BreachExchange mailing list archives

Dutch IT companies rebel against security breach notification law


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 20:42:22 -0600

http://www.zdnet.com/dutch-it-companies-rebel-against-security-breach-notification-law-7000021089/

Nederland ICT, the Netherlands' trade association that represents Dutch IT
companies with over 250,000 staff between them, is not amused by a Dutch
government plan to force tech firms to report security breaches.

Overlap

This summer, Ivo Opstelten, the Dutch justice and security minister, issued
a draft of the statutory reporting of security breaches bill. Nederland ICT
dismissed the proposed legislation as redundant, since Dutch companies are
already obliged to report breaches to a myriad of organisations — including
the country's data protection and telecoms authorities, among others —
leaving firms with a considerable administrative and legal burden.

Nederland ICT says that, if passed, the act would cause a significant
amount of extra admin for Dutch companies: "A telecoms operator, for
instance, that suffers an incident where systems are compromised,
potentially affecting personal data and the continuity of services, is
obliged to report it to no less than four different bodies," the
association said.

The scope of the draft bill is limited to several industries considered
vital to society and, according to the government, aims to clarify the
notification procedures for companies suffering breaches, rather than
bringing in another layer of government supervision on the subject.

Better safe than sorry

Although the draft bill is meant to stipulate that only severe incidents
have to be reported, Nederland ICT expects that in reality, companies will
start reporting all incidents if the act takes effect.

"There will be a significant change in that every regulator will
request additional information from companies. Companies, in turn, will not
be willing to take any risks and will feel the need to report every single
incident under the motto 'better safe than sorry'."

Moreover, according to Nederland ICT: "Europe is working on legislation
with a similar scope. Therefore, the trade association is trying to
convince the Dutch government to simply join the European initiative, and
to refrain from instating a national reporting obligation."

The European Commission's proposed directive on network and information
security, which includes a similar obligation to report security breaches,
was announced earlier this year. In order to create a level playing field
for companies throughout Europe, Nederland ICT has asked the ministry of
safety and justice to wait for this directive to come into force. However,
it has yet to receive an official response.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 