News

06.12.2023

Insurance company fined SEK 35 million for security failures and putting data subjects’ data at risk.

The Swedish Authority for Privacy Protection issued an administrative fine of SEK 35 million (3MEUR+) against the insurance company Trygg-Hansa due to severe security flaws that enabled unauthorized access to information via the internet and put 650 000 customers’ data at risk for a period of over two years . The case also provides guidance on IMY’s view for calculating the amount of fines in large groups of companies with autonomous business areas and separate IT systems.

The Swedish Authority for Privacy Protection (“IMY”) initiated an investigation of the insurance company Moderna Försäkringar (which merged with Trygg-Hansa in April 2022 and is herinafter referred to as “Trygg-Hansa”).  The investigation revealed significant deficiencies in technical security measures resulting in unauthorised access to a vast amount of personal data. The decision mainly concerned the obligation to implement appropriate security measures in accordance with Articles 32.1 and Article 5.1 (f) of the GDPR.

A security breach occurred  when some of the insurance company's customers received an email or a text message from the company with a web link to a page on its website containing insurance information of other data subjects. Thus, it was possible to access other policyholders' information such as health, social security numbers, contact details and insurance holdings by altering some digits in the web link.

IMY stated that the substantial number of data subjects affected within Trygg-Hansa’s core business, the extensive amount of information per data subject, and the sensitive nature of the personal data, collectively posed a high risk for the data subjects. IMY asserted that, due to the high risk, measures such as access control, encryption and management of technical vulnerabilities should have been implemented. IMY concluded that the company had not implemented security measures appropriate to the risk.

When calculating the maximum amount of an administative fine to be imposed on an undertaking, the definition of an undertaking used by the European Court of Justice in the application of Articles 101 and 102 of the TFEU should be used. What constitutes an undertaking must therefore be based on the concept of one economic entity. A parent company and a subsidiary are considered part of the same economic entity when the parent company exercises controlling influence over the subsidiary. The presumption is that one hundred percent or almost one hundred percent ownership creates a controlling influence.

IMY stated that Trygg-Hansa constitutes a branch of the Danish company Tryg Forsäkring A/S, which in turn constitutes a wholly owned subsidiary of Tryg A/S ("Tryg"). IMY therefore argued that, according to the presumption, the entire turnover of the Tryg group of companies should be the basis for calculating the maximum fine. IMY concluded that Trygg-Hansa is an economic entity with the Danish parent company because Trygg-Hansa's turnover is fully integrated with the turnover of the parent company, notwithstanding the existence of separate IT systems, IT organization, and management teams between the two companies.

To conclude, IMY found that Trygg-Hansa had not taken appropriate technical measures in accordance with Articles 32.1 and 5.1 (f) of the GDPR to ensure a level of security appropriate to the risk which resulted in an administrative fine.

Article provided by INPLP members: Fredrik Roos and Emily Svedberg-Possfelt

(Setterwalls Advokatbyrå Göteborg AB, Sweden)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)