In January 2020, I saw an article on the NOS site stating that "possible" data breaches had been reported by 29 organizations to the Autoriteit Persoonsgegevens (the AP). This had to do with security problems in the Citrix digital work environment.(1)

Author: Kelvin Moenis
Besides being obviously very annoying, another thing struck me about this headline: the word "possible". After all, this word implies that the organizations themselves did not know (for sure) whether there had been a data breach and made a report just to be safe. Incidentally, this also seems to follow from the AP's recently published report on data breaches reported in 2019.(2) Now, of course, a 'better safe than sorry' policy is better than never reporting at all. However, a relevant question is: do organizations and their employees actually know what a data breach is and when it has to be reported? After asking around a bit 'on some government work floors', I found that there are a lot of question marks around the term 'data breach' and around when a breach must be reported. So with this post, I hope to dispel most of those question marks and inform you about when a data breach needs to be reported.
Incidentally, the General Data Protection Regulation (AVG) does not use the term "data breach" but speaks of a "personal data breach", defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".(3) In other words, a "personal data breach", or the term "data leak", can be interpreted quite broadly. It covers a hacker attack in which personal data has been captured just as much as the accidental sending of a sensitive letter to an incorrect address.
But should every data leak, even one as mundane as sending a letter to an incorrect address, then always be reported to the AP?(4) It is striking that this question is answered in the 'General Data Protection Regulation Manual' (hereafter: the Manual) with 'yes, unless'(5) and by the AP with 'no, unless'.(6) Both answers do come to the same conclusion: if the data leak poses a risk to the rights and freedoms of the data subject(s), it must be reported to the AP. If the data breach poses a high risk, the data subject must also be informed. However, by answering the question with "no, unless", the AP may create a different mindset in the data controller than the Manual does.(7) Perhaps the AP chose to deviate from the terminology of the Manual in order to reduce the number of data breach notifications it receives; for the year 2019 alone, the AP received over 25,000 data breach notifications.(8) Incidentally, I personally think that a somewhat more cautious attitude on the part of the data controller is not necessarily a bad idea. Bart Custers (professor at Leiden University), for example, argues in an article in the newspaper Trouw that it is precisely the large number of reports that causes the reporting obligation to miss its target.(9)
Whether the data breach poses a risk or even a high risk to the data subject must be assessed objectively by the data controller. There is a (high) risk, for example, if there is a chance that, as a result of the data breach, the data subject will become a victim of discrimination, identity fraud, financial loss, reputational damage, etc. How high the risk is and whether it materializes depends on the nature of the 'leaked' data and must therefore be assessed according to the circumstances of the case. Even if you have determined that there is a (high) risk, you do not have to report the data leak to the AP (and the data subject) in every case. You do not need to report in the following cases:(10)
1. You have taken sufficient measures in advance. Of course you are now wondering when you, as a data controller, have taken sufficient measures in advance. You have taken sufficient measures if the leaked personal data is unintelligible to, or cannot be viewed by, the unauthorized persons. This is the case, for example, if your laptop is stolen but you have properly encrypted the laptop, or specifically the personal data on it. It is important that the encryption key (for example, your password) was not compromised in the data breach, that the data is still intact (for example, because you have a backup of it) and that, thanks to the measures taken, you have retained full control.(11)
2. The incorrect recipient is reliable. "Reliable" means that you can be reasonably sure that the incorrect recipient means no harm: that he does nothing further with the accidentally received data and that he will follow your instructions, if any, for example to return or destroy the personal data.(12) Reliable recipients include, for example, parties bound by professional secrecy, such as doctors and lawyers. In addition, parties with whom you have a long-standing business relationship fall under "reliable recipients". In short, parties you know and know you can trust.
Should the above assessment show that the data breach does not need to be reported, you must still record the breach in your own data breach register.
Hopefully, this explanation has removed some of the questions regarding the reporting of data breaches. Should you, in a specific case, still doubt whether there is a data breach and, if so, whether there is a (high) risk to the data subject, you can of course always apply the 'better safe than sorry' policy.
(1) https://nos.nl/artikel/2319705-29-mogelijke-datalekken-gemeld-na-problemen-met-citrix.html.
(2) https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/jaarcijfers_meldplicht_datalekken_2019.pdf.
(3) Article 4, point 12, AVG.
(4) In which personal data are processed.
(5) General Data Protection Regulation Handbook, par. 5.9.2, p. 64.
(6) https://autoriteitpersoonsgegevens.nl/en/topics/security/duty-to-report-data-leaks#should-I-report-all-data-leaks-to-the-authority-personal-data-5093.
(7) The controller is the natural or legal person who determines the purpose and means of the processing operations.
(8) Duty to report data leaks: facts & figures. Overview of facts and figures 2019, p. 3 (https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/jaarcijfers_meldplicht_datalekken_2019.pdf).
(9) https://www.trouw.nl/opinie/drie-redenen-waarom-meldplicht-datalekken-niet-werkt~b620117b/?utm_campaign=shared_earned&utm_medium=social&utm_source=copylink.
(10) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/beveiliging/meldplicht-datalekken#wanneer-hoef-ik-een-datalek-n%C3%ADet-te-melden-aan-de-ap-en-de-betrokken-personen-7333.
(11) Assuming a strong password was used and not a password like 'welcome01'.
(12) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/beveiliging/meldplicht-datalekken#ik-heb-persoonsgegevens-gelekt-aan-een-betrouwbare-partij-moet-ik-dit-melden-aan-de-ap-en-de-betrokken-personen-7352.
