Communication after a data breach: Lessons from the Dutch DPA

The Dutch DPA has emphasised the importance of communication after a data breach, after a 2023 study revealed that many organisations failed to inform victims in a timely manner.

In an age where personal data is often at risk from cyberattacks and other breaches, individuals affected by a data breach can feel left in the dark. According to this report from the Dutch Data Protection Authority (AP), organisations frequently fail to provide adequate information, leaving victims unaware of how their data has been compromised and what steps they can take to protect themselves. A recent AP study has highlighted these shortcomings, stressing the need for improved communication and action by organisations when such incidents occur. In the Netherlands, organisations are legally required to promptly inform individuals when a severe data breach occurs. This includes situations such as cyberattacks compromising customer databases or the unintended exposure of patient information from hospitals.

Data breaches leave victims exposed to further attacks without proper communication from organisations.

When a data breach occurs, victims expect to be informed promptly and clearly. Unfortunately, this is not always the case. As highlighted by the AP, many organisations provide insufficient information to those affected, failing to fully explain what has happened and what the potential consequences might be. This lack of clarity can leave victims vulnerable to further attacks, such as online fraud or identity theft, as they are unaware of how to safeguard themselves.

Aleid Wolfsen, the chairman of the AP, emphasises the significance of swift and informative communication. “A quick, informative warning message helps you arm yourself,” Wolfsen notes. He stresses that victims need to know what data has been stolen, when the breach occurred, and what steps they can take to mitigate the risk. With cybercriminals becoming increasingly sophisticated and aggressive, organisations must take greater responsibility in helping individuals protect their personal information.

The AP's study of major data breaches in 2023 revealed that victims were notified late, emphasising the need for better communication from organisations.

To highlight the urgency of this issue, the AP conducted an in-depth study of more than 50 of the largest data breaches that occurred in 2023. These incidents affected around 10 million people, most of whom were victims of cyberattacks. The study examined not only the nature of these breaches but also the responses from the organisations involved.

The results were alarming. On average, organisations took more than three weeks to inform victims of a data breach, far too long in an age where stolen data can be exploited by criminals within days. Furthermore, almost half of the warning messages were vague or unclear about what had happened, and more than half were written in overly technical or inaccessible language. Some emails lacked an urgent or attention-grabbing title, meaning recipients might overlook them entirely.

While breach notifications are often delayed by drafting, approvals, and investigations, the AP recommends prioritising speed and transparency: inform victims quickly, then provide updates later in follow-up messages.

Through an anonymous survey, organisations cited several reasons for these delays and poor communication. Many admitted that drafting clear, jargon-free warning messages was challenging. Approval processes involving multiple departments also contributed to delays, as messages had to pass through several layers of bureaucracy before being sent. Additionally, some organisations preferred to wait until investigations into the breach were complete before issuing a statement, fearing that releasing incomplete information too quickly could lead to confusion.

While these concerns are understandable, the AP advises that organisations should prioritise speed and transparency. Even if not all the details are available, victims should be informed of the breach as soon as possible so they can take proactive steps to protect themselves. Organisations can always follow up with additional messages as more information becomes available.

The AP has provided recommendations and sample texts for notification messages to assist organisations.

To assist organisations in crafting more effective warning messages, the AP has provided detailed recommendations and even sample texts. These guidelines emphasise the importance of clear, concise communication and ensure that victims are fully informed of the risks they face. The AP’s eight key recommendations for writing good warning messages are as follows:

1. Communicate with victims as soon as possible: Speed is critical. Victims should be notified without unnecessary delay so they can take immediate action to protect themselves.

2. Write a simple and clear text: Avoid jargon and complex language. Use short sentences, subheadings, and lists to make the information easy to digest. The message should be immediately clear to anyone who reads it.

3. Describe clearly and completely what happened: Provide a clear explanation of the breach. If certain details are still unclear, let victims know when more information will be available.

4. Clearly indicate which data has been leaked: Be specific about the type of data that was compromised. Avoid vague terms like “for example” or “such as,” which can confuse recipients.

5. State the likely consequences for victims: Explain the potential risks, such as phishing or identity theft. Victims should know what dangers they face and how their personal information might be exploited.

6. Provide specific advice to victims where possible: Offer clear, actionable advice on what victims can do to protect themselves. For instance, if passwords have been leaked, instruct victims to change their passwords on all relevant platforms.

7. Describe what measures your organisation is taking: Let victims know what steps your organisation is taking to address the breach and prevent future incidents. This helps build trust and reassures victims that the situation is being handled.

8. Name a point of contact where victims can go with questions: Victims may have additional questions or concerns. Provide a contact person or department where they can seek further information.

By implementing the AP's recommendations when faced with a data breach, companies can fulfil their legal obligations and demonstrate their commitment to protecting customer privacy and security.

Following these recommendations ensures that victims are well-informed and can take immediate action to protect themselves from further harm. While data breaches are inevitable, poor communication from organisations doesn’t have to be. By implementing the AP’s recommendations, companies can not only fulfil their legal obligations but also demonstrate their commitment to protecting the privacy and security of their customers. Data breaches can cause significant harm, both financially and emotionally, to those affected. The onus is on organisations to mitigate that harm by communicating swiftly and clearly with their customers. Timely and effective communication can make all the difference in protecting individuals from the worst consequences of a breach.
