Cyber-attack will become expensive for law firm

Legal news
8 September 2022
Denmark

More than two years after a cyber-attack, the Danish Data Protection Agency has proposed a fine for a law firm. Due to the security breach, hackers gained access to confidential data on, among other things, the company’s clients. As a result of the breach, the Danish Data Protection Agency filed a police report with a proposal to issue a fine of DKK 500,000. According to the Danish Data Protection Agency, the company did not have the necessary security measures in place to protect it from the cyber-attack.

A law firm was exposed to a ransomware attack a little more than two years ago. The purpose of the attack was blackmail, and, in that connection, the company’s IT systems were put out of order and locked. The company was then blackmailed, as it had to pay a ransom to regain access to the systems.

The company quickly reported the cyber-attack as a data breach to the Danish Data Protection Agency. This was because the hackers had gained access to the company’s servers, which contained information on both clients and opposing parties. Consequently, the breach entailed a serious risk for those affected. However, the company did not find any trace indicating that information had been copied during the attack. Also, only a limited amount of data was lost due to the attack, and none of it related to clients or opposing parties.

Basic security measures were missing

The Danish Data Protection Agency found that the company had failed to implement basic security measures when it had established remote access to its IT systems, which contained confidential information. Data must always be processed in a manner that prevents unauthorized access to or use of it. That means that companies are responsible for assessing the risks that processing entails, such as cyber-attacks, and for implementing measures that reflect those risks.

In determining the fine the company should receive for the breach of the rules, the Danish Data Protection Agency, on the one hand, considered that the security measures had been inadequate. The security measures did not reflect even the minimum that could be expected for remote access to a system that contained that level of sensitive information.

On the other hand, it was to the company’s advantage that it was in the process of implementing a multifactor authentication solution at the time of the cyber-attack. The Danish Data Protection Agency also emphasized that the company had cooperated.

IUNO’s opinion

Several factors can impact the risk of exposure to cyber-attacks. At the beginning of the coronavirus pandemic, many companies were challenged by the new home offices that had to be established at short notice. Other, more common, elements such as the introduction of new systems or, more generally, technological development also force companies to focus, almost constantly, on whether the security measures that are in place are adequate.

IUNO recommends that companies continuously check their IT systems to assess whether the security measures, including encryption or multifactor login, are adequate. This exercise is especially important for companies that process sensitive and confidential data on a large scale. In any case, companies must have established procedures in place to handle a cyber-attack.

[The Danish Data Protection Agency’s police report of SIRIUS advokater of 14 July 2022]

Anders Etgen Reitz, Partner

Kirsten Astrup, Managing associate (on leave)