Category: Data Breach

The new Dutch data breach notification obligation: 1.500 notifications in 2016

17. May 2016

From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:

  • Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
  • Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.

According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.

In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:

  • Loss of devices that were not encrypted; or
  • Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
  • Insecure transfer of information, especially related to sensitive data; or
  • The access by unauthorized third parties to data bases and personal data.

This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.

Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.

The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.

 

Category: Data Breach · The Netherlands
Tags: , ,

Serious data breach in HIV clinic in London

11. May 2016

A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.

Category: Data Breach · EU · General
Tags: ,

Spotify denies having suffered a data breach

29. April 2016

During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.

However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.

Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.

Category: Data Breach · General
Tags:
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11
1 9 10 11