My employee has caused a data breach, what now?
Data breaches in the news
Since the data breach notification obligation took effect on January 1st, 2016, the data protection watchdog of the Netherlands (Autoriteit Persoonsgegevens, AP) has received thousands of data breach notifications. In today’s digital world, companies are exposed to the major risk of employees who could cause such a data breach. An e-mail to the wrong person is sent before you know it, and reality shows that not all employees are careful with their login credentials.
What is a data breach?
A data breach is a violation of the security of personal or confidential data: the personal data is exposed to loss or unlawful processing. Under the Data Protection Act (Wet bescherming persoonsgegevens, Wbp), a breach of the security measures protecting personal data is considered to exist if ‘there is a considerable chance of negative consequences, or there are negative consequences, for the protection of personal data’. Roughly speaking, a data breach concerns unintended access to, or deletion, alteration or release of, personal data within an undertaking. Besides ‘leaked’ data, ‘alleged unlawful’ processing of personal data is also considered a data breach. Overall, the definition of a security breach is rather broad.
Who should be notified?
When a private or public undertaking establishes a data breach within the meaning of the Wbp, it should consider whether the breach has to be notified to the AP, as not every data breach has to be notified. A notification to the AP has to be made if there is a serious chance of negative consequences for the protection of personal data; the decision whether or not to notify the AP therefore depends on this assessment. If sensitive data is leaked, the consequences for the protection of personal data can be rather severe, so a notification has to be made in that case. Sensitive personal data includes, for example, data on someone’s religion, race or health. Data on someone’s financial situation can also qualify as sensitive data.
If no sensitive personal data is leaked and the scale and impact of the breach are unlikely to have negative consequences, it is not necessary to notify the breach to the AP. The AP has provided some examples of cases in which a data breach should be notified:
- An employee loses a laptop with unencrypted, financial customer data
- As a result of a malfunction in a hospital, there are some signs that medical data has been seen by unauthorized people
- An employee of an internet provider has given his login credentials to a third party, which as a result has unlimited access to all customer data
The notification has to be made without undue delay and preferably no later than 72 hours after the discovery of the data breach. The AP can fine undertakings that violate the Wbp up to €820,000. A telecom undertaking that does not notify a data breach can be fined up to €900,000.
In some cases, the data subjects concerned also have to be notified of the data breach. Here too, an assessment has to be made. In summary, if no or only limited security measures have been taken and the data breach is likely to have negative consequences for the private life of the person whose data has been breached, that person should be notified. For example, if an employee of an insurer has provided his login credentials to a third party, which as a result has unlimited access to all customer data, this data breach has to be notified to the people whose data has been breached. One can opt not to notify only if there are serious reasons for not doing so.
One can never fully prevent a data breach (by an employee), but it is advisable to create awareness of this topic within the firm. Make sure that all your employees are aware of the risks of processing personal data. Measures have to be taken not only at the organizational level but also at the technical level to prevent a data breach, and the IT environment of a company has to comply with the requirements of the Wbp. In an undertaking where many e-mails are sent daily, one should consider using so-called delayed e-mails: if an employee finds out that he has sent an e-mail to the wrong person, he still has the possibility to cancel the outgoing e-mail and thus prevent a possible data breach. We would also advise including a specific clause in the employment contract, obliging the employee to report a data breach and imposing a fine if he fails to do so.
If you have any questions on this topic, or if you need help drafting such a clause for an employment contract, please contact mr. Alexander Briejer and mr. Bob de Bruijn from our Labor Law section.