In recent years data breaches have increased, both in numbers and intensity. Breaches of personal data have the potential to severely damage individuals, for example in case of credit card fraud or identity theft. To improve the security of personal data, the European legislator created a duty for people and corporation that process personal data (“data controllers”) to notify national data protection authorities and individuals (“data subjects”) in case of data breaches.
This duty to notify is included in the new General Data Protection Regulation, which is scheduled to enter into force in the near future. In anticipation of this EU Regulation a duty to notify data subjects and the data protection authority in case of a data breach will be introduced in the Netherlands on 1 January 2016. The goal of this new rule is to confirm and restore trust in controllers of personal data. As a result, it can be expected that existing contracts need to be reviewed and, where necessary amended.
The introduction of a duty to notify is relevant for all controllers and processors of personal data, for example those dealing with contracts between payroll agents and employees. In this newsletter we will provide answers to the following six questions data controllers might have on the new data breach notification: (i) What constitutes a data breach? (ii) Who has the duty to notify? (iii) What to do in case of a data breach? (iv) How can a proper level of security be acquired? (v) What if controllers do not comply with duty to notify? And (vi) What are the practical changes data controllers have to make?
1. What constitutes a data breach?
A data breach is a:
1. Breach of security;
2. with a high risk to result in a loss or unlawful processing of personal data;
3. which could damage the data subjects’ privacy or data privacy in general.
A breach of security does not necessarily result from faulty or lacking security measures for protecting personal data. Data breaches can also take place if sufficient security measures are in place, for example in case an IT-system is hacked or a laptop is stolen from a closed locker.
Not all cases in which personal data could have leaked will lead to a duty to notify. This duty only exists in case there is a reasonable risk the data breach leads to a loss or unlawful processing of personal data and this leads to a reasonable risk that the data subjects’ privacy or data privacy in general will be compromised. This is an assessment the controller has to make after detecting a data breach.
The question if the data breach leads to a loss or unlawful processing of personal data and to what extent the breach leads to infringement of the data subjects’ privacy or data privacy in general, has to be answered on a case-to-case basis. The nature of the breach and the nature of the data involved are taken into account.
2. Who has the duty to notify?
A similar duty to notify in case of data breaches already existed in the Netherlands for providers of telecommunication services. With the new law the duty to notify is introduced for all controllers of personal data who’s security has been breached, both in the private and the public sphere.
Data controllers often leave the processing of personal data to a third party (a data processor). In these cases the controller remains the responsible party for any data breaches that take place at the processor. This means the controller will have to make sure that the processor informs the controller in case of data breaches.
3. What to do in case of a data breach?
After a data breach the controller needs to take appropriate measures to limit the privacy infringement as much as possible, for example changing usernames and passwords in case these have been compromised. Furthermore, the controller has a duty to immediately notify the data protection authority and the data subjects of the data breach, although not every breach needs notification.
Notification of the data protection authority is only necessary in case there is a reasonable chance the data breach will lead to infringement of data privacy in general. Notification of the data subject is necessary in case there is a reasonable chance a data breach will lead to infringement of the privacy of the data subject. So far, it is not clear what constitutes a duty to only notify the data protection authority or only the data subject. It is hard to imagine circumstances in which data privacy in general is compromised, but not the data privacy of data subjects and vice versa.
The notification to both the data protection authority and the data subject need to include the nature of the data breach, the person or entity that can provide more information about the data breach and the recommended measures to keep the privacy infringement to a minimum.
Furthermore, the notification to the data protection authority has to contain a description of the identified and possible consequences of the data breach for the processing of the personal data, the measures the controller took or wants to take to prevent any (more) negative consequences of the data breach and whether or not the data subjects will be informed of the data breach.
The severity of the data breach and its consequences, the size of the group of data subjects who’s privacy could be infringed and the costs of notifying them are taken into account to determine if the data subjects have been properly notified of the data breach.
Data subjects do not have to be notified if the controller took measures that prevent unauthorised third parties to read the personal data involved, for example by encryption.
After being notified, the data protection authority will assess the notification and decide if further investigation is necessary and if any (further) extra measures have to be taken.
The data controllers also need to keep track of all the data breaches that have occurred in a log. This log contains the nature of the data breaches, the entity that provided information about the data breaches and the recommended measures they took to keep the privacy infringement to a minimum. It also contains the text of the notification that was send to the data subjects after the breach was detected.
4. How can a proper level of security be acquired?
The Dutch data protection authority published guidelines on security measures. These guidelines help data controllers to properly secure their personal data: https://cbpweb.nl/sites/default/files/downloads/rs/rs_2013_richtsnoeren-beveiliging-persoonsgegevens.pdf (only available in Dutch). These guidelines explain how the Dutch data protection authority measures the level of security of personal data and what is a sufficient level of protection in their opinion.
Other standards for data security that controllers could implement are NEN-ISO/IEC 27002:2013 and the security guidelines for web applications (ICT-beveiligingsrichtlijnen voor webapplicaties van het Nationaal Cyber Security Centrum van het Ministerie van Veiligheid en Justitie).
5. What if controllers do not comply with duty to notify?
If a data controller does not, or not fully comply with its duty to notify after a data breach, the Dutch data protection authority (College Bescherming Persoonsgegevens or CBP) can sanction the controller with a fine that could amount up to EUR 450.000,-.
A clear distinction has to be made between the administrative nature of the fine and the civil liability of the controller for damages resulting from the data breach. In case the controller has fully complied with its duty to notify, it could still be liable for the damages resulting from the data breach.
6. What are the practical changes data controllers have to make?
In practice, data controllers often use third parties to process personal data. These data processors and sub-processors need to comply with the same rules and standards of data security as the controller. Therefore, controllers have a legal obligation to enter into processing agreements with processors to make sure they provide an adequate level of security.
When controllers use processors, cooperation from these processors is required to comply with the duty to notify. Controllers can include the following stipulations in the processing agreement to ensure this cooperation:
1. Processor has to inform controller in case of breaches in their security;
2. Processor is liable for the damages (including fines) resulting from breaches in their security;
3. Processor guarantees an adequate level of data security;
4. Controller is allowed to perform audits at processor to confirm its compliance with data protection rules;
5. Processor logs information on the breaches in their security.
Furthermore, controllers and processors have to agree on who decides if notification is necessary, who is responsible for notifying the data protection authority and data subjects and who takes which measures to prevent further harm. This can also be included in the processing agreement.
Data controllers and processors can also include the duty to notify in their business protocols for more efficiency. They can, for example, indicate a responsible party within their organisation for any and all data breaches, usually the data protection officer or somebody from the legal department. This party can handle data breaches in a standardized manner, limiting the risk of a fine.
In this blog we discussed six general questions on data breach notifications. In case you need further advice on the duty to notify or on the protection of personal data, please feel free to contact us at +31 (0)20 3109980 or at firstname.lastname@example.org.
This publication is provided by Merit Advocaten & Adviseurs as a service to clients and colleagues. The information contained in this publication should not be construed as legal advice. Questions regarding the matters discussed in this publication may be directed to any of our lawyers listed on the site or to any other Merit Advocaten & Adviseurs lawyer with whom you have consulted in the past on similar matters. If you have not received this publication directly from us, you may obtain a copy of any past or future related publications from Merit Advocaten & Adviseurs.