CYBER EXTORTION

Expert group appointed to prevent massive data breaches like Vastaamo's

The work of the experts will focus on critical areas for society such as health, financial markets, energy and water supply and transport services.

A scandal like the one caused in Finland by the recent theft and massive leakage of sensitive data of 40,000 patients from the private psychotherapy center Vastaamo cannot be repeated.

Many patients from psychiatry and psychology services have seen their personal data and the content of their therapy sessions published on the encrypted Tor network, in what may be the biggest data breach in Finnish history. In parallel, hackers have subjected the company and the victims to aggravated blackmail.

Most of the victims were sent to this private psychotherapy center from the public health system, which outsourced the therapy services to Vastaamo.

All of this is too much for a country like Finland, which claims to be at the forefront of digitization and data security. Many things have gone wrong and the public authorities want to prevent it from happening again.

State responsibility?

With that idea in mind, and while many victims wonder if the state authorities failed in their duty to ensure that their data was safe, the Government has just appointed a group of experts whose job will be to suggest the changes that are necessary so that no other critical sector is affected by similar criminal acts.

On 9 November 2020, the Ministry of Transport and Communications announced the appointment of a working group to identify needs to amend the legislation on information security and data protection in sectors of key importance for the functioning of society and to submit a proposal to the Government for policy guidelines on them.

The aim is to increase the level of information security in Finnish society and to ensure that citizens' data is better protected than at present.

"One reason for setting up the working group is a recent data breach against a service providing psychotherapy services. It showed that there are critical information systems in Finland in which information security and data protection have not been adequately ensured," the Ministry admitted in a press release.

Focus on critical sectors

The study will focus on key sectors of society, such as health care, financial markets, energy supply, water supply and transport services. Further areas included in the study are Finland's digital infrastructure as well as information systems essential for the functioning of public administration.

The assessment should be as concrete as possible and focus, in particular, on the powers and supervision of the authorities. The working group is also expected to provide as accurate an assessment as possible of the operator-specific or information system-specific resources currently allocated to information security tasks, as well as the expertise of the personnel in these matters. The task of the working group is to analyse the effects and calculate the costs of the proposed measures and the additional resources needed.

The group will be chaired by Laura Vilkkonen, Director-General at the Ministry of Transport and Communications.

In addition to representatives of the Ministry of Transport and Communications, the working group has members from the Ministry of Agriculture and Forestry, Ministry of Justice, Ministry of the Interior, Ministry of Social Affairs and Health, Ministry of Economic Affairs and Employment, Ministry for Foreign Affairs and Ministry of Finance.

The group also includes the Cyber Security Director as well as representatives from the Cyber Security Centre of the Transport and Communications Agency, the Emergency Supply Centre, the National Police Board and the Office of the Data Protection Ombudsman.