Data Blog #6. Data Breaches and Notifications


A data breach constitutes the viewing and stealing of, or access to, sensitive data by people that are not authorized to do so. This can happen either through hacking, or due to negligence or inadequate protection of data. You can find an awesome interactive overview of the world’s biggest data breaches over time on this website. What you can see is that the number of large data breaches has increased significantly the past couple of years. This is in part due to the fact that there simply is more data worth hacking or more data that can be breached. At the EU level we have the European Commission Regulation 611/2013 concerning the notification of data breaches in the telecommunications industry. The new Data Protection Regulation (that will enter into force around 2017) includes a section on data breach notification requirements, this time for a wider number of sectors and companies. With the new regulation, data controllers have to report a data breach within 24 hours after it has been discovered. In fact, the right to know when your data has been breached is actually considered a ‘fundamental right for citizens’ in the new Data Protection Regulation. Although large companies (irrespective of the sector they are active in) have to notify every breach of data, Small and Medium sized Enterprises only have to do so in case there is a high risk for the infringement of an EU citizen’s rights and freedoms.

But why are data breaches such a big deal? The past couple of years the main victims of large data breaches in the form of hacking have been healthcare and financial organizations and corporations. You can imagine that if unauthorized persons are able to access your medical records, your financial details or anything else that is being extrapolated and stored by such companies, the implications can be large. Think identity theft or loss of sensitive information due to improper protection. Each can have serious consequences for the individuals involved. Even though Big Data has a lot of advantages, there definitely is a dark side to the story as well.

As of the first of January 2016 a new law entered into force requiring Dutch companies to notify competent authorities whenever there has been a significant data breach (‘Meldplicht Datalekken’). This refers data breaches that can have serious negative effects with regards to the protection of personal data. Whether or not this is the case is up to the data controller to decide. However, in order to ensure that data controllers will actually fulfill this duty, the competent authority regarding data security now has the right to set significant fines. A reluctance to notify, inaccurate data protection or any other breach of data protection laws can result in massive fines. The goal of the new law is to encourage improvements in data protection and subsequent increased transparency towards the consumer/ individual. At the moment the Dutch laws and obligations are stricter than those under EU law, but the implementation of the Data Protection Regulation will smoothen that out.

How does S2M do it? S2M is a company incorporated in the Netherlands. We don’t own any physical data storage centers and so all our data is stored with third parties, either in the Netherlands or in Ireland. The question then becomes; who is responsible for notifying a breach in data? S2M or the data storage center? And what about the data stored in Ireland? First of all, if data is stored with third parties it is up to the original owner of the data (in our case S2M) to ensure that the third party adheres to the rules and regulations required by the new data breach notification requirement. It is the task of S2M to make sure that the third party notifies S2M as soon as possible in case of a breach. Depending on the arrangements made with the third party, it is either the third party or S2M who is required to notify the competent authority. However, in either situation S2M is the responsible party and can be held liable in case of a breach (not the third party). The geographical location in which the third party data center is located is not important. Whether the data center is located in Ireland or the Netherlands; a data breach of S2M data has to be notified to the competent Dutch authorities according to Dutch law. S2M is the party responsible and liable in case this is not done properly. Additionally, we are also responsible to ensure that the third party data centers abroad notify their national competent authorities in case of a data breach.. All in all; if there is a breach of sensitive information which could possibly negatively affect you, you are sure to find out. For the Dutch speakers amongst us, some more information on the new rules here.