Data has been stolen or leaked from my organisation

Once the security vulnerability has been blocked, it is important to plan what kind of possible more extensive changes should be made to the information system. Schedule and plan the technical changes together with the system supplier.   

As a result of a data breach and a data leak, you may have to

• recover data from a backup copy
• repair vulnerabilities
• update systems or reinstall them
• compensate for or acquire new devices
• change passwords. 

It is important to go through the processes and practices of your organisation to determine whether any changes are required in them.

It may be necessary for your organisation to 

• make sure that the data security and data protection requirements have been taken into account in the processes
• change the usual practices
• make the data security requirements stricter
• organise training on data security and data protection.

The criminal procedure proceeds from the reported offence to the consideration of charges

1. The police receive a report.
2. The police investigate whether there is reason to suspect an offence. 
3. If there is reason to suspect an offence, the police will conduct a pre-trial investigation. 
4. The pre-trial investigation determines the course of events in the suspected offence, the persons related to it, the benefit gained from the offence, the damages caused and the demands of the complainant, the victim. The pre-trial investigation can be interrupted if no one is suspected of an offence or it is not possible to get a clarification of the matter. 
5. After the pre-trial investigation, the consideration of charges follows. The prosecutor decides whether they will bring charges on the suspected offence of not. 
6. If charges are brought, the criminal case will be dealt with in court. At the end of the trial, the court will issue its decision on the case. Less serious criminal cases can also sometimes be dealt with in a written procedure.

Read more about the process of investigating a cyber crime in the publication of the Police University College and Jyväskylä University of Applied Sciences Cyber crime is a police matter‒ a guide to the cyber crime investigation process (in Finnish)Opens in a new window..

In certain cases, it is possible for an organisation to receive compensation for the costs caused by a data breach/data leak. The compensation may be 

• contractual compensation 
• compensations received from insurances
• compensations for damages.  

The organisation can demand contractual compensations from the system supplier if an entry on compensations has been recorded in the contract between the organisation and the system supplier. Typically, the possibility of contractual compensation in situations, in which the system supplier has not complied with the contractual obligations or has in some other way caused the data breach or data security risk, have been recorded in the contract. 

It is possible to take out insurances for data security breaches. The extent of the insurances varies: some insurances compensate for only the salary costs of the IT specialist needed to deal with the incident, while some insurances compensate also for the costs of business interruption and compensations paid to outsiders Some insurances also include expert help in data breach and data leak situations. 

If you suspect an offence such as a data breach, report an offence. In this case, you can submit claims for compensation for damages to the suspected offender.

Your customer may have the right to demand compensation for damage from your organisation if your organisation has violated the EU’s General Data Protection Regulation (GDPR). Read more about claiming compensation for damages for GDPR violations on the website of the Office of the Data Protection Ombudsman.Opens in a new window.

If an offence has been committed, your customer may demand compensation from the suspected offender. Read about compensation related to criminal damages on the Victim Support Finland (RIKU) website. Opens in a new window.

The General Data Protection Regulation (GDPR) regulates the processing of personal data. If the organisation does not comply with the GDPR requirements, the Office of the Data Protection Ombudsman may issue a warning, a caution or an order to the organisation, depending on the severity of the negligence. The Office may also restrict the processing of personal data by the organisation or impose a ban on processing it. 

In addition to or instead of other corrective measures, the supervisory authority may also impose an administrative fine which may be 4 per cent of the turnover or EUR 20 million at the most. 

Read more about the different sanctions and the powers of the Office of the Data Protection Ombudsman at tietosuoja.fi (in Finnish).Opens in a new window.

If you feel overwhelmed by the situation, you can always seek help from:

• your occupational health care provider
• the social welfare and crisis emergency services of your home municipality (link in Finnish)Opens in a new window.
• the Crisis Helpline of MIELI Mental Health FinlandOpens in a new window.
• Victim Support FinlandOpens in a new window.

You can also seek help from the health centre of your home municipality (link in Finnish)Opens in a new window..