1. First things first: The Cyber Emergency Response Team (“CERT”)
The first step in dealing with a cybersecurity incident is to contact the Belgian Cyber Emergency Response Team. This team can take action swiftly when a cyberattack occurs. They will try to mitigate the harm and also try to quickly restore your ability to provide services. Contacting CERT is therefore the first thing to do.
CERT does not only help in responding to cybersecurity incidents (responsive services), but also assists in preventing them (proactive services). Their responsive services provide an answer if you are faced with a cyberthreat or cyberattack. As such, they assist in dealing with the incident and your vulnerability management. On the other hand, their proactive services optimize your infrastructure and security processes before an incident is detected or occurs. Detecting, identifying, and analyzing security problems are examples of their proactive services.
You can contact CERT by e-mail (email@example.com) during office hours (9:30 am to 4:30 pm). You can also report an incident by filling in this form. CERT will handle your incident expeditiously depending on the severity of the incident—which is assessed case by case. Some businesses and organizations that provide essential services and critical infrastructure can even reach the national CERT immediately by phone 24/7.
2. The police is your friend
Regardless of whether you decide to contact CERT or not, it is recommended that you report the incident to the police in your vicinity as soon as possible if your business or organization is affected by cybercrime. The police will launch an investigation and try to track down the hackers. In addition, you can give the “proces-verbaal” (official police report) number to your bank or insurance company, or both.
3. A data breach in the sense of the General Data Protection Regulation (GDPR)
Doing business while complying with the strict EU privacy and data protection regulatory framework takes effort. The General Data Protection Regulation (better known as the “GDPR”) imposes several obligations in the event of data breaches. In this section, we aim to guide your business or organization in complying with those obligations in the event that a data breach occurs.
- What is a data breach?
A (personal) data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
In short, there are 3 types of data breaches, namely incidents in which personal data have been breached intentionally or by accident in the following ways:
1) made public or made accessible (breach of confidentiality);
2) are not accessible or have been deleted (breach of availability);
3) have been changed (breach of integrity).
Data breaches are therefore not just incidents in which persons who act intentionally or in bad faith (e.g., hackers) try to take control over personal data or block access to them. Even minor breaches are qualified as (personal) data breaches in the sense of the GDPR. Moreover, it can involve physical, portable devices as well as files stored in a network.
In the following sections, we explain more about how to deal with a data breach.
- How should you deal with data breaches?
The importance of awareness: vigilance is required at all times to prevent data breaches. As a business or organization, you must store and protect personal data securely taking into account the sensitivity of the (personal) data and the nature of your business or organization. That may be done by taking appropriate technical and organizational measures. For example, firewalls, locked archives and servers with limited and authorized access, secure clouds, etc. Besides that obligation, it is important that employees at your company or organization follow and enforce pre-set guidelines. These include, for example, a password policy, locking offices and certain areas, an internet policy, etc.
Every company and organization must also keep a register in which every data breach is logged. That register must also contain all relevant additional details about the data breach. For example, a description of the breach and the time it occurred, how much and what types of personal data have been breached, what must be done with the personal data, what are the possible consequences, what mitigating and preventive measures were taken, whether the obligation to report it was fulfilled, and if not, the reason for not doing so, etc.
Your company or organization must also have a data breach reporting procedure in place. Moreover, we advise that you draw up and implement a ‘data breach policy’. This can serve as a roadmap should a data breach occur and can guide you whenever you need. It also enables you, as a company or organization, to assign specific tasks to staff members in the event of a data breach or cyberattack. Needless to say, your staff should be aware of such a data breach policy, and everyone should commit themselves to following this policy.
- How should you respond to a data breach?
1) Identifying a data breach: As explained above, a data breach occurs as soon as personal data are at risk of being disclosed in an unauthorized way, being lost, destroyed, or changed. To qualify as a data breach, it is not necessary that the personal data is actually used by a third party. The fact that there has been unauthorized access to personal data suffices. Therefore, there is a data breach if a computer containing personal data has been hacked – irrespective of whether those data have been copied or damaged. Furthermore, malicious intent is not a condition for there to be a data breach. Losing a USB stick or sending an email to a wrong email address by accident constitutes as a data breach as well.
2) Reporting an identified data breach: If there is a data breach that puts the rights and freedoms of the data subjects at risk, you, as the company or organization involved, must report the data breach within 72 hours to the Data Protection Authority and possibly even to the data subjects. Assessing the risk of a data breach is therefore also an important exercise for your company or organization, for which the necessary expertise is required. We can certainly assist you with that assessment.
4. The commercial relationship between parties
Your business or organization could also have contractual obligations towards your contractual counterparty in the event of cybercrime. For example, confidentiality obligations may have been breached. The contents of your contracts must therefore be analyzed thoroughly. In the context of a cyberattack or data breach, it is important to examine the confidentiality clauses, liability clauses, etc. In a data breach, confidential information can get lost and/or become disclosed. You should also examine whether you have concluded an existing data processing agreement and what your company’s or organization’s obligations are in the event of cybercrime.
Furthermore, parties usually include a clause that permits one of the parties to terminate their collaboration immediately if a data breach occurs (whether or not to a certain degree of severity). In addition, the party that terminates the contract usually reserves the right to seek damages and compensation for costs of repair and maintenance and other types of costs.
5. Technical measures to ensure continuity
Businesses and organizations are often crippled because their data have been encrypted by hackers or other technologies. That can sometimes lead to a long-lasting halt to production or the business activities in general. Every business and organization should therefore conduct risk assessments to understand what consequences a cybertheft or ransomware, for example, could entail.
You can then try to protect yourself from prolonged halt of activities by having a resilient and secure back-up system that enables you to retrieve all data and software configuration in the shortest time possible. That is costly, of course, but you can consider it as an insurance policy.
As a company or organization—regardless of your size or industry—you must equip yourself with the tools to secure your business or organization from cyberattacks and data breaches. Cybercrime comes in all forms and scenarios. Vigilance and taking preventive, qualitative and appropriate technical and organization measures are therefore highly recommended. The points of attention described above should certainly be considered if your company or organization is a victim of cybercrime.
If you have questions about data breaches, cybercrime, or other questions concerning privacy and data protection, reach out to the Monard Law privacy and data protection team. We remain available to assist you.