It’s encouraging to see breach notification deadlines taken seriously. The Norwegian Data Protection Authority has imposed a monetary penalty of NOK 2.5 million on Argon Medical Devices for breaching Article 33 (1) of the GDPR. That article requires controllers to notify the regulator of a personal data breach within 72 hours.
According to Datatilsynet (the Norwegian DPA), in July 2021, Argon Medical Devices discovered a security breach affecting their EU employees but did not notify the regulator until September 2021, long after the 72-hour deadline for reporting.
The decision summarizes the timeline and issue:
On 24 September 2021, Argon Medical Devices, Inc. (“Argon”, “you”, “your”, the “company”) submitted a personal data breach notification to Datatilsynet pursuant to Article 33(1) GDPR.
Such notification concerned a cyber security incident that Argon experienced between 21 May and 14 June 2021, which affected the personal data of all of Argon’s European employees, including one employee in Norway.
Further to an inquiry into this matter, Datatilsynet found that Argon became aware of the personal data breach in question at least on 19 July 2021, and that it notified the breach to Datatilsynet 67 calendar days after that date, thus well beyond the statutory deadline imposed by Article 33(1) GDPR for personal data breach notifications.
In light of the above and for the reasons outlined below, Datatilsynet issues an administrative fine of NOK 2 500 000 (two million and five hundred thousand) against Argon for having infringed Article 33(1) GDPR.
It is instructive to read the full decision for more details about how the DPA interprets Article 33 of the GDPR on notification and Argon’s failed arguments that the delay was justified.
The decision is clear:
Argon’s notification should have taken place “not later than 72 hours” after 19 July 2021. Hence, it should have taken place not later than Thursday 22 July 2021,[82] in particular as Argon could not confirm within that date that the breach was unlikely to result in a risk to the rights and freedoms of natural persons. Instead, Argon notified Datatilsynet on 24 September 2021, over two months outside the 72-hour timeframe set out in Article 33(1).
Argon’s defenses were the kinds of explanations that DataBreaches has repeatedly been unsympathetic to, such as treating the date a forensic investigation was completed as the date of discovery.
In reviewing aggravating and mitigating factors, Datatilsynet also noted that taking a month to determine that personal data was involved was an aggravating factor, not a mitigating one:
Another aggravating factor is the fact that—as outlined above—Argon not only notified the breach to Datatilsynet with a considerable delay from the moment when it became aware of the personal data breach (i.e., at least on 19 July 2021); it also took Argon over a month to find out that personal data had been compromised after it first detected the security incident. This factor should be weighed against Argon in the present case.
In its written representations, Argon argued that “the timeline for the forensic investigation should not be considered an aggravating factor in the circumstances”.[145] We take note of this argument, but we find it unconvincing. Although the GDPR required Argon to implement all appropriate technical protection and organisational measures to “establish immediately”[146] whether a breach has taken place and to inform promptly the supervisory authority and the data subjects, Argon took measures to assess whether personal data were affected by the incident only in July 2021,[147] even though it was aware of the incident since 14 June 2021.[148]
The regulator also notes the misleading date of discovery that Argon gave in the opening statement of its notification:
The infringement contested in the present case—which concerns a failure to notify on time, and not a failure to notify as such—became known to Datatilsynet after a careful scrutiny of Argon’s very lengthy and detailed notification. Such a notification did not inform Datatilsynet of the delay. On the contrary, its introductory statement was misleading in that it said that “Argon only became aware [of a personal data breach within the meaning of the GDPR] on 21 September 2021”,[138] and thus a superficial reading of the notification could have led the authority to believe that the notification was submitted on time three days later, on 24 September 2021. Therefore, the infringement became known to Datatilsynet only after and due to a careful assessment of the notification and the inquiry that followed it. This factor should be weighed against Argon.
American firms that do business in the EU should take special note of this case (and the results of any appeal, if one is filed): any breach that is reportable to EU regulators under Article 33(1) of the GDPR can result in fines if they fail to understand and fully comply with the 72-hour notification deadline and with how regulators define the date of discovery for that purpose.