Cyber-attack will become expensive for law firm
More than two years after a cyber-attack, the Danish Data Protection Agency has proposed a fine to a law firm. Due to the security breach, hackers gained access to confidential data on – among other things – the company’s clients. The Danish Data Protection Agency filed a police report as a result of the breach with a proposal to issue a fine of DKK 500,000. According to the Danish Data Protection Agency, the company did not have the necessary security measures in place to be protected from the cyber-attack.
A law firm was exposed to a ransomware attack a little more than two years ago. The purpose of the attack was blackmail: the company’s IT systems were put out of order and locked, and the company was then blackmailed, as it had to pay a ransom to regain access to the systems.
The company quickly reported the cyber-attack as a data breach to the Danish Data Protection Agency. This was because the hackers had gained access to the company’s servers, which contained information on both clients and opposing parties. Consequently, the breach entailed a serious risk for those affected. However, the company did not find any trace indicating that information had been copied during the attack. Also, only a limited amount of data was lost due to the attack, and none of it related to clients or opposing parties.
Basic security measures were missing
The Danish Data Protection Agency found that the company had failed to implement basic security measures when it established remote access to its IT systems, which contained confidential information. Data must always be processed in a manner that prevents unauthorized access to or use of it. That means that companies are responsible for assessing the risks that the processing entails, including cyber-attacks, and for implementing measures that reflect those risks.
In setting the fine the company should receive for the breach of the rules, the Danish Data Protection Agency, on the one hand, considered that the security measures had been inadequate. The security measures did not even, as a minimum, reflect what could be expected for remote access to a system containing that level of sensitive information.
On the other hand, it was to the company’s advantage that it was in the process of implementing a multifactor authentication solution at the time of the cyber-attack. The Danish Data Protection Agency also emphasized that the company had cooperated.
IUNO’s opinion
Several factors can affect a company’s exposure to cyber-attacks. At the beginning of the coronavirus pandemic, many companies were challenged by the new home offices that had to be established at short notice. Other, more common, factors such as the introduction of new systems or, more generally, technological development also force companies to focus almost constantly on whether the security measures in place are adequate.
IUNO recommends that companies continuously review their IT systems to assess whether the security measures are adequate, including encryption or multifactor login. This exercise is especially important for companies that process sensitive and confidential data on a large scale. In any case, companies must have established procedures in place for handling a cyber-attack.
[The Danish Data Protection Agency’s police report of SIRIUS advokater of 14 July 2022]