On July 16, 2020, TU Delft and Utrecht University were informed that a security incident had occurred at their U.S. CRM vendor between February 7 and May 20. This resulted in a leak of personal data of their alumni. Both universities notified the Autoriteit Persoonsgegevens (AP) within 72 hours and then immediately informed those affected.

This case is interesting from several perspectives: for example, are universities still allowed to use U.S. processors, and is the security at Blackbaud, as a data company, adequate?
The university is the data controller and has engaged a third party, Blackbaud, to process the personal data; Blackbaud is the processor in this case. The General Data Protection Regulation (AVG) requires that in such a situation a processor agreement be drawn up, in which the universities explicitly stipulate which data may be processed, the retention periods to be applied and the security measures to be taken. The various articles about this incident nowhere mention a processor agreement. Of course, a processor agreement could not have prevented the hack, but in the event of actual damage such an agreement does make clear who was at fault and who should pay for the damage.
It appears that the privacy risks resulting from the hack are limited, but that is not yet certain. On the one hand, there is a risk that the hackers gained control of more data; on the other hand, data subjects were informed relatively late that their data had been leaked. Blackbaud did not specifically inform the universities until 7 weeks after discovery, and as a result the universities were also late in informing data subjects. Here, too, the importance of a proper processing agreement comes to the fore, because, if properly drafted, it also sets the deadline for notification.
Universities are considering steps against Blackbaud; the extent to which this may be successful will largely be determined by the content of an underlying (processor) agreement.
As the Dutch regulator, the AP cannot independently launch an investigation at Blackbaud, but it could investigate the universities by requesting, among other things, the register of processing activities and the processing agreement with Blackbaud. TU Delft and Utrecht University must be able to demonstrate that they did not make a mistake in this case.
Summary: the AVG is designed to better protect the personal data of individuals. Being able to demonstrate compliance with legal obligations (including data minimization and contracts) further reduces the risks for the universities and the alumni involved. Even then, Blackbaud can still be hacked, but at least as a university you did what you could.
This is a great wake-up call to also verify within your own organization that the proper processing agreements are in place.
