Preventing and reporting a data breach

You are obliged to protect the data you hold on customers and businesses. If your business or organisation deals with sensitive, protected, or confidential data, it is important to handle it with care. There is a chance that this information could fall into the hands of third parties, either intentionally or unintentionally. As soon as such data is copied, sent, viewed, stolen, or used by a person who does not have permission to do so, you are dealing with a data breach.
How does a data breach happen?
A data breach can be caused by:
- A security issue that allows cybercriminals to access business computer files containing personal data, financial information, or trade secrets.
- A business email sent to the wrong address.
- Discarded business computers, smartphones, and tablets that are resold without being wiped clean.
Tips to prevent a data breach
You do not want your sensitive, protected, or confidential company data to be exposed. Keep company information safe and prevent it from being viewed or made public. Here are some tips for preventing a data breach:
Collecting names, dates of birth, medical, or financial data is made easy by various systems. But do you really need this data? Consider whether the information you collect and store is relevant to your work and business processes.
The use of various systems usually means that information is stored automatically. You may be storing much more sensitive data than you actually need for your work. Consider whether personal data of former customers, payment dates, or login details from the past are useful to store.
Always consider which employees need access to sensitive data. Keep track of which employee has access to which type of information and whether they need it to do their work. Make agreements with these employees about how they handle sensitive data.
If you are dealing with sensitive data, secure it well, and store it in as few places as possible. You reduce the risk of accidental data leaks if you store such information centrally, give employees selective access, and keep track of which information is available to whom. Do not forget to make regular backups and to keep systems up to date.
Even when employees are well trained, mistakes can happen. In addition to strong security measures, you can also use Data Loss Prevention (DLP) software. DLP software detects potential data breaches by monitoring, detecting, and blocking the movement of sensitive data. For example, DLP software lets you classify and manage critical information. This prevents unauthorised end users from accessing data or sharing it with third parties, whether accidentally or with malicious intent.
- Hard drive encryption: Encrypt all data on a laptop's hard drive. This makes it difficult for thieves to view or disclose the data.
- Two-step verification: Log in using two-step verification or two-factor authentication. This means that, in addition to a username and password, an extra step must be taken to log in successfully. This can be done using a hardware or software token. The latter can be done via an app on a smartphone, for example.
- Mobile Device Management: this allows you to remotely block a mobile device and delete data if necessary. There are various options depending on the type and brand of equipment.
- Draw up a policy: Agree that data will not be stored locally on laptops and other devices. Enforce this technically as far as possible by means of network and machine policies. Use established secure cloud storage providers for data storage (with two-step verification login, of course).
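To make the Data Loss Prevention idea described above concrete, here is a small added example (not code from this page or from any DLP product) of the classify-then-block step in Python. It looks for three kinds of identifiers in an outgoing message, a Dutch BSN, an IBAN and a payment card number, and only counts a match when its checksum validates, so that order numbers or phone numbers are not flagged. The sample messages, the policy in outbound_decision and the domain example.nl are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # which classifier matched
    masked: str  # the value with everything but its last four characters hidden


# Candidate patterns. A match is only reported if its checksum validates, which
# keeps order numbers and phone numbers from being flagged as identifiers.
BSN_RE = re.compile(r"\b\d{9}\b")                         # Dutch citizen service number
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # ISO 13616 bank account number
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13 to 19 digit payment card number


def valid_bsn(digits: str) -> bool:
    """11-proof: 9*d1 + 8*d2 + ... + 2*d8 - d9 must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], range(9, 1, -1)))
    return (total - int(digits[8])) % 11 == 0


def valid_iban(iban: str) -> bool:
    """Mod-97 check: move the first four characters to the end, map A..Z to 10..35, value mod 97 is 1."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def valid_luhn(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        n = int(ch)
        if position % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


CLASSIFIERS = (
    ("bsn", BSN_RE, valid_bsn),
    ("iban", IBAN_RE, valid_iban),
    ("card", CARD_RE, lambda value: valid_luhn(re.sub(r"[ -]", "", value))),
)


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> list[Finding]:
    """Return every validated identifier found in the text, never the raw value."""
    findings = []
    for kind, pattern, check in CLASSIFIERS:
        for match in pattern.finditer(text):
            value = match.group(0)
            if check(value):
                findings.append(Finding(kind, mask(value)))
    return findings


def outbound_decision(text: str, recipient: str, own_domain: str = "example.nl") -> str:
    """Constructed policy: sensitive data may stay inside the organisation (and is logged),
    but is blocked when the recipient is a third party. example.nl is a placeholder domain."""
    if not scan(text):
        return "allow"
    internal = recipient.lower().endswith("@" + own_domain)
    return "allow-and-log" if internal else "block"


# Constructed sample messages, not real customer data.
SAMPLES = {
    "hr_note": "Contract for BSN 111222333, salary paid to NL91ABNA0417164300.",
    "newsletter": "Order #123456789 has shipped; call 0612345678 with questions.",
    "card_mail": "Customer card 4111 1111 1111 1111 expires 12/29.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = [f"{f.kind}:{f.masked}" for f in scan(body)]
        print(name, found, outbound_decision(body, "bob@partner.com"))
```

Running the block prints, for each sample, the masked findings and the decision for an external recipient. A real deployment would call scan from the mail gateway or endpoint agent and extend CLASSIFIERS with the data types your own inventory marks as sensitive; logging only masked values keeps the DLP log itself from becoming another copy of the data.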
Reporting a data breach
The obligation to report data breaches is included in the GDPR. If you have detected a data breach, go to the data leak reporting desk (Meldloket Datalekken, in Dutch) of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). You must report it within 72 hours. If you do not report the data breach, the AP may fine your business.
In addition, you may also need to inform the individuals whose data has been breached. It is important to always report a data breach to the AP, even if you are not sure whether it is a data breach.
How do you report a data breach?
To submit a report to the AP, you need to know 3 things:
- Is there a breach of confidentiality and has personal data been disclosed?
- Is it a breach of integrity and has the data been changed?
- Or is it a breach of availability and is the data no longer accessible?
If you know which data has been leaked, you can estimate whether the data breach poses a risk to the rights and freedoms of the people involved. If there is no risk, you do not have to report the data breach to the people involved. But do not underestimate these risks. Even seemingly innocent personal data can be extremely valuable in the wrong hands.
Is the personal data encrypted and is the key still secure? Then you do not have to report it, unless this means that you have lost access to the data yourself. If that is the case, you are dealing with a breach of availability. Another example is a password leak: if only the hashed passwords (a one-way technique that makes it much harder to recover the original passwords) have been leaked, you do not have to report that. However, it is rare for only this type of hashed data to be leaked.
Depending on your answers to the above questions, you decide whether or not to report. The general rule is that you must report a data breach if there is a risk to the rights and freedoms of the people involved.
Are you still unsure whether or not you should report a data breach? The Dutch Data Protection Authority has a detailed explanation (in Dutch), with more examples. Please also read the guidelines published on the reporting obligation.