On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport).
The proposed law would require notification in the event of a breach of security or loss of integrity of electronic information systems that are of vital importance to Dutch society (ICT Breaches). Stakeholders have been invited to comment on the Data Processing and Notification Obligation Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) before March 6, 2015. The bill introduces an obligation to notify the Minister of Security and Justice in the event of an ICT Breach. Notifications would need to be submitted to the Dutch National Cyber Security Centre (Nationaal Cyber Security Centrum, the NCSC), a specialized department within the Ministry of Security and Justice.
At the end of 2011, in the wake of the DigiNotar security incident, a motion was submitted requesting the government to introduce a statutory duty for organizations to provide notice in the event of a security breach. Subsequently, in 2013, the Minister of Security and Justice published, and sought comments on, the first legislative proposal that introduced a duty to notify of security breaches and losses of integrity of electronic information systems: the Electronic Information System Breach Notification Act (Wet melding inbreuken elektronische informatiesystemen). The current proposal revises that original legislative proposal and supplements it by including the rules regulating the processing of personal data by the NCSC. It must be emphasized that, following the internet consultation, the bill is also subject to the approval of the Parliament and Senate.
The goal of introducing an obligation to provide notice of ICT Breaches to the NCSC is twofold. First, notification provides the opportunity to assess, in a timely manner, the impact and the potential social disruption of a security breach or loss of integrity of electronic information systems that are vitally important to Dutch society. Second, notification enables the NCSC to provide assistance and advice to the affected organization, and to anticipate the wider possible effects of the breach (for example, by advising other providers of vital services and products that may be affected by a similar breach). In its role as an advisor, the NCSC will be able to rely on a network of public and private computer crisis teams, so-called Computer Emergency Response Teams (CERTs). These CERTs have in-depth knowledge of best practices for dealing with ICT breaches.
Who will be subject to the notification obligation?
The obligation to notify the NCSC will apply to providers offering products or services the availability and reliability of which is of vital importance to Dutch society (Vital Providers). These Vital Providers will be designated by a governmental decree, and they will include, at a minimum, utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport). However, this does not necessarily mean that all Vital Providers active in these sectors will be subject to the notification obligation. The law also would apply to designated Vital Providers located outside of the Netherlands that offer products or services that are vitally important to the Dutch society.
When should an incident notification be made?
The notification obligation only applies in case of an actual breach of the security or integrity of electronic information systems that are of vital importance to Dutch society. An example of an actual breach of security would be an unauthorized person (intentionally) gaining access to the computer system or network of a Vital Provider. If an unauthorized third party has been able to add, delete or modify information which plays an important role in a vital service or product, such action would qualify as a loss of integrity.
Furthermore, Vital Providers are not required to provide notice of every breach. Only those breaches that (could) result in a situation where the reliability or availability of the vital service or product will or may be seriously disrupted would trigger notification obligations. Disruptions that only (temporarily) affect the availability of a system without breaching the security or integrity of the electronic information system, for example disruptions following a DDoS attack, will not trigger notice obligations.
What information should an incident notice include?
A notification would, at a minimum, include the following details:
- the nature and extent of the security breach or loss of integrity of an electronic information system;
- if known, the time of commencement of the security breach or integrity loss;
- possible consequences of the breach or loss;
- expected remedy time;
- if possible, measures already taken or to be taken in order to limit the consequences of, or prevent a repetition of, the breach or loss; and
- contact details of the Netherlands-based officer who is responsible for issuing the notification.
The explanatory notes to the bill emphasize that an initial notification may be limited, the reason for this being that it is better to supplement a notification at a later stage than to wait for the ICT Breach to cause (even more) social disruption. It is also noteworthy that the bill appears to require Vital Providers located outside of the Netherlands to have a Netherlands-based officer for issuing notifications.
Relation to the EU Directive on Network and Information Security
The proposed bill is a precursor to the Cybersecurity Directive, which the European Commission proposed in 2013.
This directive is a key component of the overall strategy to ensure a high common level of network and information security (NIS) across the EU. Among other things, the Cybersecurity Directive will require EU Member States to put in place a minimum level of national capabilities by establishing national competent authorities for network and information security, by setting up well-functioning CERTs, and by adopting national NIS strategies and national NIS cooperation plans. Operators of critical infrastructure, key Internet providers and government organizations will be required to assess potential risks and to adopt appropriate measures to ensure a high level of network and information security.
Given that the final text of the Cybersecurity Directive is not yet available, the proposed Dutch bill may need to be supplemented or amended in certain aspects when the Cybersecurity Directive is finalized. At the same time, due to the rapidly increasing dependence on electronic information systems, by proposing the introduction of this bill, the Dutch government makes it clear that it does not wish to wait for European legislation to be adopted.
At this stage, the NCSC will not have enforcement authority. The proposed notification requirements are deemed part of the current practice of voluntary exchange of information on cybersecurity issues between the public and private sectors. But enforcement is likely to be introduced in connection with the Cybersecurity Directive. The Cybersecurity Directive provides that EU Member States must implement rules on sanctions in case of an infringement of the national provisions that are adopted pursuant to the directive. As a result, should the Cybersecurity Directive be adopted in its current form, the Dutch legislator would need to amend the proposed legislation with an enforcement function to comply with EU law.
Given the inevitability of cybersecurity legislation, in some form, companies that can be considered to be Vital Providers should revise their cybersecurity practices and seek to address the bill’s requirements in their policies and procedures.