The background to the decision includes the fact that If has sent sensitive personal data via e-mail without adequate safety measures. If used encryption in transit, but the e-mail was not encrypted the entire time from sender to recipient (so-called end-to-end encryption).
After the incident, If has improved its safety standards where the insurance company has developed and launched a new way of communicating with their customers. Thus, the customers can access messages under “My profile”, which requires safe log-in with Swedish BankID (a two-step authentication).
Due to the safety measures taken after the incident, IMY “only” issues a reprimand against the company.