Preventing and reporting a data breach

You are obliged to protect the data you hold on customers and business partners, for example against a data breach. Read how to prevent a data breach, and what to do if one occurs in your business.
What is a data breach?
You have a data breach when cybercriminals gain access to computer files containing personal data from your business, trade secrets, or financial information. It is also a data leak if confidential information is accidentally made public.
A data breach can be caused by:
- A business email sent to the wrong address.
- Business laptops and USB sticks that are stolen or lost.
- Discarded business computers, smartphones, and tablets that are resold without being wiped clean.
- A business digital account that is hacked, allowing a cybercriminal to access all of its data.
A data breach could mean that you accidentally violate the General Data Protection Regulation (GDPR) and could be fined.
Dangers of a data breach
There can be serious consequences when confidential information falls into the wrong hands. For instance, cybercriminals can more easily commit online fraud with your customers' personal data. They can also send more targeted phishing emails to victims of a data breach.
Cybercriminals can use leaked passwords to try to log in on other platforms. Advise your customers to change their passwords after a data breach.
Find more information about cybersecurity and preventing cybercrime.
Tips to prevent a data breach
You do not want your sensitive, protected, or confidential company data to be exposed. Keep company information safe and prevent it from being viewed or made public. Here are some tips for preventing a data breach:
Collecting names, dates of birth, medical, or financial data is made easy by various systems. But do you really need this data? Consider whether the information you collect and store is relevant to your work and business processes.
The use of various systems usually means that information is stored automatically. You may be storing much more sensitive data than you actually need for your work. Consider whether personal data of former customers, payment dates, or login details from the past are useful to store.
Always consider which employees need access to sensitive data. Keep track of which employee has access to which type of information and if they need it to do their work. Make agreements with these employees about how they handle sensitive data.
If you are dealing with sensitive data, secure it well, and store it in as few places as possible. You reduce the risk of accidental data leaks if you store such information centrally, give employees selective access, and keep track of which information is available to whom. Do not forget to make regular backups and to keep systems up to date.
Even when employees are well trained, mistakes can happen. In addition to strong security measures, you can also use Data Loss Prevention (DLP) software. DLP software detects potential data breaches by monitoring where sensitive data goes and blocking it from leaving your systems. For example, with DLP software you can classify critical information and manage who may handle it, so that end users cannot accidentally or deliberately access it or share it with third parties.
Reduce the risk of a data breach with other security measures as well, for example regular penetration testing of your software, antivirus and malware protection, strong passwords, and patching. To keep data breaches to a minimum, it is also important that employees are continually trained and aware of cybersecurity risks.
How do you report a data breach?
Visit the data leak reporting desk (Meldloket Datalekken, in Dutch) to report a data breach. You must report all data breaches to the Dutch Data Protection Authority (AP) within 72 hours. Reporting is mandatory. If you do not report the data breach, the AP may fine your business.
You may also have to inform the people whose data has been leaked. For example, your employees or customers. It is important that you always report a data breach to the AP, even if you are not sure whether data has actually been leaked. If further investigation shows that no data breach has occurred, this can simply be added to the report.
What information do you need to report?
To submit a report to the AP, you need to know 3 things:
- What type of data breach is it?
  - Is it a breach of confidentiality, and has personal data been disclosed?
  - Is it a breach of integrity, and has the data been changed?
  - Or is it a breach of availability, and is the data no longer accessible?
- What data has potentially been leaked?
  If you know which data has been leaked, you can estimate whether the data breach poses a risk to the rights and freedoms of the people involved. If there is no risk, you do not have to report the data breach to the people involved. But do not underestimate these risks. Even seemingly innocent personal data can be extremely valuable in the wrong hands.
- What state is the data in?
  Is the personal data encrypted and is the key still secure? Then you do not have to report it, unless this means that you have lost access to the data yourself. If that is the case, you are dealing with a breach of availability. Another example is password leaks. For example, have only hashed passwords been leaked (hashing is a one-way transformation that makes recovering the original passwords much harder)? You do not have to report that. However, it is rare for only this type of hashed data to be leaked.
Depending on your answers to the above questions, you decide whether or not to report. The general rule is that you must report a data breach if there is a risk to the rights and freedoms of the people involved.
Were login details from your business leaked in a data breach?
It is possible that your data has been stolen or leaked in the past. That makes your business an easier target for phishing or online fraud. Always take precautions. The steps to take if your data has been leaked depend on what data has been leaked. For example, are your login details in a data leak? Then take these steps:
Verify through official channels with the ‘leaking’ business whether your data was actually leaked and, if so, what data was leaked. If your personal data has been misused (for example, a phone subscription in your name), you can report this to the Central Identity Fraud Disclosure Office (CMI). If your personal data has not yet been misused, you do not have to report to the CMI. Has a copy of your identity document been leaked? Then you may want to consider applying for a new identity document from your municipality.
If your login details have been leaked, quickly change your password for this company account. If you also use this password for other accounts, you should change it there too. In future, never use the same password for different accounts. This is because cybercriminals use the captured login details from data breaches on other accounts in the hope that you have reused your passwords.
In the period after the data breach, cybercriminals may try to use the captured personal details or data to craft phishing emails, attempt helpdesk fraud, or make their invoice fraud more convincing. Be extra alert to this.
Recognising a data breach
There are things that can indicate a data breach. These include:
- suspicious login activity
- strange file changes
- unexpected appearance of unknown files
- documents containing sensitive information getting lost
- files deleted by someone who does not have permission to do so
- unusual administrator activities
- notifications from your anti-virus software about suspicious network traffic or suspicious software
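The indicators above can be checked automatically against your own audit logs. The script below is an added example, not part of the original page: it scans a constructed log (assumed format: timestamp, user, action, key=value details) for three of the listed signals, namely a burst of failed logins followed by a successful one, files deleted by a user without permission for that folder, and administrator activity outside business hours. The access policy and thresholds are assumptions to adapt to your own business.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data); one event per line:
# <ISO timestamp> <user> <action> [key=value ...]
SAMPLE_LOG = """\
2024-03-04T02:11:05 bob login_failed src=203.0.113.9
2024-03-04T02:11:09 bob login_failed src=203.0.113.9
2024-03-04T02:11:12 bob login_failed src=203.0.113.9
2024-03-04T02:11:20 bob login_ok src=203.0.113.9
2024-03-04T02:14:40 bob delete_file path=/finance/invoices_q1.xlsx
2024-03-04T03:02:00 admin create_user name=svc_backup2
2024-03-04T09:30:00 alice login_ok src=198.51.100.7
2024-03-04T10:05:00 alice delete_file path=/marketing/draft.docx
"""

# Assumed access policy: which users may delete files under which folders.
DELETE_ALLOWED = {"alice": ("/marketing/",), "finance_admin": ("/finance/",)}
FAILED_LOGIN_THRESHOLD = 3          # failures before a success is suspicious
BUSINESS_HOURS = range(8, 18)       # admin actions outside 08:00-17:59 are flagged

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse(line):
    """Split one log line into (timestamp, user, action, {key: value})."""
    ts, user, action, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split())
    return datetime.fromisoformat(ts), user, action, fields

def find_indicators(log_text):
    """Return (indicator, user, detail) tuples for the signals found in the log."""
    alerts = []
    failed = defaultdict(int)   # consecutive failed logins per user
    for line in log_text.splitlines():
        ts, user, action, f = parse(line)
        if action == "login_failed":
            failed[user] += 1
        elif action == "login_ok":
            if failed[user] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("suspicious_login", user,
                               f"{failed[user]} failures then success from {f['src']}"))
            failed[user] = 0    # a successful login resets the counter
        elif action == "delete_file":
            allowed = DELETE_ALLOWED.get(user, ())
            if not any(f["path"].startswith(p) for p in allowed):
                alerts.append(("unauthorised_delete", user, f["path"]))
        if user == "admin" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_admin", user, f"{action} at {ts.isoformat()}"))
    return alerts
```

Running `find_indicators(SAMPLE_LOG)` on the constructed log reports three alerts: bob's failed-then-successful login, bob's deletion in the finance folder, and the administrator creating an account at 03:02.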
Tell employees about the risk of data breaches
It is important that your employees understand the risk of a data breach. A data breach can happen accidentally, for example because sensitive information has been sent to the wrong email address. Make sure employees know what to do if data has been leaked.