Dutch IT companies rebel against security breach notification law
Nederland ICT, the Netherlands' trade association that represents Dutch IT companies with over 250,000 staff between them, is not amused by a Dutch government plan to force tech firms to report security breaches.
Overlap
This summer, Ivo Opstelten, the Dutch justice and security minister, issued a draft of the statutory reporting of security breaches bill. Nederland ICT dismissed the proposed legislation as redundant, since Dutch companies are already obliged to report breaches to a myriad of organisations — including the country's data protection and telecoms authorities, among others — leaving firms with a considerable administrative and legal burden.
Nederland ICT says that, if passed, the act would cause a significant amount of extra admin for Dutch companies: "A telecoms operator, for instance, that suffers an incident where systems are compromised, potentially affecting personal data and the continuity of services, is obliged to report it to no less than four different bodies," the association said.
The scope of the draft bill is limited to several industries considered vital to society and, according to the government, aims to clarify the notification procedures for companies suffering breaches, rather than bringing in another layer of government supervision on the subject.
Better safe than sorry
Although the draft bill is meant to stipulate that only severe incidents have to be reported, Nederland ICT expects that in reality, companies will start reporting all incidents if the act takes effect.
"There will be a significant change in that that every regulator will request additional information from companies. Companies, in turn, will not be willing to take any risks and will feel the need to report every single incident under the motto 'better safe than sorry'."
Moreover, according to Nederland ICT: "Europe is working on legislation with a similar scope. Therefore, the trade association is trying to convince the Dutch government to simply join the European initiative, and to refrain from instating a national reporting obligation."
The European Commission's proposed directive on network and information security, which includes a similar obligation to report security breaches, was announced earlier this year. In order to create a level playing field for companies throughout Europe, Nederland ICT has asked (PDF) the ministry of safety and justice to wait for this directive to come into force. However, has yet to receive an official response.