Accusations Surface That Norway Data Breach Failed Notification Laws

There’s been some fallout over the Norway data breach. Accusations are surfacing that the breach may have violated European breach notification laws.

Last weekend, we brought you news that 2.9 million Norwegian medical records may have been compromised by hackers. For those keeping track, this represents half the population of the country. Officials acknowledged the breach, describing it as “professional”. Officials also say that an investigation is underway.

Of course, when a data breach exposing half the population of a country occurs, it doesn’t go unnoticed. A European law known as the General Data Protection Regulation (GDPR) is being examined in relation to this breach. The law is said to take effect on May 25 later this year. The law stipulates that if a breach occurs, an organization has 72 hours to notify affected users.

The problem here? Norwegian healthcare authorities waited a full week before notifying those affected by this breach. Computer Weekly reports:

Some security commentators said the incident should be a wake-up call for organisations planning to comply with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018, while others have called for improved collective defence.

On 15 January 2018, Health South-East RHF, a healthcare organisation that manages hospitals in Norway’s southeast region, confirmed that healthcare records of 2.9 million citizens may have been exposed, seven days after being notified of the breach by HelseCERT, the country’s computer emergency response team for the healthcare sector.

“This is a serious situation and measures have been taken to limit the damage caused by the incident,” said Health South-East RHF and Sykehuspartner HF in a joint statement.

In a standard face-saving statement, Health South-East RHF said the attacker appeared to be “an advanced and professional player”, and that it has taken measures to limit the impact of the breach, but gave no further details.

The catch to all of this is that the law doesn’t take effect for another couple of months, so any potential consequences might be more limited.

Still, some might point out that this latest breach is yet further justification for data breach notification laws. With breaches seemingly happening continuously in both the public and private sectors, more and more people are looking for ways to safeguard their personal information, including through legislation.

This month alone, there have been a number of major data breaches. These include the 2 million exposed in the Jason’s Deli breach, the 100,000 exposed in the latest Bell Canada breach, the 20,000 exposed in the SinVR data leak, and the second biggest data breach of all time, in which 1 billion people were exposed in the Aadhaar data breach. You could be forgiven for thinking it is a free-for-all for identity thieves these days.

What we do know is that this is definitely not the end of the Norway data breach story. We’ll keep an eye on things to see if anything new develops.

Drew Wilson on Twitter: @icecube85 and Google+.
