File a police report?
If you are the victim of a crime, you can report it to the police. Whether this is advisable and, if so, the timing, depends on the concrete situation. Factors such as liability, insurance and reputation may play a role in making these decisions.
Inform the authorities?
- Currently there is no duty under the Personal Data Protection Act to report data leaks to the Dutch Data Protection Authority. This will probably change in the future. A legislative proposal to this effect has already been published. A reporting obligation has in the meantime also been included in the proposed EU General Data Protection Regulation, which will replace the EU Data Protection Directive 95/46/EC (implemented in Dutch law through the Personal Data Protection Act). Furthermore, a legislative proposal is expected which introduces a statutory notification requirement for certain sectors in which cyber incidents could potentially have a disruptive impact on society.
A legal reporting obligation already exists for telecom providers and financial institutions. The former are required to report to the ACM (Authority for Consumers and Markets) / Ministry of Economic Affairs (depending on the situation) and the latter to the DNB (the Dutch Central Bank) / AFM (Authority for the Financial Markets).
- Also check international obligations.
Inform the data subjects/businesses involved?
- Currently there is no explicit duty under the Personal Data Protection Act to report data leaks to the data subjects involved. This will probably change in the future. A legislative proposal to this effect has already been published. A reporting obligation has in the meantime also been included in the proposed EU General Data Protection Regulation.
It is unclear whether it currently follows from the Personal Data Protection Act that data subjects must be informed. This depends on the circumstances of the case. Telecom providers and financial institutions are already under a reporting obligation in certain cases.
- Has credit card information been leaked? Confer with credit card companies in order to limit damage. The same applies to other businesses in a similar position.
- Has price-sensitive information been leaked? Check whether there is a publication obligation.
- Also check whether there are any contractual obligations (to inform the data subjects, other businesses or any other parties).
- The Personal Data Protection Act requires that adequate technical and organisational security measures be taken (see also the provisions of the Telecommunication Act with regard to providers of public electronic communication networks and services). The Dutch Data Protection Authority has drawn up guidelines, and NEN norms and ISO standards, for example, also exist. Non-compliance with the Personal Data Protection Act can lead to liability (as well as administrative measures of constraint and/or the imposition of an order and, in the future – after the relevant legislation has been amended and/or the proposed EU General Data Protection Regulation has been adopted – also direct fines).
- Possible breach of contract (violation of a confidentiality obligation, failure to take the necessary security measures, etc.)? Check the possibility of invoking force majeure.
- Possible tort liability? Check the attributability (toerekenbaarheid) issue.
- Possible criminal liability? This could arise in cases of involvement from within the organisation itself or where insufficient measures have been taken to prevent violations.
Check your insurance policy/policies.