Reporting a data breach

How to deal with cybercrime

Has someone tried to scam you or someone in your company via email, text, or WhatsApp? If you are a victim of cybercrime, it is important that you retain as much evidence as possible (for example a fake invoice) without changing anything. File a police report immediately. With the evidence, the police and the Public Prosecution Service can investigate. Together with statements from others, it might be possible to combine information and provide insight into the way the criminal (organisation) acted. The more information, the greater the chance that the investigation will be successful. The reports also make it possible to recognise new forms of cybercrime and to adapt security software, antivirus programs, and systems. If you are insured against cybercrime and submit a claim for compensation, your insurance company will ask for a copy of the police report.

Report to the police

When you make an appointment to file the police report, ask for the presence of a digital detective. This helps in formulating and including a statement that is as complete as possible. You will be asked for information based on the legal text and therefore on the elements of the criminal offence, such as:

• Is it a declaration against a private individual or a company?
• Have security measures been taken?
• What is the estimated damage (hours in money, immaterial damage, in Dutch) and what are the repair costs?
• Is there a suspect?

If you have discovered a data breach, you always need to report it to the Dutch Data Protection Authority. Even if the breach has not led to a cybercrime yet.

Report to the Dutch Data Protection Authority

You must report all data breaches to the Dutch Data Protection Authority (AP) within 72 hours, using the data leak reporting desk (meldloket datalekken, in Dutch). Reporting is mandatory. If you do not report the data breach, the AP may give your business a fine.

In addition, you may also have to inform the people whose data has been leaked. For example, you employees or customers. It is important that you always report a data breach to the AP, even if you are not sure whether data has actually been leaked. If further investigation shows that no data breach has occurred, this can simply be added to the report.

How do I report a data breach?

To be able to correctly submit a report to the AP, you need to know 3 things:

1. What kind of data breach am I dealing with?

   • Is there a breach of confidentiality and has personal data been disclosed?
   • Is it a breach of integrity and has the data been changed?
   • Or is it a breach of availability and is the data no longer accessible?
2. What data has potentially been leaked?

   If you know which data has been leaked, you can estimate whether the data breach poses a risk to the rights and freedoms of people involved. If there is no risk, you do not have to report the data breach to the people involved. Do not underestimate these risks. Even innocent personal data can be extremely valuable in the wrong hands.

3. What state is the data in?

   Is the personal data encrypted and is the key still secure? Then you do not have to report it, unless this means that you have lost access to the data yourself. If that is the case, you are dealing with a breach of availability. Another example is password leaks. For example, have only the salted hashes (a technique to make decryption more difficult) of passwords been leaked? You do not have to report that. This kind of hashed data leak is not likely to happen.

Depending on your answers to the above questions, you decide whether or not to report. The general rule is that you must report a data breach if there is a risk to the rights and freedoms of the people involved. In practice, it never hurts to report, while failure to report may be a risk.

Report identity theft

If your personal data has been misused (for example, a phone subscription in your name), you can report this to the Central Identity Fraud Disclosure Office (CMI).