The data breach at software vendor Nebu has occupied minds for some time. And rightly so: this is no small matter. The privacy watchdog reported a few days ago that 139 companies have already come forward, and the number of people whose data may have been leaked already runs into the many millions. It has also come to my attention that the SOMI Foundation (which has a mass claim pending against TikTok) is investigating the matter. So claims are on the way.

Recently, the ruling in summary proceedings (1) between market research firm Blauw and its software provider Nebu was published. It cannot have escaped your notice in the media: Blauw had to go to court to compel Nebu to be more open about the hack. The judge's ruling explains my title: Nebu gets a solid 'blue' (a play on the Dutch idiom 'een blauwtje lopen', to be rebuffed). Most salient in this context, as the ruling shows, is that Nebu has not commissioned an independent forensic investigation at all, despite an explicit promise to do so when the hack was first reported to Blauw. I called this "embarrassing" on BNR (2).
The judgment also shows that theft did occur. The ruling literally states: "in an email dated March 27, 2023, Nebu confirmed to Blauw that ransomware was involved and that data had been exfiltrated (read: stolen) by the attackers."
Blauw submitted a laundry list of demands, which boil down to: (i) I want information, and (ii) I want a forensic investigation into the root cause. In the ruling, the judge indicates in so many words that Blauw is indeed asking for quite a lot, but also shows understanding for Blauw's argument that it actually knows nothing at this point: "However, the interim relief judge follows Blauw in its reasoning that it was forced to formulate its claims in this way because it had received limited information from Nebu prior to these summary proceedings."
As a legal basis, Blauw relies on the agreements made with Nebu. The judgment mentions that a processing agreement was concluded between the parties. That is immediately the first interesting point in this case, because concluding a "processing agreement" suggests that Blauw is the controller and Nebu the processor. Blauw itself, and for that matter some colleagues of mine, have claimed in the media that Blauw is a processor. The reasoning goes that Blauw acts on behalf of its customers, some of them among the 139 companies now affected. That would also explain why the AP (the Autoriteit Persoonsgegevens, the Dutch privacy watchdog) has by now received 139 notifications: after all, it is the controller that has to notify the authority, i.e. Blauw's customers, while a processor only has to notify its controller.
But is Blauw really only a processor? The judgment seems to suggest not, because otherwise it should have referred to a "sub-processor agreement". And I doubt it myself. In the media, Blauw behaves like a controller. The most illustrative example: the statement that Blauw simply wants to continue the relationship with Nebu, despite what is potentially the largest data leak in the Netherlands ever. As a mere processor, that would not be Blauw's call at all.
If Blauw qualifies as controller, then Blauw itself should have reported the leak to the Autoriteit Persoonsgegevens, for one thing. And that has many other implications for Blauw's position. What about liability, for example?
The judgment shows that the parties disagree on the interpretation of the processing agreement, and thus on the extent of Nebu's obligations to Blauw. Blauw defends a broad interpretation (hence that laundry list of claims), and Nebu a narrow one. The agreement contains the following clause:
"In the event of an incident, [Nebu] will (...) follow the instructions issued by [Blauw] in respect of this incident. This will enable [Blauw] to carry out a proper investigation into the incident (...). [Nebu] has procedures and protocols in place that enable it to give [Blauw] an immediate response to an incident, and to effectively work with [Blauw] in order to investigate the incident, to respond to it and to deal with it. On [Blauw]'s first request, [Nebu] will provide [Blauw] with copies of such procedures and protocols."
The court sides with Blauw on this. The judge ruled that what matters here is that (i) Nebu, as a result of the cooperation with Blauw, has personal data of 'a substantial part of the Dutch population' at its disposal, and (ii) the consequences may be great. 'This is not compatible with a limited interpretation of the right of instruction,' said the interim relief judge.
The judge largely grants Blauw's claims. And I have to be honest: the judge takes a balanced and nuanced approach, among other things by setting different deadlines and deliberately imposing or not imposing penalty payments. And the orders are far-reaching. For example, Blauw is entitled to know (i) what happened during the cyber-attack, (ii) how and with what methods the system was restored, (iii) which customers' personal data was leaked, and (iv) who the perpetrators of the cyber-attack are. Nebu must also hand over its internal reports. Furthermore, Nebu must provide Blauw with new information about (i) a new cyber-attack at Nebu, (ii) whether or not data belonging to Blauw and its customers was taken in the earlier cyber-attack, and (iii) the identity of the perpetrators of that attack. Finally, on the issue of disclosure, the court orders Nebu to give Blauw a daily written update at 18:00 Dutch time on (i) all developments relevant to Blauw regarding the security incident, and (ii) the forensic investigation into the cause and (possible) consequences of the incident.
The judge also goes along with the requested forensic investigation into the root cause. The judge considers it important that Nebu cannot say whether data of (the customers of) Blauw has been exfiltrated. From this the judge infers that Nebu, over a period of several weeks, apparently failed to find this out for itself. The court then considered: "Under these circumstances, also in view of the large number of personal data at issue in this matter and in light of the initially limited information provided by Nebu to Blauw, the court in preliminary relief proceedings ranks the claim for the appointment of a forensic investigator under Blauw's right of instruction under Article 5.1 of the DPA." The investigator's report, once completed, must also be handed to Blauw.
With this ruling in hand, Blauw has a strong stick to force Nebu to make (more) disclosure. Then it will become clear how Nebu acted, in other words, whether Nebu is to blame. It does look like it. Techzine (3) reported on March 31 that Nebu "has not taken security hygiene very seriously", based among other things on an inspection of Nebu's ISO 27001 certificate (which says something about the certified scope and audit date, not about how the controls were actually operated). By the way, if Techzine is right about this, I dare to predict that Blauw itself will be in a difficult position: a controller may only engage processors that offer sufficient guarantees, and it is expected to check that.
No doubt to be continued. Nebu has already hinted that it will most likely appeal (4).
Together with Polo van der Putt (Vondst advocaten), Menno Weij teaches the course 'IT contract drafting and review: the do's and don'ts'.
1) https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBROT:2023:2931
2) https://www.bnr.nl/gemist?date=06-04-2023&time=16-09-45
3) https://www.techzine.nl/nieuws/privacy-compliance/520777/blauw-zorgt-voor-groot-nederlands-datalek-maar-wie-is-de-schuldige/
4) https://www.vpngids.nl/nieuws/blauw-nebu-mogelijk-in-hoger-beroep-tegen-vonnis/
