Netherlands Encryption: Dutch Government Proposes Stricter Data Breach Notification Law.

It looks like the Netherlands will get a greater impetus for the use of encryption software sooner rather than later.  According to many sources, the Netherlands’ parliament has in front of it a proposal for reporting data breaches to the Dutch Data Protection Authority (DPA or CBP, College Bescherming Persoonsgegevens).  Failure to comply with the proposed legislation could mean a monetary penalty of up to EUR 450,000.

DPA Overseeing Breaches

The newly proposed law, if it passes, would give oversight of data breach notifications to the DPA.  Currently the ACM (Authority for Consumers and Markets; the Netherlands’ consumer and competition regulator, akin to the US’s FTC) is the body in charge of breach notifications.

Furthermore, the new legislation proposes a change in who needs to report data breaches.  Under the new law all organizations, both public and private, will have to report a data breach to the overseeing authority.  In addition, according to twobirds.com, for breaches,

that may have a negative impact on the data-subjects’ privacy, [organizations] will have to [notify] these data subjects as well

The site goes on to note that,

This implies that the data subjects will not have to be notified if the controller has encrypted the data in an appropriate manner, i.e. in such way that non-authorised persons will not be able to access the data.

Note how it reads “encrypted the data in an appropriate manner.”  The implication is that you can’t just use any encryption and expect to be exempt from notifying data subjects.  Failure to follow the law subjects organizations to a maximum penalty of 450,000 euros.

Examples of the types of data breaches that might be subject to the law are given, per the site twobirds.com, and the DPA promises to issue guidelines.

What Kind of Encryption?

So, if it cannot be just any kind of encryption, what kind of encryption would satisfy the condition of “encrypted in an appropriate manner”?  Obviously, it will depend on the situation.  If you are sending something over the wire (data in motion), the required encryption will differ from the disk encryption used for data at rest.

For the latter, at least, people should be looking for a minimum encryption strength of AES-128.  Not only is it the algorithm approved (in the US) for protecting classified government information, it has been studied, and continues to be studied, by many researchers for backdoors and weaknesses.  The consensus is that the algorithm is extremely secure and will remain so for years to come.

In addition to the above, it is worth using encryption that has been FIPS 140-2 validated.  Although FIPS is an American standard meant for non-military federal government data, it must be recognized that sensitive personal data is the same regardless of which country one happens to be in.  As long as you’re looking to protect everyday yet sensitive data, one couldn’t do much better than FIPS
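To make the “appropriate manner” condition concrete for data at rest, here is an added example (not code from the original post or from any of the sites it cites) in Go, using only the standard library: one personal-data record is encrypted with AES-128 in GCM mode, the key is kept apart from the stored blob, and anyone holding the blob without the key can neither read nor silently alter it.  The record contents and the demo key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps AES in GCM; aes.NewCipher accepts only 16/24/32-byte keys, so AES-128 is the weakest option possible.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record for storage as nonce||ciphertext||tag; the key is never stored beside the blob.
func SealRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// OpenRecord decrypts a stored blob; it fails closed on a wrong key or any modification, because GCM authenticates the ciphertext.
func OpenRecord(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 16) // constructed demo key; real keys belong in a KMS/HSM, apart from the data
	rand.Read(key)
	blob, _ := SealRecord(key, []byte("name=J. Jansen;bsn=<constructed>"))
	_, err := OpenRecord(make([]byte, 16), blob) // a party holding the blob but not the key
	fmt.Println("stored bytes:", len(blob), "read without key:", err)
}
```

Note that code alone cannot demonstrate FIPS 140-2 validation; that is a property of the specific cryptographic module and build you deploy, so check the module’s validation certificate separately.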

Related Articles and Sites:
http://www.twobirds.com/English/News/Articles/Pages/netherlands_legislative_proposal_general_breach_notification.Aspx
http://www.telecompaper.com/news/dutch-govt-proposes-data-breach-notification-requirements–952140
