As we write this, it is now four months since the new data breach notification law in the Netherlands went into effect. Since 1 January 2016, data controllers are obliged to notify the Dutch data protection authority (DPA) and individuals if the security of personal data has been compromised. The new Dutch law requires:
- The Dutch DPA must be notified where there is a considerable likelihood of the breach having serious adverse effects on the privacy of the affected individuals. This is a higher threshold than provided for under the GDPR, where the DPA must be notified of a breach, unless it is unlikely to result in a risk to the privacy of individuals.
- Individuals must be notified if such a breach has a considerable likelihood of adversely affecting the privacy of the individual. This seems to be a lower threshold than provided for under the GDPR, where individuals must be notified directly if a breach is likely to result in a high risk to the privacy of the individuals.
An evaluation of the number and nature of the notifications made to the DPA under the new requirements in the Netherlands can therefore be indicative of what the DPAs of other member states can at a minimum expect when the GDPR comes into force in 2018 (in particular because the GDPR provides for a lower threshold for notification to the DPA than the Dutch law). We note that, with regard to notification to individuals directly, an evaluation of the Dutch numbers will be less indicative because the GDPR provides for a higher threshold before notification to individuals is required.
In a speech at the International NCSC One Conference on 5 April 2016, a representative of the Dutch DPA indicated that in the first 100 days it had received more than 1,000 breach notifications under the new data breach notification law. By early May, we heard that the number had already surpassed 1,500. Extrapolating these numbers would result in a total of 4,200 notifications to the DPA per year. The DPA also indicated that it is not surprised by this number, as there are more than 130,000 organizations in the Netherlands that would be subject to the new notification requirements.
In fact, it suspects that there probably were more breaches than were reported.
On 30 December 2015 (therefore just prior to the new Dutch notification requirements coming into force), Dutch Data Protection Commissioner Jacob Kohnstamm gave a radio interview where he expressed his concerns regarding an expected capacity shortage to deal with the notifications.
According to Kohnstamm, the Ministry of Justice first estimated that the DPA would receive 60,000 reports annually. This estimate was later adjusted to 6,000 notifications, without any detail as to how or why the Ministry reached that conclusion. Kohnstamm responded by referring to the introduction of data breach notification in the United Kingdom, where the Information Commissioner’s Office (ICO) was overwhelmed in the first few weeks by an enormous stream of notifications. He stated that the Dutch DPA had implemented a software package to prevent such a scenario. This software operates with a funnel mechanism that separates the notifications requiring action by the DPA from those that do not. He stated that the software flags which notifications do not require action (because no harm can come from them); these notifications are then archived for future reference. Notifications that require further investigation, for instance due to careless behavior by the organization reporting the breach or because the individuals must be notified, are set aside for further handling.
At the International NCSC One Conference, however, the representative of the Dutch DPA indicated that it had reviewed all of the notifications received since the effective date, mainly to get an idea of what has been reported.
Is the reported number of (by now) 1,500 notifications really not surprising (and even at the low end of what should be reported)? As indicated, the threshold for notification is higher than it will be under the GDPR. Fifteen hundred notifications in 130 days amounts to about 11.5 notifications every day, including weekends. This seems an extremely high number for a DPA to review and potentially take enforcement action on, and the Netherlands is a relatively small country. If this number is indicative of the number of notifications under the GDPR (which it is, because the threshold under the GDPR is lower and the notification requirements will be more easily triggered), larger European countries may be in for a surprise.
As a comparison, in the U.K., data breach notification is part mandatory and part voluntary. For the health and telecommunications sector, specific legislation requires notification of the U.K. ICO; for other sectors, voluntary reporting to the ICO is recommended for “serious breaches.” Over the first three months of 2016, the ICO has received reports of a total of 450 breaches.
Since the effective date of the new law, the Dutch DPA has reviewed all of the notifications it has received, mainly to get an idea of what has been reported. It classified the notifications in roughly the following categories of reports:
- The loss of unencrypted devices (laptops, USB sticks, mobile phones).
- Insecure disposal of information, such as wage and salary information disposed of in rubbish containers.
- Insecure transfer of information, such as transfer of medical data through unsecured lines.
- Malicious actors accessing databases and encrypting the data for a ransom (cryptowall ransomware).
It is noteworthy that in roughly three of the four categories, the breach is related to inadvertent disclosure by the company itself, and only one category concerns information obtained maliciously by a third party. Some of these breaches might have been prevented had companies instituted more rigorous data security practices, more automated tools to prevent data leakage, or more training.
It is the DPAs’ and the legislators’ hope that the new notification requirements will increase awareness and result in companies stepping up their security. That said, no matter how good a company’s policies, procedures and training program are, mistakes still happen and malicious actors still continue to be successful.
The Dutch DPA has reported that in approximately two-thirds of all reports that it received there have been reasons to examine the situations more carefully or open investigations. The DPA reported that subsequent action has been taken against “about 70 organisations.” In some cases, the DPA asked for additional reports; in other cases it informed organisations that they need to notify the involved individuals because the breach concerns “sensitive information” (in which case, the adverse effect on individuals is more or less assumed). Note that the Dutch DPA has issued guidance that provides a list of examples of data that are considered sensitive, which includes the “special categories” of data (such as data about health, race, and political opinions), but also:
- Data about the financial or economic situation of the data subject (debts, salary, payments details etc.).
- Data that may lead to stigmatisation or exclusion of the person concerned.
- User names, passwords, and other login details.
- Data that can be misused for (identity) fraud.
Although the DPA did not state what kind of follow-up action it has taken, it did provide insight into the workload that the notifications are creating for the DPA. The DPA has not reported the number of cases in which it advised a company to also notify affected individuals. It will be interesting to evaluate the notifications again if these numbers become available.
Based on the foregoing, European DPAs should be prepared and equipped with sufficient capacity and resources to follow up, investigate, and enforce large numbers of breach notifications because, if they aren’t ready, they risk undermining the legitimacy of the breach notification rules altogether.
Moreover, as the thresholds for notification under Dutch law differ from those under the GDPR, it is important that DPAs across Europe be consistent and aligned on when they expect to be notified about a breach, as well as when individuals are required to be notified. In that respect, the continuing experiences of the Dutch DPA and the ICO with their respective breach notification requirements and guidance will provide valuable input and lessons learned for the impending effective date of the GDPR.