Last week I went to a fair about Information Security. I signed up for two presentations about an amendment to the law 'Wet bescherming persoonsgegevens (Wbp)' called the 'meldplicht datalekken' (mandatory reporting of data breaches). From January 1st 2016, this law obligates organizations to report data breaches that affect personal data to the 'College Bescherming Persoonsgegevens (CBP)' and to the persons affected. The presentations were very interesting, so why not share what I learned with you.
What does the law on reporting data breaches entail?
The law obligates organizations to report data breaches to the CBP. But what is a data breach? And when do you have to report? To whom, and what do you have to say? Common questions, but the answers aren't that clear. It depends on your individual situation. Let's clarify this with some examples.
What is a data breach?
According to the CBP: "A data breach is defined in the Data Protection Act (in Dutch: Wbp) as 'an infringement on security (Article 34a, paragraph 1 Wbp)'." So, now you know.
Well... that didn't make it much clearer to me, so I looked for some clarification. What the CBP means by a data breach is, for example, one of the following situations:
- illegal processing of personal information;
- unauthorized access to personal information;
- loss of devices which contain personal information.
In short: all situations where personal information is, or may have been, exposed and can be used for purposes it was not intended for.
When do you have to report?
You have to report when one of the situations above has unfortunately become reality. Let me remind you that the presumably exposed data has to be intelligible! In other words, when the leaked data is unreadable because it is encrypted, you do not have to notify the affected persons, but you do still have to report to the CBP! The law was introduced to protect personal information, so when that information makes no sense to an attacker because it is hashed or encrypted, the persons affected are not in danger, according to the CBP. Naturally, this only holds when the decryption keys were not leaked or exposed and you have encrypted the data properly with one of the standard algorithms recommended by the European Union Agency for Network and Information Security (ENISA). Be careful with hashing, though: a plain hash of a low-entropy value such as a password can often be recovered by brute force, so it does not automatically make the data unintelligible.
Also, you have to report within two working days, so weekends and holidays are excluded. That sounds kind of weird to me. As if people aren't in danger during weekends or at Christmas time, for instance. Oh, of course..! On Christmas Eve malicious people are busy eating their Christmas turkey as well. How silly of me.
To whom do we have to report?
As an organization, you have to report your bad news to two parties:
- The CBP and
- the person(s) affected (how to report is not specified).
The CBP registers your notification in a central register, which is not publicly accessible. They keep track of how many reports are received per organization, and when they feel you report too many data breaches, you can expect a fine.
What do we have to report?
There is quite a bit you have to report. The CBP will offer a web form on which you can report your data breach. In addition, you have to notify the affected persons of the possible danger they may be in and, for instance, call on them to change their passwords. Some examples in short:
Report to CBP:
- Nature of the infringement;
- Date and time;
- Consequences (such as possible identity theft or financial loss);
- Measures already taken (such as a call to change passwords or closing ports).
Report to affected person(s):
- the nature of the infringement;
- where the person can find more information about the infringement; and
- the measures you recommend the person to take to minimize negative effects of the infringement.
What if you don't report?
When you do report, you receive an acknowledgement (hooray!) and your notification is added to the central register. The CBP assesses your data breach and, if they decide further action is needed, they will contact you.
When you do not report, your hands will be chopped off. No, just kidding, it's something more nerve-wracking... You can receive an 'administrative fine' of up to € 20.250,-. The CBP judges cases individually, so the actual fine will be a surprise.
At the same time, when you do not report, it is likely that the data breach will have a negative effect on the persons concerned. Their data has been stolen and can be used for inappropriate purposes. Imagine that passwords were stolen. This can have a huge effect on people's lives, since a lot of us still use one password for multiple accounts. So it is quite likely that malicious people will open more than one door with a single key.
Keep your eyes open and walls shut
This is what I wanted to share with you, and I hope you now have a clear view of what the law on reporting data breaches means in practice. Have some fun exploring the law in more detail on the CBP's site. And for now, keep your eyes open and your walls shut.