Norway: Ruling in investigation into Argon Medical Devices regarding cybersecurity incident and Late Reporting

On 8 March 2023, the Norwegian Data Protection Authority (Datatilsynet) concluded its inquiry into Argon Medical Devices, Inc. (Argon) over a cybersecurity incident. On 24 September 2021, Argon notified Datatilsynet of a cybersecurity breach that occurred between 21 May 2021 and 14 June 2021. Datatilsynet found that Argon notified of the incident 62 calendar days after it occured, causing Argon to violate Article 33(1) of the GDPR, which requires incident reporting without undue delay. Therefore, a fine of NOK 2'500'000 was imposed.