Organisations provide insufficient information to victims of data breaches, Dutch DPA gives advice


People who have become the victim of a data breach often receive insufficient information from the organisation that had the data breach. As a result, victims are insufficiently aware of the risk of abuse of their personal data. And they do not know exactly what they can do themselves to reduce the risks of online swindling, for example. This is the warning given by the Dutch Data Protection Authority (Dutch DPA) on the basis of an investigation into the largest data breaches of 2023. To help organisations get started, the Dutch DPA provides example texts.

In the Netherlands, organisations are obliged to warn people as soon as a serious data breach has occurred, for example after a cyber attack on a database filled with customer data, or in the unfortunate event that patient data from a hospital become public.

‘A swift, informative warning message helps you arm yourself’, Dutch DPA chairman Aleid Wolfsen explains. ‘Which data of yours have been stolen? When? What can you do about it, if anything? Data criminals are getting ever more daring in their swindling and extortion of people. This makes warning messages after data breaches increasingly important.’

Results of the Dutch DPA's investigation

For its investigation, the Dutch DPA listed more than 50 of the largest data breaches of 2023. Data of around 10 million people were affected by these breaches, which were mainly caused by cyber attacks.

Next, the Dutch DPA took a closer look at the warning messages that the organisations involved sent to the victims. The most important conclusions are:

  • Organisations are often far too slow at sending warning messages. On average, they send them only more than three weeks after discovering a data breach, while speed is of the essence.
  • Nearly half of the messages do not say clearly what has happened and which data have been leaked. The language used in more than half of all messages was not clear enough.
  • In addition, warning emails sometimes lack an alarming title or introduction, with the result that the recipient may not read the message at all.

What organisations say about this themselves

Organisations said, through a supplementary (anonymised) survey, that:

  • They often have difficulty avoiding jargon in their warning messages.
  • Delays in sending warning messages are caused by, among other things, lengthy procedures with many different colleagues who all have to approve the message.
  • They sometimes want to await an investigation into the data breach before informing people, in an effort to avoid informing them quickly but incompletely. The Dutch DPA advises sending a quick message with the information that is available, since the organisation can always send an additional message at a later time.

Dutch DPA provides example texts

To help organisations get started, the Dutch DPA provides concrete points for attention and example texts for warning messages. Organisations nevertheless remain responsible for their own warning messages.
