
An expensive delay

Legal news, 13 April 2023, Denmark, Norway

The Norwegian Data Protection Agency has fined a US pharmaceutical company NOK 2.5 million following a data breach. The company became aware of a data breach that affected all EU-based employees, including one employee in Norway. However, the breach was only reported to the Norwegian Data Protection Agency after 67 days. The data breach had included almost all details about the employee’s employment terms and conditions.

A US pharmaceutical company discovered a data breach after finding that there had been unauthorized access to the “Senior Vice President of Human Resources” inbox for almost a month.

Hackers had probably gained access to the inbox via a phishing e-mail. The access compromised confidential information on the company’s employees, including details such as their names, titles, place of work, holiday rights, remuneration, social security, and employee benefits such as pension, insurance, and company car.

The breach involved employees in several countries. The company reported the breach to some data protection agencies, but not the Norwegian one. Instead, the company spent two months investigating whether the breach was relevant to report.

72 hours, and not a second more 

It was clear to the Norwegian Data Protection Agency that the breach should have been reported in accordance with the data protection rules. As a result of the breach of the 72-hour deadline, the company was fined NOK 2.5 million. The Norwegian Data Protection Agency emphasized that a 64-day delay after the deadline of 72 hours had passed was a serious breach.

As part of the assessment, the Norwegian Data Protection Agency stressed that the company had followed an inadequate internal policy for handling the data breach. According to the policy, the company would first conduct its own internal investigations before seeking advice from external advisors within the EU. Consequently, that process made it practically impossible for the company to satisfy the 72-hour deadline.

Additionally, the Norwegian Data Protection Agency emphasized that personal information relating to the remuneration and benefit packages was of a sensitive nature. The breach could significantly impact the affected employee, as the information could be used for identity theft and fraud. Moreover, the Norwegian Data Protection Agency pointed to other issues, including the fact that the company’s data protection officer was also the global IT director. That position was fundamentally incompatible with the independence requirements that a data protection officer needs to satisfy.

IUNO’s opinion

When a data breach needs to be reported in accordance with the rules, a 72-hour deadline applies. However, in order to be able to react within that short timeframe, internal guidelines need to be in place. This case is an example of how companies should consider whether the internal procedures actually can be completed within that timeframe. We have previously written about the strict 72-hour deadline here.

IUNO recommends that companies establish realistic procedures for handling data breaches. Further, such procedures should outline who is responsible for what throughout the reporting process. If the process relies on external counsel, there should also be clear expectations in place on how the deadline can be met in any case.

Read more about how we can help ensure GDPR compliance here.

[The Norwegian Data Protection Agency’s judgment of 8 March 2023 in case 21/03126-13]
