How to prevent a data breach

A telecom provider, an airline, a market research company: all have been in the news after a data breach. What do you do if your company has leaked customer data? And how do you prevent such a data breach?

What is a data breach?

In a data breach, personal data falls into the hands of people who should not have access to it. Think of names, addresses, and phone numbers. A data leak occurs because of a security problem or because someone acts carelessly: an employee leaves a flash drive with customer data on the train, or personal data is stored unprotected on a server.

Dangers

In the event of a data breach, your company may suffer reputational damage. Nobody likes to tell customers or suppliers that their personal data is on the street. The consequences are also potentially serious for the victims. Criminals misuse their leaked personal data for phishing and identity fraud (in Dutch), for example.

Data leaks are common in large and small companies alike. Serious data leaks must be reported to the Personal Data Authority (AP) within 72 hours of discovering them, otherwise you may be fined.

Severity of data breaches increasing

In 2023, the Personal Data Authority (AP) received more than 25,000 reports of a data breach, an increase compared to 2022, when there were over 21,000. The AP also sees that the severity of data breaches is increasing. In serious data breaches, the risks and consequences are high. Criminals can, for example, misuse leaked medical data to make false insurance claims.

Discover the leak

A data leak can happen very quickly, because a mistake is easy to make, and it certainly does not only happen to big companies. If you lose your laptop or accidentally email sensitive information to the wrong person, you already have a data leak.

A data leak caused by a security problem is often only discovered during checks, by which time data may have been leaking for a long time. So pay attention to the following:

  • Regularly check the logs of your IT systems. Has data changed or disappeared unexpectedly? Are there suspicious login attempts on accounts, such as many failed logins in a row or logins at unusual times or from unfamiliar locations? With a central log of your systems, you know who was in your network, when, and what they did there. Logging software that collects these records in one place is commercially available.
  • Be alert to customers, suppliers and other business contacts complaining about phishing or other scam attempts.
  • Check notifications from your antivirus software or firewall. Is there any suspicious network traffic? Is suspicious software active?
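As an added illustration of the log checks listed above (example code written for this page, not a tool from the page or any vendor product), the script below parses a handful of constructed login log lines and flags three patterns worth a closer look: a burst of failed logins, a success that immediately follows such a burst, and a successful login from an IP address not previously seen for that user or outside working hours. The `user=... ip=... result=...` line format, the working-hours window, and the table of known IP addresses are assumptions made for the example; adapt the regular expression to the format your own systems write.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The key=value
# format is an assumption for this example; real systems differ.
SAMPLE_LOG = """\
2024-03-04T08:15:02Z auth user=alice ip=10.0.0.5 result=OK
2024-03-04T08:16:40Z auth user=bob ip=10.0.0.7 result=OK
2024-03-04T23:02:01Z auth user=alice ip=203.0.113.9 result=FAIL
2024-03-04T23:02:05Z auth user=alice ip=203.0.113.9 result=FAIL
2024-03-04T23:02:09Z auth user=alice ip=203.0.113.9 result=FAIL
2024-03-04T23:02:13Z auth user=alice ip=203.0.113.9 result=FAIL
2024-03-04T23:02:18Z auth user=alice ip=203.0.113.9 result=FAIL
2024-03-04T23:02:25Z auth user=alice ip=203.0.113.9 result=OK
2024-03-05T09:01:11Z auth user=bob ip=10.0.0.7 result=OK
"""

# Assumed: the IP addresses each user normally logs in from (hypothetical).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.7"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw lines into (timestamp, user, ip, success) tuples, oldest first.
    Malformed lines are skipped rather than crashing the check."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (ip, user) pairs with at least `threshold` failed logins
    inside a sliding time window: a password-guessing pattern."""
    recent = defaultdict(deque)
    hits = set()
    for ts, user, ip, ok in events:
        if ok:
            continue
        q = recent[(ip, user)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.add((ip, user))
    return sorted(hits)


def detect_success_after_failures(events, min_failures=3):
    """A successful login right after a run of failures from the same IP
    suggests guessing that eventually worked. Returns (ts, user, ip, n_failures)."""
    streak = defaultdict(int)
    hits = []
    for ts, user, ip, ok in events:
        key = (ip, user)
        if ok:
            if streak[key] >= min_failures:
                hits.append((ts, user, ip, streak[key]))
            streak[key] = 0
        else:
            streak[key] += 1
    return hits


def detect_unusual_logins(events, known_ips, work_hours=(7, 19)):
    """Successful logins from an IP never seen for that user, or outside
    the assumed working hours (start inclusive, end exclusive)."""
    hits = []
    for ts, user, ip, ok in events:
        if not ok:
            continue
        reasons = []
        if ip not in known_ips.get(user, set()):
            reasons.append("new ip")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("off hours")
        if reasons:
            hits.append((ts, user, ip, reasons))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(evs))
    print("success after failures:", detect_success_after_failures(evs))
    print("unusual logins:", detect_unusual_logins(evs, KNOWN_IPS))
```

On the constructed sample, all three checks point at the same event: five failed attempts on alice's account from 203.0.113.9 at 23:02, followed by a success from an address she has never used before, outside working hours. That is exactly the kind of entry a periodic log review should surface, and a reason to ask whether alice really logged in or whether her credentials have leaked.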

Are you not sure? Speak to your IT administrator or ask a cybersecurity specialist for advice.

Protect personal data

With a few measures, you can prevent your own and your customers' personal data from falling into the wrong hands. For example, take the following actions:

  1. Discuss regularly with colleagues – say, once a year – how data is processed in your company. Send your data securely.
  2. Make sure you are well-versed in the GDPR, which covers the handling of personal data.
  3. Do not give passwords, customer data, or access to your systems to third parties, such as self-employed professionals you hire or suppliers.
  4. Will a third party be processing personal data for your company? Then make sure you have a data-processing agreement (in Dutch). Are you self-employed? Then check for each new assignment whether you will be working with your client's personal data. If so, you must enter into a non-disclosure agreement with them.
  5. Tell customers what data you are collecting and for what purpose. And give them the opportunity to opt out or to stop their data from being collected.
  6. Invest in good IT security for your laptops, computers, phones, and other mobile devices. For example, use strong passwords and two-factor authentication. Also discuss your security once a year with a cybersecurity expert.

What to do in case of a data breach

Take the following steps if you have a data breach:

  1. Check whether any personal data is involved. Personal data is any data that can be traced back to a person: name, address, and place of residence, but also phone numbers and e-mail addresses.
  2. Stop the data breach if it is still ongoing. For example, remotely wipe a lost smartphone, or reset passwords and block accounts whose credentials have been exposed. Is fixing the data breach complicated? Then engage a cybersecurity or digital forensics expert.
  3. Assess the risk of the data breach. The more sensitive the personal data, the higher the risk. Check the list of examples from the Personal Data Authority, AP (PDF, in Dutch).
  4. Report the data breach to the AP within 72 hours of discovering it. This applies to data breaches that pose a risk to the rights and freedoms of the victims. If you fail to report it, the AP may impose a fine on you.
  5. Inform the victims whose data you leaked. This applies to data leaks that are likely to have serious consequences for them, such as identity fraud, discrimination, or reputation damage.
  6. In all cases, register the data breach in your mandatory data breach register (in Dutch).

Has your data been leaked?

Have you yourself been notified of a data breach at another company, for example a supplier? Then take the following steps:

  1. Read the message from the company that reported the data leak carefully. Exactly which data has been leaked? You will only receive such a message for high-risk leaks.
  2. Immediately change your password if it is among the leaked data, and do the same for every other account where you used that password. Use a strong, unique password for each account and enable two-factor authentication where it is offered.
  3. Block credit cards whose details appear in the leaked data.
  4. Be extra vigilant for attempted scams. Chances are that cybercriminals will use your leaked data for phishing and identity fraud.
  5. Check regularly at haveibeenpwned.com or scatteredsecrets.com whether your e-mail address appears in known data leaks, including lower-risk leaks for which you would not be notified.