What to do in case of a data leak in your organisation. Duty to report?
Sooner or later most organisations will be faced with the loss, theft or misuse of personal data (a data leak), whether as the result of hacking or of their own mistakes or negligence. The black book of data leaks kept by Bits of Freedom lists incidents of this kind.
The question is what action should be taken if personal data have become public knowledge or if someone has logged in without being authorised to do so.
Providers of public electronic communication services or networks have a duty to report a breach of their security to the Netherlands Authority for Consumers & Markets (ACM). Any infringements that affect the protection of personal data that have been processed for the delivery of electronic services in the EU must be reported to the ACM without delay. The infringements must also be reported to the parties involved if the protection of their privacy is compromised. The notification should at least contain the nature of the infringement, the name of the contact person for further information and the measures envisaged to limit the adverse consequences of the infringement. The provider must keep any and all infringements on file.
Pursuant to the Personal Data Protection Act, the party responsible for processing personal data must inform the parties involved about, among other things, the purpose of the processing, which data will be processed, how long the processing will take and to whom the data will be provided. This can be interpreted as including a duty to report.
Draft legislation on data leaks requires the party responsible for processing personal data to report security breaches to the Dutch Data Protection Authority without delay. A report is always required if the breach may lead to a considerable risk of adverse consequences for the protection of personal data and privacy. The draft European Privacy regulation sets a 24-hour term for the party processing the data to report security breaches. This independent statutory obligation for the data processor is not included in the national draft legislation.
The national draft legislation seeks to establish a link with the Telecommunications Act. In order to prevent an overlap between the Telecommunications Act and the Personal Data Protection Act, a provision is included which stipulates that the Personal Data Protection Act will not apply to providers of electronic communication services that have already reported infringements under the Telecommunications Act.
The Dutch Data Protection Authority may impose a fine of up to € 450,000 in case of a violation. Furthermore, the Dutch Data Protection Authority is to replace the ACM as supervisory authority for the duty to report. All of this is in line with the European Privacy regulation, which is expected to enter into force in 2016. In the meantime a national duty to report will probably apply.
As the party responsible for data protection, you should primarily see to it that the data protection measures prescribed by law have been taken and that these measures are complied with. An infringement does not only occur when security fails altogether; there may also be a duty to report if security is not up to standard, for example if passwords are handled carelessly, if letters or emails are sent to the wrong address, or if confidential documents, laptops, mobile phones, memory sticks and the like are lost.
Reporting contingency plan
A contingency plan is important: with one in place, security breaches can be reported to the Dutch Data Protection Authority and to the parties involved without losing time, which helps to avoid liability and fines. Under a proper contingency plan a team should be formed, consisting of employees, a privacy lawyer and an expert in the field of data protection, who together can make swift decisions.
As yet the draft legislation has not taken effect and there is no general duty to report security breaches. However, reporting breaches to the parties involved will probably be wise, not only because failing to do so might be seen as a violation of the generally accepted standard of care, but also because you may run the risk of being held liable for damages. Insurance companies such as Chubb offer policies that cover the expenses incurred in reporting security breaches.
A report to the parties involved should include a detailed description of the nature of the infringement, which information has (possibly) been lost, and what is being done to solve the problems and to mitigate the damage. It should also name a contact person and state what measures the parties involved can take themselves to limit their losses.
A press statement may also be important. Word it carefully without sacrificing transparency, and try to prevent further damage to your reputation. By being transparent and by acting adequately you may restore confidence.
Of course we will be happy to help!