Susanna Norelid and Marcus Appeltofft look at the impact of cyber-attacks in Sweden
The Covid-19 (cyber) pandemic
The Covid-19 pandemic has, among other things, brought about a significant increase in data breaches worldwide. Sweden has been no exception. Following the global trend, Swedish organisations have experienced a surge of cyber-attacks in the wake of the pandemic. The increase in cyber-attacks has intersected with an EU-wide harmonisation effort, involving the Swedish Privacy Protection Authority, that aims to change the manner in which the European DPAs investigate and manage GDPR-related complaints. As a consequence, this will likely exacerbate the business risks involved with the processing of personal data. When it comes to data breaches, it is a question of when, rather than if, one will occur.
In a survey of cyber security in Sweden, 59% of all participating companies’ Chief Security Officers (‘CSO’) and Chief Information Security Officers (‘CISO’) replied that they had suffered at least one cyber-attack during the last 12 months, and 30% of the companies stated that they had been targeted multiple times during the last 12 months.
Reportedly, global digital service providers are reprioritising their businesses to support current needs, ie solutions for remote work and business continuity, including the potential transition to ‘the new normal’, after the end of the pandemic. Consequently, the conditions for the increased risk of data breaches are not going away anytime soon.
Increased regulatory risk
The comprehensive European regulatory framework related to data protection (or privacy), the General Data Protection Regulation (the ‘GDPR’), specifies several cyber security related rules. First, it must be remembered that in Art. 24 of the GDPR, the accountability principle is expressed. This means that, as a main rule, the controller is responsible and will be held accountable for all its processing of personal data. Most prominently, in relation to data breaches, Art. 32 stipulates that the controller (and processor on the controller’s instructions) shall implement appropriate technical and organisational security measures, taking into account the state of the art, the rights and freedoms of natural persons, the context and purposes of the processing, and the costs of implementation.
It is thus not only the risks to the organisation that must be considered, but also the risks to the rights and freedoms of the individuals whose personal data the organisation is processing. As mentioned above, Art. 32 stipulates that the state of the art must be taken into account. What this implies is a continuous risk-based approach that changes with new developments in the cyber risk sphere.
Now, personal data is of course not the only data that, when targeted in a cyber-attack, has the potential to inflict serious damage on a business. There are other types of data, eg supply chain data and similar, non-personal statistical data (‘non-personal data’). A business’ non-personal data is potentially valuable as well. However, the processing of such data generally will not carry with it the regulatory risk that the processing of personal data does, seeing as the sanctions for non-compliance with the GDPR are especially steep.
Swedish DPA: shifting supervisory approach
The Swedish DPA has, in its annual review of 2020, announced that it will seek to go on the offensive with regard to its supervisory and enforcement capabilities. The Swedish DPA will, due to an EU-harmonisation effort that was developed during 2020 (on the initiative of the Swedish DPA), change its supervisory and investigative approach. Prior to the aforementioned EU-wide DPA harmonisation effort, the Swedish DPA investigated a few, but complex, cases each year. Under the new, harmonised supervisory approach, the DPA will instead pursue a larger and more diverse body of supervisory and enforcement cases. The new approach also involves a more combative stance in relation to legal proceedings, in order to facilitate the creation of new and relevant case law.
This means that a greater number of personal data processes will be targeted by the Swedish DPA for supervisory and enforcement efforts. With approximately 70% of current complaints aimed at private entities, this will likely mean that a higher number of undertakings, albeit smaller undertakings, will be the subject of such supervisory and enforcement efforts.
In the context of increasingly frequent data breaches, this will likely mean that private organisations will frequently be targeted for regulatory supervision and enforcement, which in the case of the GDPR might result in a substantial fine. Thus, the regulatory risk most definitely is on the increase in Sweden and in the EU as a whole.
Insuring cyber risks
Cyber risk insurance, also referred to as cyber risk liability insurance, is a form of liability insurance meant to provide liability coverage for cyber-attacks. Cyber risk insurance might cover cyber extortion (ransomware), hardware and software system failure, cyber fraud, business income loss due to cyber threat, and costs of data breaches and other emergency costs prompted by a cyber-attack and/or a data breach. As part of our long-term collaborations with many leading insurance companies, we provide assistance to insurers and their policyholders through our cyber desk where we manage the affected company’s response to any cyber-attacks or data breaches.
Our cyber desk
To face increasing cyber threats and regulatory risks to private and public entities, and to answer a demand that we have discovered in the market for legal services, we at Norelid Law have developed and are proud to present our unique 24/7 cyber desk. Our 24/7 cyber desk consists of two primary parts, ‘GDPR Proactive’ and ‘GDPR Incident’. We offer our cyber desk services in close collaboration with other experts within information security and IT forensics.
GDPR Proactive is our all-encompassing cyber desk for ensuring that organisations have everything in place for GDPR compliance, be it organisational measures such as steering documents and/or internal guidelines, and/or assisting organisations in procurement and vendor risk management concerning the organisation’s technical measures and relations to processors.
GDPR Incident is our 24/7 cyber desk for emergencies and urgent matters. We urge our clients, potential clients, and cooperative law firms to contact us – at any time – in case of a suspected or confirmed data breach.
Susanna Norelid
Founder and managing partner
Tel: +46 733 74 40 52
E: susanna.norelid@norelidlaw.com
Marcus Appeltofft
Associate
Tel: +46 733 74 40 53
E: marcus.appeltofft@norelidlaw.com