The processing of personal data of customers and users of your website or digital services is not without risk. While these data are essential for invoicing, client service, marketing and innovation, they can also be attractive assets for cybercriminals. As well as financial data such as codes for bank accounts, cybercriminals are also frequently looking for sensitive data concerning health, family situation or sexual preferences. Consequently, the hacking of data is a serious threat to any business today.
Major cyberattacks (such as the WannaCry ransomware attack) show that effective and powerful cybersecurity is a necessity for your company. On this point, the advice is clear: you need to protect and shield personal data effectively. But what should you do if cybercriminals succeed in piercing through the security wall and gain access to these data? Should you inform the customers and users directly or indirectly? And the authorities? With the GDPR, there are substantial changes ahead.
Notification: currently no obligation except for telecom operators
Currently, only telecom operators are under a legal obligation to inform authorities of a cyberincident. These operators are required to inform the Institute for Electronic Communication (BIPT) within 24 hours after an incident and to provide a detailed report within 72 hours. This only applies where the incident has a significant impact on the operation and security of the telecom network or services.
For other players, it is possible to report a data leak to the Privacy Commission – soon becoming the Data Protection Authority – but there is no obligation to do so. As such, reporting is at the discretion of the company. Official reports show that data leaks are only reported in exceptional cases. The security breach at Yahoo! in 2013 shows that the decision not to communicate about major data leaks may harm the reputation and even the value of a company. When the media did finally uncover the leak, the shares of the company took a tumble, and Verizon was able to acquire Yahoo! at a price USD 350 million lower than the initial offer. The business case whether or not to communicate should therefore be considered with care.
While there is at present no legal obligation to inform the user, companies should be aware that a customer could ask for compensation to the extent that he/she can substantiate that the company did not act diligently (e.g. by providing no security or dysfunctional security and/or providing no information or inadequate information about data losses) and that the breach resulted in damage. So far, no such case has been brought before the Belgian courts.
Coming soon: obligation to report a security breach
When the GDPR comes into force on 25 May 2018, there will be a general obligation to report security breaches. The regulation imposes a general notification obligation on the controller of personal data in the event of data breaches.
According to the regulation, a data breach is any breach of security that inadvertently or unlawfully leads to the destruction, loss, modification or unauthorised disclosure of or unauthorised access to data transmitted, stored or otherwise processed (Article 4.12 GDPR). As such, there is not only a duty to report the loss of data in the case of hacking, but also any unintended loss of data by the company itself. Research shows that the vast majority of data leaks are accidental and attributable to the data controller.
First, there will be an obligation to report a data breach to the central reporting point for data leaks, which will operate under the control of the Data Protection Authority. No such obligation will exist if it is unlikely that a data breach poses a risk to the rights and freedoms of the individual. Otherwise, the data controller must report the data leak to the data protection authority within 72 hours, providing the following information (Article 33 GDPR):
- the nature of the infringement, the number of persons involved and the categories of persons involved;
- the nature of the leaked personal data (e.g. financial data such as the code of a credit card);
- the likely impact of the infringement (e.g. financial fraud);
- the contact details of the data protection officer (DPO) or another contact person from whom further information can be obtained; and
- the measures which the data controller took to limit, prevent or remedy the infringements (this information can be communicated later).
Secondly, the data controller must also inform the person whose personal data have been leaked, if there is a high risk of the infringement of his/her rights and freedoms. This means that the supervisory authority will have to be informed more often than the data subjects concerned will have to be informed.
The overarching body of the supervisory authorities within the European Union, the " Article 29 Working Party" (WP29), has produced further guidelines for the assessment of this risk (Guidelines on Personal data breach notification under Regulation 2016/679). The assessment of the risk of an infringement depends, among other things, on the sensitivity of the leaked data (e.g. data on health in relation to the age of the person), the context of the data leak (hacking or not) and the possible use of these data.
Transposition of the notification requirement in Belgium
The Belgian legislator is currently further specifying this reporting obligation. The Government has already announced that there will be a central reporting point for data leaks, operating under the control of the Data Protection Authority, to which the data controller will have to report the data breach. This hotline will coordinate the responses to the leak. There will be heavy fines for failure to report when reporting is required. These can be imposed on top of penalties for defective security of personal data.
We note that the European Union's NIS Directive contains an even stricter additional reporting obligation for companies and institutions offering "essential services". These include companies that provide services concerning energy, transport, banking, infrastructure for the financial market, health care, the supply and distribution of drinking water and digital infrastructure. They must immediately report any cyberincident with significant consequences for the continuity of the essential services they provide to the (yet to be established) national computer security incident response teams. This directive must also be implemented by May 2018.
Should you report it to the police?
Breaking into the system, causing damage and stealing, altering or destroying data are all punishable. As a result, hacking is punishable, even if there was no financial motive. This also applies to DDOS attacks for purely political reasons – or just for kicks. The Belgian legislator has formulated cybercrime infringements in broad terms. Thus, almost any disadvantageous action in relation to an IT network is included.
The decision whether or not to report a cyberincident to the police could be in line with a company policy of following up on every criminal offence by lodging a formal complaint. Based on our experience in practice, we would recommend also taking into account the chances of success of such a complaint on the basis of the type of attack, the information available and the origin of the attack, as well as the financial, material or reputational damage.
Moreover, if the infringement constitutes a criminal offence, the inspection service of the Data Protection Authority will also be able to inform the public prosecutor. As a result, the notification obligation may also lead to the opening of a criminal investigation, regardless of the intention of the data controller or the person whose data have been leaked.
Official police statistics show that the number of reported cybercrime offences has risen sharply in recent years. Cybercrime has been a priority for both the police and the judiciary for several years now. However, these figures reflect only a fraction of the estimated volume of cybercrime activities. Moreover, only a small proportion of these declarations actually lead to prosecution. This is due to the fact that, in most cases, insufficient information is available, the attackers have made use of technical means to go unnoticed or cannot be identified, or that they planned and performed their attack from a country which does not cooperate with other states on cybercrime. Filing an official complaint concerning a cyberattack is therefore no guarantee of finding the perpetrators or obtaining compensation for the damage.
Whatever choices you make, in order to keep the option for such complaints and prosecutions open, your company's IT services need to have an emergency procedure in place for collecting as much information as possible about any cyberattack and an action plan to limit the possible damage.