Danish SA: fine of of approx. EUR 67k for a law firm hit by ransomware for its insufficient security safeguards

The Danish DPA held that the law firm lacked basic security measures, especially considering the fact that its processing involved special categories of personal data. The DPA emphasized that in such cases a data breach would almost certainly entail a high risk to the data subjects' rights. Therefore, the controller must have especially strict security measures in place to avoid unauthorised accesses. Hence, when creating remote access to such IT systems, the controller could, for instance, implement multifactor authentication.