The Dutch Minister of Security and Justice introduced a bill on mandatory notifications for a breach of security or loss of integrity of vital ICT systems (the "Breach Notification Bill") for public consultation on 22 July 2013. The Breach Notification Bill signals the importance that the Dutch government attaches to the security of ICT systems which are vital to Dutch society. The Breach Notification Bill is applicable to a wide range of sectors that have vital ICT systems to manage their operations, such as the energy, telecoms, finance and transport sectors. The unique feature of the Breach Notification Bill is that notifications will be handled by the National Cyber Security Center (the "NCSC").
Applicable to national and international providers of vital products and services
The Breach Notification Bill is applicable to any national or international provider of products or services the availability or reliability of which is vital to Dutch society. These providers are to be designated by a general administrative order (Algemene Maatregel van Bestuur). In the explanatory memorandum to the Breach Notification Bill, however, the Minister of Security and Justice highlights sectors and (specific) providers to which the notification duty will most likely apply:
- electricity and gas (e.g. energy network operators)
- potable water (e.g. water companies)
- telecommunications (e.g. telecommunication providers)
- finance (e.g. banks)
- transport (e.g. the Port of Rotterdam, Schiphol Airport and Air Traffic Control the Netherlands).
The security breach notification obligation is triggered if the provider becomes aware of a breach of security or loss of integrity which has impacted or may impact the availability or reliability of its vital products or services. If the security breach notification obligation is triggered, the provider must notify the NCSC promptly (onverwijld). The notification must at least include:
- nature and extent of the breach or loss
- when the breach or loss started
- the potential impact of the breach or loss
- a forecast of the recovery period
- if possible, the measures taken or to be taken by the provider to mitigate the consequences of or to prevent repetition of the breach or loss
- the contact details of the officer based in the Netherlands responsible for the notification.
Additionally, the Breach Notification Bill provides that a provider must, upon request, promptly supply the NCSC with all other information required to:
- assess the risks to the availability or reliability of the product or service in question
- assist the provider in taking measures to safeguard or restore the availability and reliability of the product or service.
NCSC handles notifications
Notifications are made to the Minister of Security and Justice and handled by the NCSC. The NCSC is a public-private collaboration focused on an integrated approach to cyber security. The tasks of the NCSC are twofold:
- assessing the potential impact that a breach or loss could have on the Netherlands and warning potentially affected third parties
- assisting the affected provider and anticipating the possible broad effects of a breach or loss, by warning and advising other providers in the same sector.
The Breach Notification Bill does not yet include a penalty for a failure to notify, notwithstanding the fact that the Minister of Security and Justice formally has the power to impose an order on pain of a penalty based on the General Administrative Law Act (Algemene wet bestuursrecht). In the explanatory memorandum, the Minister states that the role of the NCSC is that of an advisory authority and not that of a supervisory authority. To foster a safety or "just" culture in which notifications are made so that lessons can be learned from them, the Minister considers it important to keep the threshold for making notifications low. Sanctions for non-compliance would not fit within this framework. However, the Minister does state that if the notification duty is insufficiently complied with, a system of monitoring and enforcement might be implemented.
Relation to other breach notification obligations
The Breach Notification Bill creates an additional breach notification obligation for providers of vital ICT systems. It does not replace, and will apply alongside, any other sector-specific or data security breach notification obligation applicable to providers of vital ICT systems, e.g. the telecom and general data security breach notifications. Please see our Legal Alerts "Mandatory data breach notification and penalties for not cooperating with CBP proposed" and "Dutch Senate finally adopts new rules on cookies, net neutrality and data security breach notifications" for more information.