The impact of the personal data security breach notification law


ICTRecht

On 1 January 2016 legislation will enter into force in The Netherlands requiring organisations to report personal data security breaches. Any loss, theft or unauthorised access to personal data constitutes a security breach, which must be reported if the impact is severe. And that's not all. Culpably allowing personal data to leak, neglecting the obligation to notify a breach, or processing personal data unlawfully may result in penalties of up to €810,000 or 10% of annual turnover per violation. What does this mean for your organisation?

1. What is a personal data security breach?

According to the law, a personal data security breach has occurred when personal data were lost or processed unlawfully. Unlawful processing includes unauthorised access to or modification of such data. The definition of a breach is therefore broader than you might intuitively think, and it is certainly not limited to events involving hacking. Leaving a USB flash drive containing personal data behind on the train, or sending emails with the addresses displayed in the CC field instead of the BCC field, also qualifies as a personal data security breach. Even a data centre fire causing a loss of personal data qualifies as a breach if no backup is available.

Breaches involving the loss or theft of data other than personal data are not relevant to this law, because they are not personal data breaches. So if someone steals the source code for your new software or copies a list of company names from your customer relationship management system, it falls outside the scope of this law. Be aware, however, that you may be contractually obliged to report such breaches.

As a professional organisation, it is up to you to take proper security measures to prevent breaches from occurring, for instance by using reliable encryption techniques, backup policies and audit trails.

2. When are you required to report a breach to the supervisory authority?

Not all personal data security breaches need to be reported. The law requires notification of a breach only if its impact is severe. A breach is deemed severe if it involves a large amount of data (quantitative severity), but also if it concerns particularly sensitive data (qualitative severity). Some examples from the second category are:

- login details;
- financial data;
- copies of identity documents;
- school or work results or performance assessments;
- data relating to personal beliefs;
- data relating to health.

Severe breaches must be reported to the supervisory authority within two business days.

ICTRecht B.V., Sarphatistraat 610-612, 1018 AV Amsterdam. T +31 (0)20 663 1941, I ictrecht.nl, E info@ictrecht.nl

3. When are you required to report a breach to those affected?

If the breach is likely to have adverse consequences for the private lives of the individuals whose data were lost or processed unlawfully, you are required to report the incident not only to the supervisory authority but also to those individuals, within two business days. In most cases these people are customers or employees. Adverse consequences can include:

- identity fraud;
- discrimination;
- reputational damage.

In cases of quantitative severity (see question 2), it will likely be required to notify all potentially affected data subjects, because in most cases it will not be clear beforehand which of them will actually suffer adverse consequences from the breach.

4. When is reporting a breach not required?

Quantitatively and qualitatively severe breaches (as described in question 2) must always be reported to the supervisory authority. It makes no difference whether the leak arose from an error or from circumstances beyond your control (force majeure). However, breaches do not need to be reported to those affected if the leaked personal data are unreadable, for example because the personal data are encrypted or because they can be deleted remotely from a stolen laptop. Of course, in such cases you must be certain that no one has been able to access the data; the burden of proof is on you. It is up to you to ascertain whether you are required to report a breach to the supervisory authority and/or the persons affected. If you misjudge the situation and do not report a breach when you should, you can be penalised for that, too.

5. What is the procedure for reporting a breach?

The supervisory authority has a standard form for reporting breaches. If a breach has occurred, you must fill in this form and submit it to the personal data protection authority. The completed form is then saved in the authority's register, which is not public. If a penalty is imposed in connection with the breach, that decision will be public. Naturally, a breach also becomes public the moment the persons affected are notified.

6. What information about breaches are you required to keep?

When you report a personal data security breach to the supervisory authority, you must keep an overview containing all the facts and details of the leakage in your own records. Among the details to be recorded are the cause of the breach, the type of data that were compromised, when the breach was discovered and how it was closed. If you also notified the persons affected, it is vital to save all the relevant communications. You are required to retain all of this information for at least one year. Contractual arrangements for this should be made in the data processing agreement between the controller and the processor (see question 8).

7. What impact will the law have?

From 1 January 2016, failure to comply with the law can result in an administrative penalty. Situations in which a penalty can be imposed include:

- failure to report a breach when required;
- failure to have proper security measures in place;
- processing personal data without permission or another legally valid basis;
- exporting personal data to countries outside the EU without making the proper arrangements.

Penalties can be as much as €810,000 or 10% of annual turnover. In most cases a warning will be issued first, but the supervisory authority may decide to impose a penalty immediately in the event of an intentional act or gross negligence.

8. Are data processors required to report breaches?

Many organisations outsource the processing of some personal data to third parties. For example, your organisation may use a customer relationship management system offered as an online service by your vendor, or a professional e-mailing system hosted by a third party. Or a third-party developer may perform maintenance on software you use on your own premises for processing client data, with access to the actual databases to allow effective troubleshooting. The law refers to such third parties as data processors. Data processors are not required to report data leakages to the supervisory authority themselves. However, they are required to ensure that their customers (the controllers of the personal data) can make such a report in a timely manner. For this reason, it is crucial to draw up provisions setting out how a data processor will notify its controller in the event of a data leakage. These provisions can be included in a separate data processing agreement, which is usually attached to the main service agreement. Please note, however, that if you are a data processor and data in your own customer records were also leaked, you yourself are also required to report that leakage: after all, these data fall under your own responsibility.

9. What can you do to prepare for the obligation to report breaches?

If you wish to be fully prepared for the new obligation to report personal data security breaches, here are some steps you can take:

- draw up a list of everyone who processes your data and check whether you have data processing agreements with all of these parties;
- update your data processing agreements to contain a provision on personal data security breaches;
- conclude a Non-Disclosure Agreement (NDA) covering non-personal yet sensitive data with all parties you work with;
- check what system the companies that process personal data for you use to store personal data. Is it secure? Naturally, you should check this at your own organisation too;
- if organisations claim they are certified (e.g. ISO 27001), ask them about the scope of this certification;
- ask your insurance company or broker whether you are covered for personal data security breaches (cyber risk insurance);
- ensure you have internal procedures in place for handling and reporting breaches.

10. Procedure governing the obligation to report personal data security breaches

If you discover a data leakage and want a quick overview of the reporting procedure, see the decision tree below.

11. Questions?

If you are having difficulty determining whether you are required to report a breach, have questions about how to arrange agreements with third parties, or would like help drawing up an internal procedure for reporting breaches, please feel free to contact us on +31 20 66 31 941 or at info@ictrecht.nl and ask for one of our privacy and security specialists.

Decision tree: reporting personal data security breaches

1. Do the leaked data qualify as personal data? For example, names, customer numbers, customer profiles, addresses and email addresses.
2. Does the breach involve your own customer details? For example, data stored by a hosting service or a cloud service provider ("data processors") normally belong to their customers and are not their own data. If not: you must report the leakage to your customers.
3. Have personal data been lost or processed unlawfully ("leaked")? For example, a lost laptop, a hack, a fire in a data centre or a former employee who still has access to personal data. If in doubt, contact us.
4. Has a large amount of personal data (quantitative) or sensitive personal data (qualitative) been leaked? For example, the personal data of more than one thousand people, or data such as bank account numbers, login details or health-related data. If in doubt, contact us.
5. You are required to inform the supervisory authority of the data leakage by no later than the second business day after discovering the breach.
6. Is the data leakage likely to have adverse consequences for the private lives of individuals? For example, if sensitive personal data have been leaked or if there is a danger of identity fraud. If in doubt, contact us. If not: you are only required to report the leakage to the supervisory authority.
7. Have the leaked personal data been protected in a manner that makes them unreadable or unusable? For example, by means of strong encryption. If in doubt, contact us. If not: you are required to inform both the supervisory authority and the persons affected by the data leakage.
8. Has the decryption key also been leaked?
9. If so: you are required to inform both the supervisory authority and the persons affected by the data leakage. If not: you are only required to report the leakage to the supervisory authority.
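The decision tree above, encoded as an added example (not part of ICTRecht's brochure) so that an incident handler can record the answers, get the notification outcome, and compute the two-business-day deadline from question 2. The Incident fields, the Notify outcomes and the Monday-to-Friday business-day rule are assumptions of this example; Dutch public holidays are not handled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Notify(Enum):
    """Who has to be notified, following the decision tree above (assumed labels)."""
    NOBODY = "no notification obligation under this law"
    CUSTOMERS = "report the leakage to your customers (the controllers)"
    AUTHORITY = "report only to the supervisory authority"
    AUTHORITY_AND_PERSONS = "report to the supervisory authority and the persons affected"


@dataclass
class Incident:
    """Answers to the decision tree questions, constructed per incident."""
    personal_data: bool          # Q1: names, customer numbers, addresses ...
    own_data: bool               # Q2: False if you only process it for customers
    leaked: bool                 # Q3: lost, stolen or processed unlawfully
    severe: bool                 # Q4: large amount (quantitative) or sensitive (qualitative)
    adverse_consequences: bool   # Q6: identity fraud, discrimination, reputational damage
    unreadable: bool             # Q7: e.g. strong encryption or remote wipe
    key_leaked: bool = False     # Q8: decryption key compromised as well


def triage(inc: Incident) -> Notify:
    """Walk the decision tree in the order of the questions and return who must be told."""
    if not inc.personal_data:
        return Notify.NOBODY             # Q1: outside the scope of the law
    if not inc.own_data:
        return Notify.CUSTOMERS          # Q2: processor must notify its controllers
    if not inc.leaked or not inc.severe:
        return Notify.NOBODY             # Q3/Q4: no breach, or not severe enough
    if not inc.adverse_consequences:
        return Notify.AUTHORITY          # Q5/Q6: authority always, persons only if adverse
    # Q7/Q8: unreadable data relieves only the duty towards the persons affected,
    # and only as long as the decryption key has not leaked too
    if inc.unreadable and not inc.key_leaked:
        return Notify.AUTHORITY
    return Notify.AUTHORITY_AND_PERSONS


def notification_deadline(discovered) -> date:
    """Second business day after discovery (assumption: Mon-Fri, no public holidays)."""
    day = date.fromisoformat(discovered) if isinstance(discovered, str) else discovered
    remaining = 2
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:            # Monday=0 ... Friday=4
            remaining -= 1
    return day


if __name__ == "__main__":
    lost_laptop = Incident(True, True, True, True, True, unreadable=True)
    print(triage(lost_laptop).value, notification_deadline("2016-01-08"))
```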