Help, a data leak! When and how to report it?
Since January 1st 2016, the new “Datalek Meldplicht” act, which obliges organizations to report data leaks, has come into effect in the Netherlands. In Belgium, all telecom operators are already subject to this act, and all other organisations will be subject to it as of 2018. This act amends the personal data protection act in two main respects:
- a stricter reporting obligation will come into effect
- the Privacy Commission will be given greater power to impose fines
This legislative amendment is important for all those who process personal data. Web store administrators should pay particular attention to it, as should “ordinary” websites that process personal data.
Although the new act has come into effect quite some time ago, there are still several grey areas: when exactly does it apply and what does it mean for your organisation?
The data leaks reporting obligation act in a nutshell
As previously stated, all Belgian telecom operators are obliged to report personal data leaks. This report must be submitted to the Commission for the protection of privacy, better known as the Privacy Commission. As of 2018, all Belgian companies will be subject to the act.
A data leak occurs when, for instance, a hacker managed to access your database containing personal data. In such a case, you need to contact the Privacy Commission.
In case of severe data loss, you also need to inform the persons concerned, i.e. the people whose data have been disclosed.
From a security breach to the obligation to inform the persons concerned
The act follows a step-by-step model. Every data leak is different and must therefore be handled in a different way.
For each security incident, you need to look into what exactly went wrong and see if personal data actually leaked. Be careful though, as the reporting obligation extends further than you might think. Accidentally sending an e-mail containing personal information to the wrong person is also seen as a data leak. No matter how harmless it may seem, you should, in theory, report such an incident to the Privacy Commission.
48 hours to submit your report
The clock starts ticking as soon as you discover the leak: then, you have 48 hours to report the data leak. Companies can use this 2-day period to optimally assess the extent of damage. This is also a good way to avoid false alerts.
Tip: You should not report every security incident. A data leak occurs only when intruders manage to get hold of personal information.
At what point should you inform the persons concerned about your data leak?
Notifying the commission does not automatically mean that you should inform the persons concerned. You should do so only if the data leak “can have a negative impact on the privacy” of the persons concerned. And when payment card details or a mishap like the one that befell Ashley Madison – the dating site for married people seeking affairs – are concerned, it seems pretty logical.
But when exactly can an incident have “a negative impact”? The definition is vague, to say the least. So, you are partly responsible for determining if that is the case. Fortunately, the Privacy Commission will inform you step by step, and help you determine when you have to inform the persons concerned.
Encryption to the rescue!
You can secure your data by taking technical measures, such as encryption or hashing. If you go for hashing, your data will be “mixed up” by an algorithm. This way, the data cannot be read by humans, but a computer can make them readable again. If you have taken such a precaution, you are not obliged to inform the persons concerned. You must, however, notify the Privacy Commission.
The only drawback is that you also need to check if your encryption survived the leak. If not, you will have to inform the persons concerned all the same.
A possible hefty fine
Unfortunately, and yet quite understandably, fines are imposed when personal data are lost. Be careful though: if you submit a report for your data leak to the Privacy Commission, that does not automatically mean you will get a fine. Usually, you will get an injunction requiring you to strengthen your security.
However, if the breach was intentional or when gross negligence is involved, you may get that fine immediately. And it is quite hefty!
A fine for a data leak can reach up to 10 million euros, or 2% of the global annual turnover of the company concerned (provided it is more than 10 million euros).
The following factors help determine the amount of the fine:
- The nature of the data leak
- The gravity of the situation
- The duration of the leak
- The accidental or intentional nature of the leak
- The measures taken to limit damage
- The existence of earlier data leaks
- The efforts undertaken to find a solution together with the Privacy Commission.
The Privacy Commission’s aim is not to raise money in fines, but to create awareness, especially among those who process personal information. What really matters is to limit every type of damage.
What qualifies as “gross negligence”?
Imagine that you sell personal information to a third party. That clearly qualifies as a breach. But ‘gross negligence’ can also be interpreted more loosely.
- What if you missed the latest Magento software update?
- Or if you do not use an SSL certificate?
- Perhaps you have not installed every patch in time?
The law does not take account of such cases. It only mentions 'common security measures', which is obviously a highly subjective concept. When determining the amount of your fine, the Privacy Commission determines how common your security measures were. If their verdict does not match what you had in mind, you can always challenge it before a court.
How can you avoid data leaks?
- Do not forget about the “common security measures”. Make a list of the measures you find essential, so that you can prove that you did your utmost to process data as securely as possible if a problem occurs.
- Switch from an HTTP to an HTTPS website, like when you use an SSL certificate. Such a certificate encrypts the information sent by customers, and makes it impossible to misuse.
- Make sure you have a secure version of your CMSs. There is no obligation to use the newest version, but you should use the latest security release.
- Keep an eye on your patches (of your Magento software, for instance). If you receive an e-mail from Magento about a security patch, do not disregard it!
Tip for Combell customers: Enable Automatic patching in your My Combell control panel.
- Carefully monitor the activity on your site. This way, chances are that you will detect a potential hacker before he or she gains access to your systems. Make sure you are always one step ahead of them in order to protect your reputation.
- Never edit your site using public computers. Certainly not if you think they use keyloggers or old software.
- Make sure you have an action plan in case something goes wrong. Think of a sort of “data leak crisis team” or a roadmap. Obviously, the extent of the action plan depends on the size of your organisation. However, bear in mind that you only have a small window of time to submit a report. If you are well prepared, you and your team will feel much more confident when a problem occurs.
Two years to prepare yourself the best you can
After reading this article, you will most probably agree with us: having to contact the Privacy Commission is something you want to avoid at all costs. We should, however, stay realistic and admit that security threats are all over the Internet. As a non-telecom operator, you also have two years to fully prepare yourself, so make good use of this time so that you can avoid 100% of data leaks!