Norway: Datatilsynet issues notification of fine NOK 2M to Storting for not implementing two-factor authentication
The Norwegian data protection authority ('Datatilsynet') published, on 24 January 2022, its decision no. 20/03500-8, issued on 13 January 2022, in which it ordered a fine of NOK 2 million (approx. €199,480) against the administration of the Norwegian Parliament ('Storting') for violations of Articles 5(1)(f), 32(1)(b), and 32(1)(d) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), for not implementing appropriate technical and organisational measures, including two-factor authentication, to achieve a level of security appropriate to the risk and thereby ensure continuing confidentiality, integrity, and robustness.
Background to the decision
In particular, the Datatilsynet stated that the Storting had been exposed to data breaches in the autumn of 2020. In addition, the Datatilsynet noted that the data breach had concerned unauthorised access to the email accounts of an unknown number of parliamentary representatives and employees in the administration and group secretariats. Furthermore, the Datatilsynet noted that the initial investigations had revealed that the attackers had downloaded data from the email accounts, including personal information about the elected representatives and the Storting's employees, such as bank and account information, dates of birth, and health information. Hence, the Datatilsynet stated that the Storting's administration and the representatives had lost control of the personal information that had been in their email accounts.
Findings of the Datatilsynet
In particular, the Datatilsynet noted that the GDPR requires the data controller to establish a level of security that is suitable for ensuring lasting confidentiality, integrity, availability, and robustness in the processing systems and services under Article 32(1)(b) of the GDPR. In addition, the Datatilsynet considered it serious that the Storting had not implemented sufficient technical measures, such as two-factor authentication or similarly effective security measures, that could have prevented the violation, even though the Storting itself had identified the lack of authentication as a vulnerability. Furthermore, the Datatilsynet considered that the Storting's administration had acted with gross negligence, for not having implemented two-factor authentication when creating email accounts for the elected representatives, and for not having done so by the time of the second attack either, even though two-factor authentication is regarded as a known and effective security measure. Moreover, the Datatilsynet considered that the Storting must be regarded as an attractive target for computer attacks, and that, based on a risk assessment, a significantly stricter security regime should have been adopted. Lastly, the Datatilsynet noted that possible consequences for those affected by the attack could be identity misuse, misuse of payment cards, and the use of the information for extortion.
In light of the above, the Datatilsynet found that, after an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of the infringement and the GDPR's requirement that the imposition of infringement fines in each individual case must be effective, proportionate, and dissuasive, it had imposed a fine of NOK 2 million (approx. €199,480). However, the Datatilsynet pointed out that this was only an advance notification of a fine, and not a final decision. Furthermore, the Datatilsynet noted that the Storting had three weeks to provide feedback with its views on the case, and that the Datatilsynet would then assess the feedback and make a final decision.
UPDATE (16 February 2022)
Datatilsynet receives response from Storting
The Datatilsynet announced, on 15 February 2022, that it had received a response from the Storting's administration to its notification of the fine of NOK 2 million (approx. €199,480). In particular, the Datatilsynet noted that it would go through the feedback from the Storting's administration and issue a final decision, and that if the Storting's administration does not accept the decision, it can appeal to the Norwegian Privacy Board, which is the appeal body for the Datatilsynet's decisions.
UPDATE (5 July 2022)
Datatilsynet fines Storting NOK 2M for not implementing two-factor authentication
The Datatilsynet published, on 28 June 2022, its final decision, issued on 4 March 2022, in which it upheld its notified decision to fine the Storting's administration NOK 2 million (approx. €199,480) for not implementing two-factor authentication. In addition, the Datatilsynet emphasised that its decision can be appealed, and that the Storting may make further objections in connection with a possible appeal process at the Datatilsynet and the Norwegian Privacy Board, which is the appeal body for the Datatilsynet's decisions.