Go directly to contents.
What should I do?

Data has been stolen or leaked from my organisation

Consider the following after the most acute situation

Make the necessary changes to the information systems

Once the security vulnerability has been blocked, it is important to plan what kind of possible more extensive changes should be made to the information system. Schedule and plan the technical changes together with the system supplier.   

As a result of a data breach and a data leak, you may have to

  • recover data from a backup copy
  • repair vulnerabilities
  • update systems or reinstall them
  • compensate for or acquire new devices
  • change passwords. 
Updated: 25/3/2022

Make the necessary changes to your organisation’s processes

It is important to go through the processes and practices of your organisation to determine whether any changes are required in them.

It may be necessary for your organisation to 

  • make sure that the data security and data protection requirements have been taken into account in the processes
  • change the usual practices
  • make the data security requirements stricter
  • organise training on data security and data protection.
Updated: 29/11/2021

How the criminal procedure progresses

The criminal procedure proceeds from the reported offence to the consideration of charges

  1. The police receive a report.
  2. The police investigate whether there is reason to suspect an offence. 
  3. If there is reason to suspect an offence, the police will conduct a pre-trial investigation. 
  4. The pre-trial investigation determines the course of events in the suspected offence, the persons related to it, the benefit gained from the offence, the damages caused and the demands of the complainant, the victim. The pre-trial investigation can be interrupted if no one is suspected of an offence or it is not possible to get a clarification of the matter. 
  5. After the pre-trial investigation, the consideration of charges follows. The prosecutor decides whether they will bring charges on the suspected offence of not. 
  6. If charges are brought, the criminal case will be dealt with in court. At the end of the trial, the court will issue its decision on the case. Less serious criminal cases can also sometimes be dealt with in a written procedure.

Read more about the process of investigating a cyber crime in the publication of the Police University College and Jyväskylä University of Applied Sciences Cyber crime is a police matter‒ a guide to the cyber crime investigation process (in Finnish)Opens in a new window..

Updated: 7/12/2021

Who pays compensation to the organisation?

In certain cases, it is possible for an organisation to receive compensation for the costs caused by a data breach/data leak. The compensation may be 

  • contractual compensation 
  • compensations received from insurances
  • compensations for damages.  

The organisation can demand contractual compensations from the system supplier if an entry on compensations has been recorded in the contract between the organisation and the system supplier. Typically, the possibility of contractual compensation in situations, in which the system supplier has not complied with the contractual obligations or has in some other way caused the data breach or data security risk, have been recorded in the contract. 

It is possible to take out insurances for data security breaches. The extent of the insurances varies: some insurances compensate for only the salary costs of the IT specialist needed to deal with the incident, while some insurances compensate also for the costs of business interruption and compensations paid to outsiders Some insurances also include expert help in data breach and data leak situations. 

If you suspect an offence such as a data breach, report an offence. In this case, you can submit claims for compensation for damages to the suspected offender.

Updated: 1/12/2021

Who compensates for the damage to the customer?

Your customer may have the right to demand compensation for damage from your organisation if your organisation has violated the EU’s General Data Protection Regulation (GDPR). Read more about claiming compensation for damages for GDPR violations on the website of the Office of the Data Protection Ombudsman.Opens in a new window.

If an offence has been committed, your customer may demand compensation from the suspected offender. Read about compensation related to criminal damages on the Victim Support Finland (RIKU) website. Opens in a new window.

Updated: 2/12/2021

What sanctions may result from violations of the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) regulates the processing of personal data. If the organisation does not comply with the GDPR requirements, the Office of the Data Protection Ombudsman may issue a warning, a caution or an order to the organisation, depending on the severity of the negligence. The Office may also restrict the processing of personal data by the organisation or impose a ban on processing it. 

In addition to or instead of other corrective measures, the supervisory authority may also impose an administrative fine which may be 4 per cent of the turnover or EUR 20 million at the most. 

Read more about the different sanctions and the powers of the Office of the Data Protection Ombudsman at (in Finnish).Opens in a new window.

Updated: 30/11/2021

Where can I get support for coping with the situation?

Updated: 29/11/2021

Are you satisfied with the content on this page?