The Danish Data Protection Authority has fined a law firm after a data breach, due to their inadequate security measures.
A law firm in Denmark has been fined over €67,000 for failing to implement basic security measures when establishing remote access to the company’s IT systems. These systems facilitated access to personal data of a particularly protective nature. After an attack from hackers in early 2020, the Danish Data Protection Authority concluded that the firm lacked the basic security measures necessary. According to this report from the Danish DPA, the firm was, at the time, in the process of implementing multi-factor authentication processes at the time of the attack.
The law firm reported a hacker attack in early 2020 which put the information of clients and counterparties at risk.
In March 2020, SIRIUS lawyers reported a breach of personal data security to the Norwegian DPA, after having experienced an attack from hackers. In the attack, the hackers gained access to, and encrypted the law firm’s servers. These servers contained information about the company’s clients, as well as counterparties. This created a serious risk of personal information about the clients and counterparties falling into the hands of unauthorised parties, potentially causing damage to the individuals concerned as a result.
Adequate security measures are required when handling large volumes of sensitive data, particularly when accessing IT systems remotely.
When IT systems contain a large volume of personal data, particularly that of a protective nature, where compromise would pose a high risk to the rights of the data subjects, the data controller must have specially qualified security measures to prevent unauthorized access to personal data. This includes measures for verification, like multi-factor authentication for logging in, particularly when remote access is involved. Betty Husted, deputy in the Data Protection Authority said «Law firms naturally process a lot of information that requires special protection. In this case, SIRIUS lawyers lacked basic security measures, and this unfortunately meant that, among other things, clients’ information was compromised. You cannot protect yourself 100% against hacker attacks, but the rules in the GDPR require that you make an effort to avoid what corresponds to the risk.”
The Danish DPA decided on a fine of €67,168 to be paid by SIRIUS lawyers for this infraction.
In assessing the fine that should be imposed, the Danish Data Protection Authority considered many factors. The DPA acknowledged that SIRIUS lawyers had not implemented the minimum security measures necessary, when using remote access to IT systems which would pose a high risk for the data subject’s rights if compromised. The Danish DPA emphasised the seriousness of the infringement and the requirement that each fine must be effective, proportionate to the infringement, and have a deterrent effect. In addition, the DPA considered that SIRIUS lawyers were in the process of implementing a multi-factor authentication solution at the time of the breach, and have acted extremely cooperatively in relation to the disclosure of the case. As a result the Danish DPA decided on a fine in the amount of DKK 500,000 or approximately €67,168.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.