Sweden: DPA fines Umeå University (~53,000 EUR)

Very interesting case involving sensitive personal data that

  • was shared via unencrypted email (which was pointed out to the university, but was not reported as an incident)
  • was stored on box.com, protected only by username/password, despite the fact that the University’s risk assessment didn’t support this – and in violation of its published internal policies

(I hope I read the documents correctly.)

Press release: