Another significant fine for the lack of adequate security measures on personal data was recently issued by a European Supervisory Authority (SA) to a controller responsible for private customers´ data.
In the present case, the Swedish Supervisory Authority (IMY) imposed a fine of SEK 35 million (approx. EUR 2.9 million) to the insurance company Trygg-Hansa, a branch of Tryg Forsikring A/S with a decision issued on 28 August 2023.
The fine was imposed following an identified security breach that led to the potential disclosure of 650,000 data subjects’ personal data, including special categories of data.
Background to the IMY’s decision
The IMY started an investigation on Trygg-Hansa – in particular, on an acquired entity part of the Group since April 2022 – following a notification from a data subject about a potential data breach, that was indeed ascertained. The data subject noticed the breach in an email received from the controller including a quotation for an insurance sent by the company. The email was providing a link that showed documents including insurance information. By accessing the link, the data subject could notice that it was easily possible to access other customers data with the same link, only by replacing some digits (numbers in the web link). Surprisingly, it was possible to access the customers´ insurance files in an effortless and of course not secure way.
Furthermore, the accessible documents were including special categories of data, like health data, that would have allowed the unauthorized accessor to identify health issues of the customers and in such a way, obtain information about the person´s life and private conditions. On top of regular categories of personal data and special categories, additional information about social security and insurance conditions were also potentially visible.
It was also identified during the investigation, that the data were potentially exposed for a period of over two years from October 2018 to February 2021.
The Swedish SA, following the investigations and the assessment of the case, concluded that the principle of integrity and confidentiality of personal data (Art. 5.1 (f) GDPR) and the obligation to ensure an adequate level of protection to personal data (Art. 32 GDPR) were breached, hence the decision to impose a monetary sanction.
From the case described, it is possible to deduct two main lessons in relation to the compliance of personal data processing by controllers:
- Always consider data protection compliance within the due diligence practices before an acquisition or merge of new entities: the breach did in fact occur before the acquisition of the entity involved by the Tryg Forsikring Group. According to the opinion of the IMY, this could have been detected with a review of the security measures in place.
- Ensure that the security measures applied are always reviewed and tested to grant an effective and valid protection system for personal data during the entire course of business and on different means of processing.