The Norwegian Data Protection Authority has notified Stortinget of an infringement fine of two million kroner and imposed an infringement fine of four million kroner on Østre Toten municipality. In both cases, the Authority emphasizes that it is a clear management responsibility to secure the business against such attacks, and that two-factor authentication, awareness-raising and an appropriate risk and vulnerability analysis are key measures.

During the attack on Stortinget, hackers had gained unauthorized access to Member of Parliaments email accounts, and downloaded bank and account information, birth numbers, health information and personal information about third parties. In the Østre Toten municipality case, more than 300,000 documents were affected, including sensitive personal information, and it became known that documents had been resold on the dark web. Also, they lacked sufficient internal backup and logging so that several documents could not be recovered, and the data traffic could not be traced. Read more about the case in this article.

Information security is a management responsibility
The EU General Data Protection Regulation (GDPR) states that all companies must have a suitable internal control system for information security. Management and employees must identify the risk of personal data being lost, changed, damaged or exposed to unintentional access or dissemination, and implement concrete measures to prevent this from happening. The cases illustrate that management is obliged to know the privacy regulations and implement appropriate measures to prevent ransomware attacks. Which measures are relevant will largely be up to the company itself, as long as they are suitable for reducing the relevant risk. Companies should nevertheless note that the Norwegian Data Protection Authority refers to both physical measures, such as authentication solutions, and organizational measures such as routines and training of personnel.

Use of two-factor authentication
Passwords can be misused. Either because it is not strong enough, used according to the same pattern, by using the same password on several services, or because the password goes astray. The risk is then great that hackers can gain access to the password, infiltrate an innocent email and break into the business. By using two-factor authentication, the risk will be reduced. The Norwegian Data Protection Authority does not rule out that other measures may provide similar security, but two-factor authentication is recommended by both the National Security Authority and the Norwegian Data Protection Authority. Stortinget had identified that the lack of two-factor authentication was a significant risk but did not implement it. This was considered negligent by The Norwegian Data Protection Authority.

Organizational measures: Routines, training, awareness raising
Awareness by the employees is also important. Hackers often gain access through social influence and theft of login information. Regular training, checklists for the use of IT- equipment, systematic reminders of possible attempts at hacking, are then relevant and important internal control measures. Stortinget itself had considered that a lack of security culture, low competence and little focus on privacy was a very high risk. The Norwegian Data Protection Authority emphasizes that the GDPR requires companies to implement organizational measures for such risk. Relevant measures in that case are mapping the employees’ knowledge of information security and privacy and targeted training of the employees. Guidelines and routines for using the company’s email account are also effective and necessary measures and should be part of the management system for privacy and information security. Other relevant measures are new requirements for passwords, extended scope of security logging, updated guidelines for mobile devices and two-factor authentication.

Analyze risk-and vulnerability
The cases also emphasize the GDPR has requirement for management to identify risk and preventive measures. And, as the Authority emphasizes in the notification to Stortinget, this must not take a disproportionately long time. Many companies may find such an analysis comprehensive and complex. The concepts are often very IT-technical, the assessment is considered complicated and the management is not able to request the right measures. However, it is important to get started, be specific and ensure that management and the professional environment have the same focus. These two cases then provide good guidance for current risk and effective measures: In addition to what is already known about lack of authentication and security culture, the case of Østre Toten municipality shows current risks with the company’s internal infrastructure: Lack of backup increases the risk that data elements cannot be restored and thus lost, and in the absence of a log increases the risk that important information about the attack and how the information is affected is not available.

Summary
The threat of cyberattacks is now something most businesses risk facing. Hence, it is important that management have sufficient knowledge of this and of the requirements of the GDPR to ensure appropriate level of security. Introducing two-factor authentication, regular training and raising awareness of employees are effective measures in this respect. These days, it’s time for management’s review of the business and reporting of internal control. The two cases illustrate well what the management should be aware of.