{"id":6733,"date":"2017-03-28T09:34:13","date_gmt":"2017-03-28T07:34:13","guid":{"rendered":"https:\/\/www.combell.com\/en\/blog\/?p=6733"},"modified":"2022-11-08T11:21:34","modified_gmt":"2022-11-08T10:21:34","slug":"help-a-data-leak-when-and-how-to-report-it","status":"publish","type":"post","link":"https:\/\/www.combell.com\/en\/blog\/help-a-data-leak-when-and-how-to-report-it\/","title":{"rendered":"Help, a data leak! When and how to report it?"},"content":{"rendered":"<p>Since January 1<sup>st<\/sup> 2016, the new \u201cDatalek Meldplicht\u201d act, which obliges organizations to report data leaks, has come into effect in the Netherlands. <strong>In Belgium, all telecom operators are already subject to this act, and all other organisations will be subject to it as of 2018<\/strong>. This act amends <a href=\"https:\/\/www.dataprotectionauthority.be\/citizen\" target=\"_blank\" rel=\"noopener\">the personal data protection act<\/a> in two main respects:<\/p>\n<p><div class=\"su-list\" style=\"margin-left:0px\"><\/p>\n<ul>\n<li><i class=\"sui sui-play\" style=\"color:#1D88C0\"><\/i> a <strong>stricter reporting obligation<\/strong> will come into effect<\/li>\n<li><i class=\"sui sui-play\" style=\"color:#1D88C0\"><\/i> the Privacy Commission will be given greater <strong>power to impose fines<\/strong><\/li>\n<\/ul>\n<p><\/div><\/p>\n<p>This legislative amendment is important for all those who process personal data.\u00a0<strong>Web store administrators <\/strong>should pay particular attention to it, as should \u201cordinary\u201d websites that process personal data.<\/p>\n<p>Although the new act has come into effect quite some time ago, there are still several grey areas: <strong>when<\/strong>\u00a0exactly does it apply and\u00a0<strong>what does it mean for your organisation?<\/strong><\/p>\n<h2><strong>The data leaks reporting obligation act in a nutshell<\/strong><\/h2>\n<p>As previously stated, all Belgian telecom operators are obliged to report personal 
data leaks. This report must be submitted to the <a href=\"https:\/\/www.dataprotectionauthority.be\/citizen\" target=\"_blank\" rel=\"noopener\"><strong>Commission for the protection of privacy, better known as the Privacy Commission<\/strong>.<\/a> As of 2018, all Belgian companies will be subject to the act.<\/p>\n<blockquote><p>A data leak occurs when, for instance, a hacker managed to access your database containing personal data. In such a case, you need to contact the Privacy Commission.<\/p><\/blockquote>\n<p>In case of severe data loss, you also need to inform <strong>the persons concerned<\/strong>, i.e. the people whose data have been disclosed.<\/p>\n<h2><strong>From a security breach to the obligation to inform the persons concerned<\/strong><\/h2>\n<p>The act follows a step-by-step model. Every data leak is different and must therefore be handled in a different way.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-6735 size-large\" src=\"https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/data_leak_meldplicht-1024x654.png\" alt=\"Help, a data leak! When and how to report it?\" width=\"1024\" height=\"654\" srcset=\"https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/data_leak_meldplicht-1024x654.png 1024w, https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/data_leak_meldplicht-300x192.png 300w, https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/data_leak_meldplicht-768x490.png 768w, https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/data_leak_meldplicht.png 1958w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>For each security incident, you need to <strong>look into what exactly went wrong<\/strong>\u00a0and see if personal data actually leaked. Be careful though, as the reporting obligation extends further than you might think. Accidentally sending an e-mail containing personal information to the wrong person is also seen as a data leak. 
No matter how harmless it may seem, you should, in theory, report such an incident to the Privacy Commission.<\/p>\n<h2><strong>48 hours to submit your report<\/strong><\/h2>\n<p>The clock starts ticking as soon as you discover the leak: then, you have 48 hours to report the data leak.\u00a0Companies can use this 2-day period to optimally assess the extent of damage. This is also a good way to avoid false alerts.<\/p>\n<div class=\"bs-callout bs-callout-success\">\n<p><strong>Tip:<\/strong> You should not report every security incident. A data leak occurs only when intruders manage to get hold of personal information.<\/p>\n<\/div>\n<h2><strong>At what point should you inform the persons concerned about your data leak?<\/strong><\/h2>\n<p>Notifying the commission does not automatically mean that you should inform the persons concerned.\u00a0<strong>You should do so only if the data leak \u201ccan have a negative impact on the privacy\u201d of the persons concerned<\/strong>. And when payment card details or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ashley_Madison_data_breach\" target=\"_blank\" rel=\"noopener\">a mishap like the one that befell Ashley Madison<\/a>\u00a0\u2013 the dating site for married people seeking affairs \u2013 are concerned, it seems pretty logical.<\/p>\n<p>But when exactly can an incident have \u201ca negative impact\u201d? The definition is vague, to say the least. So, you are partly responsible for determining if that is the case. 
<strong>Fortunately, the Privacy Commission will inform you step by step<\/strong>, and help you determine when you have to inform the persons concerned.<\/p>\n<h2><strong>Encryption to the rescue!<\/strong><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-6742 alignright\" src=\"https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Data-leak_Secure-your-data-with-encryption-or-hashing.png\" alt=\"Data leak_Secure your data with encryption or hashing\" width=\"300\" height=\"225\" \/><\/p>\n<p>You can secure your data by taking technical measures, such as <strong>encryption<\/strong> or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hash_function\" target=\"_blank\" rel=\"noopener\"><strong>hashing<\/strong><\/a>. With encryption, your data are \u201cmixed up\u201d by an algorithm so that they cannot be read by humans, but a computer holding the key can make them readable again. With hashing, the transformation is one-way: the original data cannot be recovered from the stored value at all. If you have taken such a precaution, you are not obliged to inform the persons concerned. You must, however, notify the Privacy Commission.<\/p>\n<div class=\"bs-callout bs-callout-danger\">\n<p>The only drawback is that you also need to <strong>check if your encryption survived the leak<\/strong>, i.e. that the protected data were not exposed in readable form. If not, you will have to <strong>inform the persons concerned<\/strong> all the same.<\/p>\n<\/div>\n<h2><strong>A possible hefty fine<\/strong><\/h2>\n<p>Unfortunately, and yet quite understandably, <strong>fines<\/strong> are imposed when personal data are lost. Be careful though: if you submit a report for your data leak to the Privacy Commission, that does not automatically mean you will get a fine. Usually, you will get an injunction requiring you to strengthen your security.<\/p>\n<p>However, if the breach was <strong>intentional<\/strong> or when <strong>gross negligence<\/strong> is involved, you may get that fine immediately. 
And it is quite hefty!<\/p>\n<p>A fine for a data leak can reach up to 10 million euros, or 2% of the global annual turnover of the company concerned (provided it is more than 10 million euros).<\/p>\n<h3><strong>The following factors help determine the amount of the fine:<\/strong><\/h3>\n<p><div class=\"su-list\" style=\"margin-left:0px\"><\/p>\n<ul>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The nature of the data leak<\/li>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The gravity of the situation<\/li>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The duration of the leak<\/li>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The accidental or intentional nature of the leak<\/li>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The measures taken to limit damage<\/li>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The existence of earlier data leaks<\/li>\n<li><i class=\"sui sui-angle-double-right\" style=\"color:#1D88C0\"><\/i> The efforts undertaken to find a solution together with the Privacy Commission.<\/li>\n<\/ul>\n<p><\/div><\/p>\n<p>The Privacy Commission\u2019s aim\u00a0is not to raise money in fines, but to create awareness, especially among those who process personal information. What really matters is to limit every type of damage.<\/p>\n<h2><strong>What qualifies as \u201cgross negligence\u201d?<\/strong><\/h2>\n<p>Imagine that you sell personal information to a third party. That clearly qualifies as a breach. 
But \u2018gross negligence\u2019 can also be interpreted more loosely.<\/p>\n<p><div class=\"su-list\" style=\"margin-left:0px\"><\/p>\n<ul>\n<li><i class=\"sui sui-question\" style=\"color:#b12c14\"><\/i> What if you missed the latest Magento software update?<\/li>\n<li><i class=\"sui sui-question\" style=\"color:#b12c14\"><\/i> Or if you do not use an SSL certificate?<\/li>\n<li><i class=\"sui sui-question\" style=\"color:#b12c14\"><\/i> Perhaps you have not installed every patch in time?<\/li>\n<\/ul>\n<p><\/div><\/p>\n<p>The law does not take account of such cases.\u00a0It only mentions <strong>'common security measures'<\/strong>, which is obviously a highly subjective concept. When determining the amount of your fine, the Privacy Commission determines how common your security measures were. If their verdict does not match what you had in mind, you can always challenge it before a court.<\/p>\n<p><a href=\"https:\/\/www.combell.com\/en\/blog\/combells-automatic-patching-protects-your-website-at-all-times\/\" target=\"_blank\" rel=\"noopener\">You can also read: Combell\u2019s Automatic Patching protects your website at all times<\/a><\/p>\n<h2><strong>How can you avoid data leaks?<\/strong><\/h2>\n<p><div class=\"su-list\" style=\"margin-left:0px\"><\/p>\n<ul>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> Do not forget about the <strong>\u201ccommon security measures<\/strong>\u201d. Make a list of the measures you find essential, so that you can prove that you did your utmost to process data as securely as possible if a problem occurs.<\/li>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> Switch from an HTTP to an <strong>HTTPS<\/strong> website, like when you use an <strong>SSL certificate<\/strong>. 
The HTTPS connection it enables encrypts the information your customers send, so that it cannot be read or tampered with in transit.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.combell.com\/en\/blog\/what-is-lets-encrypt-free-ssl\/\" target=\"_blank\" rel=\"noopener\">You can also read:\u00a0Free Let\u2019s Encrypt SSL-certificate for Combell clients<\/a><\/p>\n<ul>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> Make sure you have a <strong>secure version of your CMS<\/strong>. There is no obligation to use the newest version, but you should use the latest security release.<\/li>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> Keep an eye on your <strong>patches<\/strong> (of your Magento software, for instance). If you receive an e-mail from Magento about a security patch, do not disregard it!<\/li>\n<\/ul>\n<div class=\"bs-callout bs-callout-default\">\n<p><strong>Tip for Combell customers:<\/strong> Enable Automatic patching in your My Combell control panel.<\/p>\n<\/div>\n<ul>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> <strong>Carefully monitor the activity on your site.<\/strong> This way, chances are that you will detect a potential hacker before he or she gains access to your systems.\u00a0Make sure you are always one step ahead of them in order to protect your reputation.<\/li>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> <strong>Never edit your site using public computers.<\/strong> Certainly not if you suspect they run keyloggers or outdated software.<\/li>\n<li><i class=\"sui sui-check\" style=\"color:#1dc05b\"><\/i> Make sure you have <strong>an action plan<\/strong> in case something goes wrong. Think of a sort of \u201cdata leak crisis team\u201d or a roadmap. Obviously, the extent of the action plan depends on the size of your organisation. However, bear in mind that you only have a small window of time to submit a report. 
If you are well prepared, you and your team will feel much more confident when a problem occurs.<\/li>\n<\/ul>\n<p><\/div><\/p>\n<h2><strong>Two years to prepare yourself the best you can<\/strong><\/h2>\n<p>After reading this article, you will most probably agree with us: having to contact the Privacy Commission is something you want to avoid at all costs. We should, however, stay realistic and admit that security threats are all over the Internet. As a non-telecom operator, you also have two years to fully prepare yourself, so <strong>make good use of this time so that you can avoid 100% of data leaks!<\/strong><\/p>\n<p><a href=\"https:\/\/www.combell.com\/en\/blog\/what-is-lets-encrypt-free-ssl\/\" target=\"_blank\" rel=\"noopener\">You can also read:\u00a0Should you go for a free Let\u2019s Encrypt certificate or a premium SSL certificate? <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since January 1st 2016, the new \u201cDatalek Meldplicht\u201d act, which obliges organizations to report data leaks, has come into effect in the Netherlands. 
In Belgium, all telecom operators are already...<\/p>\n","protected":false},"author":1,"featured_media":6737,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[62],"tags":[353,40,42,194],"acf":[],"uagb_featured_image_src":{"full":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"thumbnail":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it-50x50.png",50,50,true],"medium":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it-300x102.png",300,102,true],"medium_large":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"large":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"1536x1536":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"2048x2048":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"post-featured":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"post-featured-opt":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"post-featured-opt-md":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it.png",750,256,false],"post-featured-opt-sm":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it-485x165.png",485,165,true],"post-featured-opt-xs":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it-375x128.png",375,128,true],"post-most-popular":["https:\/\/
www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it-50x50.png",50,50,true],"post-author":["https:\/\/www.combell.com\/en\/blog\/files\/2017\/03\/Help-a-data-leak-When-and-how-to-report-it-60x60.png",60,60,true]},"uagb_author_info":{"display_name":"Combell","author_link":"https:\/\/www.combell.com\/en\/blog\/author\/blogadmin\/"},"uagb_comment_info":0,"uagb_excerpt":"Since January 1st 2016, the new \u201cDatalek Meldplicht\u201d act, which obliges organizations to report data leaks, has come into effect in the Netherlands. In Belgium, all telecom operators are already...","_links":{"self":[{"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/posts\/6733"}],"collection":[{"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/comments?post=6733"}],"version-history":[{"count":4,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/posts\/6733\/revisions"}],"predecessor-version":[{"id":10207,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/posts\/6733\/revisions\/10207"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/media\/6737"}],"wp:attachment":[{"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/media?parent=6733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/categories?post=6733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.combell.com\/en\/blog\/wp-json\/wp\/v2\/tags?post=6733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}