Last week, the Norwegian Data Protection Authority announced that they intend to sanction Østre Toten municipality with a fine of NOK 4,000,000 due to the municipality’s non-compliance with the GDPR requirements. The announced sanction follows in the wake of the Data Protection Authority’s investigation of the municipality’s IT systems after it was exposed to a fatal ransomware virus attack in January this year. Leaked personal data was discovered first by FBI on the dark web. Taking into consideration that the municipality is not criticised by the Authority for how it handled the attack as such, the sanction appears as a striking conclusion. The amount of NOK 4,000,000 is also of a significant size, especially from a Norwegian perspective. In comparison, the Data Protection Authority according to its latest yearly report issued fines totalling NOK 5,875,000 during the whole of 2020. The sanction is also remarkable considering that the Data Protection Authority themselves states that the attack is currently believed to have cost the municipality more than NOK 32,000,000 and onwards notes that this likely is an enormous financial burden for a municipality with only around 15,000 inhabitants.
In order for other businesses to understand the Data Protection Authority’s position, and not least to avoid being faced with a similar sanction in case a company is exposed to a cyber-attack, one must be well acquainted with and ensure compliance with the strict information security requirements under the GDPR. These are requirements that apply to all businesses when they, as part of their operations, process information that can identify individuals. The Data Protection Authority’s decision provides clear answers to what is expected of the company in terms of which basic security measures must be in place.
The Authority’s assessment also provides clear answers to what precautions companies are expected to take considering the ever-increasing risk of ransomware viruses and similar attacks. If the company wants to avoid criticism and fines, on top of the often-significant costs associated with dealing with such an attack, one must act before the potential attack takes place.
The GDPR requires that companies must carry out specific risk assessments and implement appropriate technical and organizational security measures that address the specific risks they are facing. The key objective is that the company must assess the risk of personal data getting temporarily or permanently lost, altered or exposed to breaches of confidentiality. Considering how probable and easily undesirable cyber events can occur, the company must then implement «appropriate» safety measures to reduce the risk to an acceptable level.
In the assessment of the decision against Østre Toten municipality, the Data Protection Authority emphasizes that the municipality is responsible for the processing of extensive special category data. The Data Protection Authority then focuses on three basic technical and organizational measures that the municipality, in the Authority’s opinion, should have implemented. First, the municipality’s employees did not use two-factor authentication when logging in, meaning that login information obtained illegally provided easy access to the municipality’s IT systems. The abuse of such login information was the presumed way in which the attackers gained access to the system. Second, the municipality did not have sufficient backup systems, as these were not adequately protected against both intentional and unintentional deletion, manipulation, and access. Not only were such backup protection considered crucial for data protection and information security, but it also made the restoration of the operation of the systems more difficult so that regaining control of the situation became problematic. Third, the firewall was insufficiently configured for logging. Considerable amounts of internal traffic were never logged, and the servers were not configured to create a central log reception. This made it difficult to trace and uncover unauthorized use and was clearly accentuated in the Authority’s assessment of the incident. The Authority concluded that due to these shortcomings, the municipality had completely lost control of a significant amount of personal data. including large amounts of special category data.
It is also noteworthy that the Data Protection Authority emphasize the management’s and employees’ lack of awareness of possible security threats and cyber-attacks. This clearly illustrates that all entities are expected to carry out risk assessments to increase its level of awareness and knowledge of potential threats. Specifically, this means that company must understand and consider increasingly advanced attempts of cyber-attacks, and possibly strengthen the protection measures in light of technological developments.
The Norwegian Data Protection Authority concluded that the municipality’s omissions entailed a clear violation of several GDPR provisions. Even though the municipality’s handled the attack in a praiseworthy way, the Authority have announced that they will impose the sizable fine of NOK 4,000,000. It should be noted that this is the Authority’s preliminary assessment and the municipality is expected to object. However, the case is interesting reading for all companies that wants to understand the requirements for handling cyber-attacks and similar incidents.