3 February 2016
Anyone who discovers a potential data breach will have to carry out an investigation quickly and may also have to notify the authorities and affected individuals.
Employees of the ICT Service Desk are on the alert for potential data breaches, such as: loss of a USB flash drive, theft of a laptop or an intrusion by a hacker and shall report security breaches via email to email@example.com. In urgent cases, call the CERT-UT employee on duty.
CERT-UT registers every report in the AIRT (Application for Computer Security Incident Response) system. This is a workflow application used by CERT-UT to keep a record of security breaches and incidents. CERT-UT then contacts the notifier for additional information about the report.
The CERT-UT employee on duty carries out a first analysis. In case of personal data, the incident is reported to the Security Manager (LISA), Data Protection Officer (FG) and Privacy Contact Person (PCP) of the unit. The security incident is assigned a type, making it identifiable as a privacy incident. CERT-UT takes care of handling the security incident, for which evidence or information for processing the data breach is stored in a safe environment. The Security Manager takes care of handling the privacy incident.
Together with the FG and the PCP, the Security Manager (LISA) assesses as to whether the incident must be reported to the Authority for Personal Data, and possibly also to the party concerned. If it is concluded that the incident must be reported to the Authority for Personal Data (AP), then the Security Manager shall first contact the secretary of the university prior to filing the report.
Reports to the AP are submitted by the Security Manager (LISA), at which time the status in AIRT is updated. If notifying the parties concerned is necessary, this shall be done by the PCP.
For a detailed description of the assessment as to whether a report should be filed, see the Policy of the Authority for Personal Data. The diagram below shows a summary of these assessments.
Security breach => Has a security incident occurred? =>Security incident => Were personal data lost during the security incident or can unlawful processing of the personal data not be reasonably excluded? => Data breach => Does it concern personal data of a sensitive nature or is there a significant risk of serious adverse consequences for the protection of the processed personal data due to other reasons? =>Report to Authority for Personal Data => Were not all breached data (properly) encrypted or it is likely that the data breach will have adverse consequences for the privacy of the party concerned? => Report to the party concerned.
It only constitutes a data breach if a security incident has actually occurred. An example of a security incident is the loss of a USB flash drive, theft of a laptop or an intrusion by a hacker.
Not every security incident constitutes a data breach, however. It constitutes a data breach if personal data were lost during the security incident or if unlawful processing of the personal data cannot reasonably be excluded.
If there is only a weakness in security, this is referred to as a security breach and not a data breach. In such cases, there is no duty to report to the Authority for Personal Data.
Not every data breach is to be reported to the Authority for Personal Data. According to the law, a report should be filed with the Authority for Personal Data if the data breach results in a significant risk of serious prejudicial consequences for the protection of personal data.
The Data Protection Act applies a broad definition of personal data. Any data that is traceable to a natural person is considered personal data. This includes names, addresses, licence plates, telephone numbers, IP numbers, e-mail addresses, biometric identifiers, a combination of specific preferences.
A key factor in this respect is the nature of the breached personal data. If personal data of a sensitive nature have been breached, reporting is generally required. Personal data of a sensitive nature include:
- Special personal data within the meaning of Article 16, Personal Data Act
This concerns personal data relating to a person's religion or beliefs, race, political affinities, health, sexual preferences, trade union membership, and criminal data and personal data relating to unlawful or objectionable conduct in connection with a ban imposed following such conduct.
- Information on the financial and economic situation of the party concerned.
This includes information on (problem) debts, payroll and payment information.
- (Other) information that may result in stigmatisation or exclusion of the party concerned. This includes information on gambling addiction, performance at school or employment or relationship problems.
- User names, passwords and other login details
Possible consequences for the parties involved depend on the processing operations and on the personal data the login details give access to. The assessment should consider the fact that many people reuse passwords for different processing operations.
- Data that may be misused for (identity) fraud
This concerns, for example, biometrics, copies of identity documents and the Citizen Service Number (BSN).
Other factors such as the extent of breached personal data per person or the number of parties whose personal data have been breached, may be a cause for reporting the data breach. Note, however: if the nature of the breached data gives cause to do so, it may even be possible that a data breach involving the personal data of only one person will have to be reported.
Such report must be filed without undue delay and where possible within 72 hours after discovery of the data breach. A web form for this purpose is available on the website of the Authority for Personal Data. The report may be supplemented or withdrawn at a later stage by using this web form.
If a data breach must be reported to the Authority for Personal Data, this does not automatically mean that the party concerned must also be notified of this data breach. According to the guidelines provided in the law, the data breach should be reported to the party concerned if the data breach is likely to prejudicially affect their personal privacy.
The law stipulates that notification to the party concerned must occur without delay, allowing the party concerned, following notification, to implement measures to protect themselves against the consequences of the data breach. The sooner the party concerned is informed, the sooner it can take action.
If appropriate technical protection measures (such as encryption and hashing) have been taken, as a result of which the personal data are incomprehensible or inaccessible to unauthorised parties, such notification to the party involved may be omitted.
Once the Authority for Personal Data and the parties concerned have been notified, the duty to inform has been complied with and the Security Manager will close the privacy incident.
If necessary, CERT-UT will further investigate the causes and tighten security. Once this process has been completed, CERT-UT will close the security incident.
Security Managers shall keep a record of all reported data breaches and their current status.
Reporting on data breaches will be included in the quarterly report on security that is prepared monthly by the Security Manager of LISA.