information about children. These conditions are emphasized in an aggravating direction.
The tribunal further points out that the security breach was due to fundamental deficiencies in the municipality's personal data and information security system. Internal control was not established or carried out in a way that was suitable for detecting these security gaps. The tribunal agrees with the supervisory authority that this is very serious.
The tribunal agrees with the Norwegian Data Protection Authority that the municipality, when the security breach was discovered, has acted responsibly both towards the supervisory authority and towards the citizens. Although this is given a mitigating effect when calculating the amount of the fee, it cannot result in the fee being waived. The tribunal notes that the significance of the municipality's follow-up after the attack is not specified in the Data Protection Authority's decision, but assumes that the situation is sufficiently taken into account in the final fee determination. The same applies to the municipality's financial situation, including the costs the security breach has already caused them.
Østre Toten municipality has stated that the Norwegian Data Protection Authority violates the principle of equal treatment and has shown that the Storting imposed a fee of NOK 2,000,000 following a data breach in September 2020. When submitting the case to the tribunal, the Danish Data Protection Authority explained its assessment in the case that applied The Storting's breach of personal data security held up against the Norwegian Authority's assessment in this case. The supervisory authority considers the breach of security in Østre Toten municipality to be clearly more serious and has, among other things, pointed to the extensive consequences where a great deal of personal information has been lost and/or has been published on the dark web. In the case where the Storting was hit by a computer attack, 13 employees' e-mail accounts were compromised. Although the lack of two-factor authentication also affected the Storting, the deficiencies in the other personal data and information security were not of an equally serious nature. The tribunal has not had the case concerning the Storting for consideration, but cannot, based on what has been described, see that the Norwegian Data Protection Authority has breached the principle of equal treatment when assessing infringement fees in the present case.
Østre Toten municipality will then be charged an infringement fee of NOK 4,000,000.
Østre Toten municipality does not succeed in the appeal.
Conclusion
The Norwegian Data Protection Authority's decision to impose an infringement fee of NOK 4,000,000 on Østre Toten municipality for breach of personal data security is upheld.
The decision is unanimous.


Oslo, 24 January 2023
Mari Bø Haugstad
Manager