Cyber-attack will become expensive for law firm

Legal news
8 September 2022
Denmark

More than two years after a cyber-attack, the Danish Data Protection Agency has proposed a fine for a law firm. Due to the security breach, hackers gained access to confidential data on – among other things – the company’s clients. As a result of the breach, the Danish Data Protection Agency filed a police report with a proposal to issue a fine of DKK 500,000. According to the Danish Data Protection Agency, the company did not have the necessary security measures in place to be protected from the cyber-attack.

A law firm was exposed to a ransomware attack a little more than two years ago. The purpose of the attack was blackmail, and, in that connection, the company’s IT systems were locked and put out of operation. The company was then blackmailed, as it would have to pay a ransom to regain access to the systems.

The company quickly reported the cyber-attack as a data breach to the Danish Data Protection Agency. This was because the hackers had gained access to the company’s servers, which contained information on both clients and opposing parties. Consequently, the breach entailed a serious risk for those affected. However, the company did not find any trace indicating that information had been copied during the attack. Also, only a limited amount of data was lost due to the attack, and none of it related to clients or opposing parties.

Basic security measures were missing

The Danish Data Protection Agency found that the company had failed to implement basic security measures when it had established remote access to its IT systems, which contained confidential information. Data must always be processed in a manner that prevents unauthorized access to or use of it. That means that companies are responsible for assessing the risks that processing entails, such as cyber-attacks, and for implementing measures that reflect those risks.

To establish the fine the company should receive for the breach of the rules, the Danish Data Protection Agency, on the one hand, considered that the security measures had been inadequate. The security measures did not even, as a minimum, reflect what could be expected for remote access to a system that contained that level of sensitive information.

On the other hand, it was to the company’s advantage that it was in the process of implementing a multifactor authentication solution at the time of the cyber-attack. The Danish Data Protection Agency also emphasized that the company had cooperated.

IUNO’s opinion

Several factors can impact the risk of exposure to cyber-attacks. At the beginning of the coronavirus pandemic, many companies were challenged by the new home offices that had to be established at short notice. Other, more common, elements such as the introduction of new systems or, more generally, technological development also force companies to focus, almost constantly, on whether the security measures that are in place are adequate.

IUNO recommends that companies continuously review their IT systems to assess whether the security measures, including encryption or multifactor login, are adequate. This exercise is especially important for companies that process sensitive and confidential data on a large scale. In any case, companies must have established procedures in place to handle a cyber-attack.

[The Danish Data Protection Agency’s police report of SIRIUS advokater of 14 July 2022]


Anders Etgen Reitz, Partner

Kirsten Astrup, Senior associate
