A recent press release from the Dutch DPA (Autoriteit Persoonsgegevens) emphasizes that Dutch organizations need to do better in providing breach victims with the timely information they need to protect themselves. If the Dutch DPA thinks warnings or alerts sent to victims more than three weeks after a breach are “way too slow,” The Data Breach Times wonders what they would say about the situation in the U.S. The DPA’s September 5 press release follows:
People who have become the victim of a data breach often receive insufficient information from the organisation that had the data breach. As a result, victims are insufficiently aware of the risk of abuse of their personal data. And they do not know exactly what they can do themselves to reduce the risks of online swindling, for example. This is the warning given by the Dutch Data Protection Authority (Dutch DPA) on the basis of an investigation into the largest data breaches of 2023. To help organisations get started, the Dutch DPA provides example texts.
In the Netherlands, organisations are obliged to warn people as soon as a serious data breach has occurred, such as after a cyber attack on a database filled with customer data or in the unhoped-for event that patient data from a hospital become public knowledge.
‘A swift, informative warning message helps you arm yourself’, Dutch DPA chairman Aleid Wolfsen explains. ‘Which data of yours have been stolen? When? What can you do about it, if anything? Data criminals are getting ever more daring in their swindling and extortion of people. This makes warning messages after data breaches increasingly important.’
Results of the Dutch DPA’s investigation
For its investigation, the Dutch DPA listed more than 50 of the largest data breaches of 2023. Data of around 10 million people were affected by these breaches, which were mainly caused by cyber attacks.
Next, the Dutch DPA took a closer look at the warning messages that the organisations involved sent to the victims. The most important conclusions are:
- Organisations are often way too slow at sending warning messages. On average, they only send them more than three weeks after they discovered a data breach – while speed is of the essence.
- Nearly half of the messages do not say clearly what has happened and which data have been leaked. The language used in more than half of all messages was not clear enough.
- In addition, warning emails sometimes lack an alarming title or introduction, which results in the risk that the recipient does not even read the message at all.
What organisations say about this themselves
Organisations said, through a supplementary (anonymised) survey, that:
- They often have difficulty avoiding jargon in their warning messages.
- Delays in sending warning messages are caused by, among other things, lengthy procedures with many different colleagues who all have to approve the message.
- They sometimes want to await an investigation into the data breach before informing people, in an effort to prevent them from being informed quickly but incompletely. The Dutch DPA advises sending a quick message with the information that is available, since the organisation can always send an additional message at a later time.
Dutch DPA provides example texts
To help organisations get started, the Dutch DPA provides concrete points for attention and example texts for warning messages. Organisations still remain responsible for their own warning messages.
The Data Breach Times notes that in the U.S., there is little legal requirement for the kind of quick notification to breach victims that the Dutch DPA stresses, and even less enforcement for those entities that do not comply where there are deadlines set by statute or regulations.