A Finnish court has imposed a three month suspended sentence on the former CEO of a psychotherapy firm that experienced a major personal data breach.

The psychotherapy firm was targeted by a ransomware attack, which resulted in sensitive health data being published on the dark web. Prosecutors claimed that the former CEO’s actions were intentionally or grossly negligent as he did not ensure that the personal data processed by the firm was adequately protected. The court found the former CEO criminally liable for failing to comply with GDPR security requirements in terms of the pseudonymisation and encryption of patient data.

The court held that a fine would not be sufficient in this case and therefore imposed the suspended sentence.

While failing to implement appropriate security measures is unlikely to lead to imprisonment under Irish data protection law, prison sentences are possible for certain infringements of the Irish Data Protection Act 2018 (the “2018 Act”), for example for conviction of the offence of disclosure of personal data without authority of the controller or processor pursuant to Section 145 of the 2018 Act.

It is also notable that, in accordance with Section 146 of the 2018 Act, where an offence under the 2018 Act is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a person being a director, manager, secretary or other officer of the body corporate or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and shall be liable to be proceeded against and punished as if he or she were guilty of the first-mentioned offence.