PONT Data&Privacy
What we learn from the data breach at Bevolkingsonderzoek Nederland

It was announced today that there has been a major data breach at (among others) Bevolkingsonderzoek Nederland, the organization in the Netherlands responsible for carrying out population screening for breast cancer, cervical cancer and colorectal cancer. These screenings involve processing an enormous amount of personal data, including special categories of personal data (such as test results) and other sensitive data (such as the BSN, the Dutch citizen service number). It has now emerged that data on about 485,000 Dutch women was stolen via a supplier: address data, medical data (such as results) and citizen service numbers. The leak occurred at the laboratory that analyzes smears and self-tests. According to news reports, the stolen data is now being offered on the dark web. In response to those reports, we want to briefly reflect on a few things that stand out.

Aug. 19, 2025

This is of course a terrible event, above all for the victims, and it is not yet easy to assess the concrete consequences. At the moment, it is still largely unclear exactly what happened. Z-CERT, the computer emergency response team for the Dutch healthcare sector that is called in for major cyber incidents of this kind, issued a statement in which its director said the following:

"For a full picture of the impact, transparency from suppliers is important. Without additional information from a supplier, we cannot deepen our investigation, determine which institutions are at risk and inform them in a timely manner. And just as importantly, potential victims do not know they are involved in a data breach."

This quote touches on two issues that we as privacy lawyers often face: transparency from suppliers and the duty to inform victims. We begin with the last point.

Duty to inform

In data breaches like this one, the victim must be the focus. A data breach can have all sorts of unpleasant consequences, and in this case many of them are realistic. Victims may face phishing and identity fraud, since a citizen service number combined with a name and address is exactly the kind of material such fraud relies on. Medical data may also end up on the street, with consequences in the professional sphere (it becomes known that someone has a certain form of cancer and that person is therefore not hired) as well as in the personal sphere. For this reason, the GDPR (AVG in Dutch) requires that victims be informed of a data breach that is likely to result in a high risk to them, as is plainly the case with a breach of this scale and sensitivity.

Some urgency is required here. The GDPR states that victims must be informed of the breach "without undue delay." What that means in practice differs per data breach. When passwords are leaked, for example, victims must be told very quickly so that they can change their password(s); when medical data and citizen service numbers are leaked, victims need to know quickly so that they can be alert to phishing and fraud attempts that make use of exactly those data.

Because of the potentially large and unpleasant consequences, it is just as important that organizations where a data breach has occurred inform victims carefully, comprehensively and in an accessible manner. Unfortunately, it is all too common for organizations to try to get off lightly by providing little information, hoping that the matter will blow over. That is the wrong line of thinking. (Partly) for this reason, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) recently published guidelines on what a notice to victims should contain, with 8 recommendations for a good notification. You can find them here: How to inform victims about a data breach | Authority for Personal Data

Speed and diligence often do not go hand in hand. The AP therefore indicates that a preliminary notice can be sent first, followed by a fuller notice once the comprehensive investigation is done.

The coverage of this breach also shows how speed and diligence can be at odds. The cyber attack on the laboratory took place between July 3 and July 6; victims can expect a letter with information in the coming days. That is well over a month, which sounds like a very long time, perhaps too long given that victims must in principle be informed without undue delay. The delay can have all sorts of causes, one of which appears to be an uncooperative supplier (at least, that is what the Z-CERT quote suggests). This is quite problematic: in order to fulfill the information obligation (and other obligations), the organization needs to obtain all the relevant information quickly.

Agreements with your supplier

In many cases, however, organizations encounter a supplier that is unreachable or uncooperative. This not only frustrates the organization's own investigation into the breach, but also makes the potential impact on victims much greater than necessary. That is why it is important to make very concrete and enforceable agreements about this in the processor agreement with your supplier. The GDPR itself only requires a processor to notify the controller of a breach "without undue delay" (Article 33(2)); it is the processor agreement that has to turn that into a concrete deadline and a list of the information the supplier must hand over.

However, the processor agreement often does not get the attention it deserves. It is usually an annex to a main agreement, and it is not looked at until the main agreement has already been settled. Or organizations simply do not consider the processor agreement important enough. As a result, the review remains superficial and processor agreements are left in basic and vague terms. Then, when you suddenly need to invoke those vague terms, you end up in a discussion about their scope, or the supplier believes it is already meeting its obligations. The result is that your organization cannot properly investigate the data breach and therefore cannot inform victims in a timely and/or complete manner.

In an era of increasing digitalization, in which cyber attacks are becoming more common and healthcare organizations are more and more often among the victims, it is imperative to give the processor agreement the same attention as the main agreement. A topic such as the obligation to provide information in the event of a data breach can be designed very concretely: use clear or well-defined terms, include clear deadlines (for example, an initial notification within a fixed number of hours after discovery), and state specifically what information your organization needs for its investigation, such as the time of discovery, the systems and data categories affected, the number of records involved and the findings of the supplier's forensic investigation. To make this obligation enforceable, you can include indemnities for these obligations or a penalty provision.

Of course, a supplier must also be cooperative during negotiations. A supplier that has its priorities and internal processes in order will in most cases be very cooperative. Do you encounter a party that is not accommodating? Then you have to ask yourself whether you want to go into business with it at all.

Privacy-by-design

A final lesson learned. The data leak is a poignant example of excessive data access and poor application of privacy-by-design, with far-reaching consequences for those involved and for confidence in healthcare. The question arises why the laboratory where the leak occurred had access to so much directly identifiable personal data. This does not seem to be in line with the principle of data minimization. Moreover, pseudonymization, in which identifying data are replaced by a unique code that can only be traced back via a separate key, could have been an effective and relatively simple security measure here. It only works if the key and the lookup table stay with the screening organization and never reach the laboratory, and if the code is derived with a secret key or drawn at random: a plain hash of a nine-digit citizen service number can be reversed by simply trying all possible numbers. When contracting with another party, it is therefore also necessary to make very clear agreements about what personal data that party really needs and what security measures must be taken.
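As an added illustration of the pseudonymization and data-minimization point above (example code written for this page, not code from Bevolkingsonderzoek Nederland, the laboratory or any other party involved), the following Python sketch shows a screening organization sending a laboratory only a keyed pseudonym and the sample type, receiving results keyed by that pseudonym, and re-identifying them with a lookup table that never leaves its own environment. All participants, BSNs, purposes and results are constructed sample data, and the role names (`ScreeningController`, `lab_analyse`) are assumptions for the example. It also shows why an unkeyed hash of a BSN is not a pseudonym: the whole space of nine-digit numbers can be tried.

```python
"""Pseudonymizing screening data before it goes to a laboratory.

Roles (assumed for this example):
  - ScreeningController: the screening organization, which holds identifying
    data, the secret key and the pseudonym -> BSN lookup table.
  - lab_analyse: stand-in for the laboratory, which only ever sees a pseudonym
    and the fields it needs to analyse the sample.
All records below are constructed sample data, not real people or real BSNs.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample participants (fictional; these are not valid BSNs).
PARTICIPANTS = [
    {"bsn": "000000001", "name": "A. Jansen", "address": "Kerkstraat 1, Utrecht", "sample_type": "self_test"},
    {"bsn": "000000002", "name": "B. de Vries", "address": "Dorpsweg 9, Zwolle", "sample_type": "smear"},
    {"bsn": "000000003", "name": "C. Bakker", "address": "Laan 12, Leiden", "sample_type": "smear"},
]

# The only fields the laboratory genuinely needs (data minimization).
LAB_FIELDS = {"pseudonym", "sample_type"}


def unkeyed_pseudonym(bsn: str) -> str:
    """The weak variant: a plain hash of the BSN. Anyone who has the leaked
    data set can recompute this for all 10**9 possible BSNs."""
    return hashlib.sha256(bsn.encode()).hexdigest()


def brute_force(target: str, candidate_bsns: Iterable[int], derive) -> Optional[str]:
    """What an attacker holding the leaked lab data can do against a public
    derivation: try every candidate BSN and compare. Returns the BSN or None."""
    for n in candidate_bsns:
        bsn = f"{n:09d}"
        if derive(bsn) == target:
            return bsn
    return None


class ScreeningController:
    """Holds the secret key and the lookup table; neither is sent to the lab."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymize(self, bsn: str, purpose: str) -> str:
        # Keyed derivation (HMAC-SHA256): without the key the mapping cannot be
        # recomputed. Binding the purpose gives each processor a different
        # pseudonym for the same person, so two leaked data sets cannot be joined.
        mac = hmac.new(self._key, f"{purpose}:{bsn}".encode(), hashlib.sha256)
        pseudonym = mac.hexdigest()[:32]
        self._lookup[pseudonym] = bsn
        return pseudonym

    def reidentify(self, pseudonym: str) -> str:
        """Only the controller can map a pseudonym back to a person."""
        return self._lookup[pseudonym]

    def lab_order(self, participant: dict, purpose: str) -> dict:
        """What is actually sent to the lab: no name, address or BSN."""
        return {
            "pseudonym": self.pseudonymize(participant["bsn"], purpose),
            "sample_type": participant["sample_type"],
        }


def fields_exposed_to_lab(orders: List[dict]) -> Set[str]:
    """Check to run on any export: which field names leave the organization."""
    return {field for order in orders for field in order}


def lab_analyse(orders: List[dict]) -> Dict[str, str]:
    """Stand-in for the laboratory. Results are constructed; the point is that
    they are keyed by pseudonym only."""
    constructed_results = ["negative", "positive", "negative"]
    return {o["pseudonym"]: r for o, r in zip(orders, constructed_results)}


def merge_results(controller: ScreeningController, results: Dict[str, str]) -> Dict[str, str]:
    """Back at the controller: results are linked to the BSN via the
    separately held lookup table, never via data the lab had."""
    return {controller.reidentify(p): r for p, r in results.items()}


if __name__ == "__main__":
    ctrl = ScreeningController()
    orders = [ctrl.lab_order(p, "cervical_lab") for p in PARTICIPANTS]
    assert fields_exposed_to_lab(orders) <= LAB_FIELDS
    print("lab receives:", orders)
    print("controller sees:", merge_results(ctrl, lab_analyse(orders)))
    # An unkeyed hash is reversed by exhaustive search; the keyed one is not.
    print(brute_force(unkeyed_pseudonym("000000002"), range(10_000), unkeyed_pseudonym))
    print(brute_force(orders[1]["pseudonym"], range(10_000), unkeyed_pseudonym))
```

The `fields_exposed_to_lab` check is the kind of test worth wiring into the export pipeline itself, so that an extra column added to the lab feed fails a build rather than showing up on the dark web. The brute-force search is limited to 10,000 candidates here for speed; the full nine-digit space is only a billion hashes, which is cheap on commodity hardware, so the key, not the hash function, is what protects the mapping.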

Closing

A data breach can happen at any time. The GDPR does not demand that you prevent every data breach. It does oblige you to have good processes in place and to make good agreements with your suppliers, so that data leaks are detected quickly, solutions are found quickly and information obligations are met quickly. That limits the damage to victims as much as possible, and with it the damage to the organization itself.

Knowledge partner

Rosalie Brand