The Copenhagen-based law firm was hit by a hacker attack in 2020, where its IT systems lacked "very basic security measures."
The hacker attack appears to be a ransomware attack, with the Danish Data Protection Authority explaining that the hackers not only gained access, but also "encrypted the law firm's servers, which contained information about the firm's clients and counterparties.".
This created a serious risk that the hackers could gain access to personal data of a particularly sensitive nature.
Lack of basic security measures
In systems containing a large number of personal data of a particularly sensitive nature, where compromise would pose a high risk to the rights of data subjects, the controller must have specifically qualified security measures in place to ensure that unauthorized access to personal data does not occur.
Thus, when creating remote accesses to such IT systems, verification measures, such as multifactor logins, must be implemented.
In this context, the Danish Data Protection Authority directly states that "Law firms by their nature process a lot of data which require special protection. In this case, lawyers lacked basic security measures, which unfortunately meant that, among other things, clients' data were compromised. You cannot protect yourself 100% against hacker attacks, but GDPR rules require you to make an effort to avoid what corresponds to the risk."
Fine and report to police
The Danish Data Protection Authority always carries out a specific assessment of the seriousness of the case, pursuant to Article 83(2) of the GDPR, when assessing which sanction is to be considered appropriate.
By assessing that a fine should be imposed, the Danish Data Protection Authority has considered that the law firm had not implemented the minimum-security measures expected when using remote access to systems which, if compromised, would pose a high risk to the rights of data subjects.
Additionally, the Danish Data Protection Authority considered, inter alia, the nature and gravity of the infringement and the requirement of the GDPR that a fine in each case must be effective, proportionate and dissuasive.
The Danish Data Protection Authority has decided to fine the law firm DKK 500,000, approx. EURO 67,150, which in a Danish context is in the higher end of fines regarding GDPR breaches and to report the case to the police.
The largest fine so far was DKK 10 million, which was imposed on the Danish bank Danske Bank in April 2022 for failing to delete personal data in accordance with the GDPR regulation.
It is interesting to see such a precedent for data security requirements for law firms, which by their very nature process a great deal of personal data covered by the GDPR.
Article provided by INPLP member: Claas Thöle (advores Advokater & Rechtsanwälte, Denmark)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)