Preventing and reporting a data breach

Published by:
Digital Trust Center

If your business or organisation is dealing with sensitive, protected, or confidential data, handling it with caution is important. After all, there is a chance that this information could intentionally or unintentionally fall into the hands of third parties. As soon as this data is copied, transmitted, viewed, stolen, or used by a person who does not have permission to do so, your business is dealing with a data breach.

What is a data breach?

You have a data breach when cybercriminals gain access to computer files containing personal data from your business, trade secrets, or financial information. It is also a data leak if confidential information is accidentally made public.

A data breach can be caused by:

  • A security vulnerability. This allows cybercriminals to gain access to computer files containing personal data, financial information, or trade secrets.
  • A business email sent to the wrong address.
  • Business laptops and USB sticks that are stolen or lost.
  • Discarded business computers, smartphones, and tablets that are resold without being wiped clean.

A data breach could mean that you accidentally violate the General Data Protection Regulation (GDPR) and could be fined.

Consider how you handle sensitive data

Many data breaches happen because internal employees handle sensitive data incorrectly, or because they are not aware that the information may be of interest to a third party. Make an inventory of sensitive information and handle it with care. For example, do not share the information with everyone in the organisation. Also, train the staff who work with sensitive data (in Dutch). When an employee is aware of the type of information they are working with and why it is important, they are less likely to make mistakes.

Has your account been taken over by cybercriminals after a data breach? Then read what you need to do to recover your hacked account (in Dutch). Read more about what action to take for various types of hacks.

Tips to prevent a data breach

You do not want your sensitive, protected, or confidential company data to be exposed. Keep company information safe and prevent it from being viewed or made public. Here are some tips for preventing a data breach:

Collecting names, dates of birth, medical, or financial data is made easy by various systems. But do you really need this data? Consider whether the information you collect and store is relevant to your work and business processes.

The use of various systems usually means that information is stored automatically. You may be storing much more sensitive data than you actually need for your work. Consider whether personal data of former customers, payment dates, or login details from the past are useful to store.

Always consider which employees need access to sensitive data. Keep track of which employee has access to which type of information and if they need it to do their work.

If you are dealing with sensitive data, secure it well, and store it in as few places as possible. You reduce the risk of accidental data leaks if you store such information centrally, give employees selective access, and keep track of which information is available to whom. Do not forget to make regular backups and to keep systems up to date.

Even when employees are well trained, mistakes can happen. In addition to strong security measures, you can also use Data Loss Prevention (DLP) software. DLP software detects potential data breaches by monitoring, detecting, and blocking sensitive data. For example, when using DLP software, you can classify and manage critical information. Unauthorised end users cannot accidentally or with malicious intent access or share data with third parties.

Reduce the risk of a data breach with the use of other security measures, for example regular pen-testing of software, antivirus and malware protection, strong passwords, and patching. To keep data breaches to a minimum, it is also important that employees are constantly trained and aware of cybersecurity risks.

How do you report a data breach?

Visit the data leak reporting desk (Meldloket Datalekken, in Dutch) to report a data breach. You must report all data breaches to the Dutch Data Protection Authority (AP) within 72 hours. Reporting is mandatory. If you do not report the data breach, the AP may fine your business.

You may also have to inform the people whose data has been leaked. For example, your employees or customers. It is important that you always report a data breach to the AP, even if you are not sure whether data has actually been leaked. If further investigation shows that no data breach has occurred, this can simply be added to the report.

What information do you need to report?

To submit a report to the AP, you need to know 3 things:

  1. What type of data breach is it?
    • Is there a breach of confidentiality and has personal data been disclosed?
    • Is it a breach of integrity and has the data been changed?
    • Or is it a breach of availability and is the data no longer accessible?
  2. What data has potentially been leaked?

    If you know which data has been leaked, you can estimate whether the data breach poses a risk to the rights and freedoms of the people involved. If there is no risk, you do not have to report the data breach to the people involved. But do not underestimate these risks. Even innocent personal data can be extremely valuable in the wrong hands.

  3. What state is the data in?

    Is the personal data encrypted and is the key still secure? Then you do not have to report it, unless this means that you have lost access to the data yourself. If that is the case, you are dealing with a breach of availability. Another example is password leaks. Have only hashed passwords been leaked (hashing is a technique to make decryption more difficult)? You do not have to report that. However, it is rare for only this type of hashed data to be leaked.

Depending on your answers to the above questions, you decide whether or not to report. The general rule is that you must report a data breach if there is a risk to the rights and freedoms of the people involved.

Were login details from your business leaked in a data breach?

It is possible that your data has been stolen or leaked in the past. That makes your business an easier target for phishing or online fraud. Always take precautions. The steps to take if your data has been leaked depend on what data has been leaked. For example, are your login details in a data leak? Then take these steps:

Verify through official channels with the ‘leaking’ business whether your data was actually leaked and, if so, what data was leaked. If your personal data has been misused (for example, a phone subscription in your name), you can report this to the Central Identity Fraud Disclosure Office (CMI). If your personal data has not yet been misused, you do not have to report to the CMI. Has a copy of your identity document been leaked? Then you may want to consider applying for a new identity document from your municipality.

If your login details have been leaked, quickly change your password for this company account. If you also use this password for other accounts, you should change it there too. In future, never use the same password for different accounts. This is because cybercriminals use the captured login details from data breaches on other accounts in the hope that you have reused your passwords.

In the period after the data breach, cybercriminals may try to use the captured personal details or data to make phishing emails, attempt helpdesk fraud, or make their invoice fraud more convincing. Be extra alert to this.

Questions relating to this article?

Please contact Digital Trust Center
