Technology

Cyber-attack will become expensive for law firm

Legal news
8 September 2022
Denmark

More than two years after a cyber-attack, the Danish Data Protection Agency has proposed a fine to a law firm. Due to the security breach, hackers gained access to confidential data on – among other things – the company’s clients. The Danish Data Protection Agency filed a police report as a result of the breach with a proposal to issue a fine of DKK 500,000. According to the Danish Data Protection Agency, the company did not have the necessary security measures in place to be protected from the cyber-attack.

A law firm was hit by a ransomware attack a little more than two years ago. The purpose of the attack was blackmail: the company's IT systems were locked and put out of operation, and the company then had to pay a ransom to regain access to them.

The company quickly reported the cyber-attack as a data breach to the Danish Data Protection Agency. This was because the hackers had gained access to the company’s servers, which contained information on both clients and opposing parties. Consequently, the breach entailed a serious risk for those affected. However, the company did not find any trace indicating that information had been copied during the attack. Also, only a limited amount of data was lost due to the attack, and none of it related to clients or opposing parties.

Basic security measures were missing

The Danish Data Protection Agency found that the company had failed to implement basic security measures when it established remote access to its IT systems, which contained confidential information. Data must always be processed in a manner that prevents unauthorized access to or use of it. That means that companies are responsible for assessing the risks that the processing entails, including the risk of cyber-attacks, and for implementing measures that reflect those risks.

In setting the fine for the breach of the rules, the Danish Data Protection Agency considered, on the one hand, that the security measures had been inadequate: they did not even meet the minimum that could be expected for remote access to a system containing that level of sensitive information.

On the other hand, it was to the company’s advantage that it was in the process of implementing a multifactor authentication solution at the time of the cyber-attack. The Danish Data Protection Agency also emphasized that the company had cooperated.

IUNO’s opinion

Several factors can affect a company's exposure to cyber-attacks. At the beginning of the coronavirus pandemic, many companies were challenged by home offices that had to be set up at short notice. Other, more routine changes, such as the introduction of new systems or technological development more generally, also force companies to assess almost constantly whether the security measures in place remain adequate.

IUNO recommends that companies continuously review their IT systems to assess whether the security measures in place, including encryption and multifactor authentication, are adequate. This exercise is especially important for companies that process sensitive and confidential data on a large scale. In any case, companies must have established procedures in place for handling a cyber-attack.

[The Danish Data Protection Agency’s police report of SIRIUS advokater of 14 July 2022]

Anders Etgen Reitz, Partner

Kirsten Astrup, Senior associate
