IT Duties of Care - more topical than ever
On Thursday June 28th, CIO Platform Nederland and VNO-NCW organised a session about the IT Duties of Care for the second time. In 2018, the most pressing examples were clearly related to the AVG (GDPR) implementation.
With broad representation from both constituencies, we discussed the Guide to Duties of Care published by the Cyber Security Council (CSR) in April 2017. It covers duties regarding personal data, duties as a user of IT, and duties as a provider of IT products and services.
Nicole Mallens from VNO-NCW welcomed the participants and emphasised that today's theme is more topical than ever and must receive continuous attention in the current digital revolution. Business continuity will come under pressure if digital security is lacking!
Ensuring joint security of personal data
Pieter Wolters, university lecturer in civil law and researcher at the Research Centre for Company & Law of Radboud University Nijmegen, focused mainly on the legal basis of the IT Duties of Care, including in the GDPR and in the Civil Code. As the author of the contribution "IT Duties of Care", he gave examples of processing personal data with IT, of using IT, and of products with an IT component, all of which our organisations deal with every day. Since 2018, he looks beyond the boundaries of an organisation's own security measures to the whole chain. Not only is there a practical necessity to make agreements with suppliers and customers about (cyber) security; there is also a legal obligation to ensure the security of personal data jointly.
We discussed the still limited case law and articles 26 and 28 of the GDPR, on which he gave practical advice: "Make clear agreements on which you can fall back. Don't wait for a concrete interpretation of those obligations on the basis of law or jurisprudence, because by the time it is there, it will probably be outdated again. And the lack of that concrete interpretation does not absolve you from your responsibility to take appropriate action."
Data Pro Code
Sylvia Huydecoper, senior jurist at Nederland ICT, gave a practical interpretation of the academic considerations of the previous speaker. Sylvia talked about various initiatives that Nederland ICT develops for a safer society and for its members. About 70% of their constituency (mkb, i.e. SMEs) are primarily (co-)responsible processors of personal data on behalf of their customers. The practical assistance from Nederland ICT has led to a neutral template for data processing agreements. The main point is that such an agreement does not have to be drafted one-sidedly to the benefit of the supplier; it should be a joint document that reflects the shared responsibility. A processing agreement should also be seen as a supplement to the sales conditions already included in the main contract.
With their Data Pro Code, Nederland ICT 'forces' their members to become transparent and to think about the content and nature of their services, including security, and to explain this to their customers. In other words, to make concrete what is otherwise hidden behind the vague phrase "appropriate technical and organisational measures"! The goal is for this code to lead to a certification, which also gives customers more certainty about the vendor's AVG (GDPR) compliance. The proposal now lies with the Dutch data protection authority for review and is being tested in practice.
More attention for OT Security
The third contribution of the afternoon came from Johan De Wit, Solution Manager Enterprise Security at Siemens Building Technologies and external PhD candidate at TU Delft. Johan started his presentation by alerting everyone to the shifting boundaries of computer criminals in 2018. Their impact on the physical world is growing. The goal is no longer only the disruption of administrative office systems or financial gain through extortion, but also the deliberate destruction of systems. In addition, cyber security is an issue that is relevant to OT as well as IT. Unfortunately, OT is a different world from IT. Where the IT world is aware that software almost always has vulnerabilities, needs to be patched regularly and is replaced after a few years, OT is normally used for years or even decades in a production environment without modification.
Where IT security focuses primarily on integrity and confidentiality, OT security focuses on availability. Johan argued for more attention to the security of OT. As a third pillar of security, besides OT and IT, he adds physical security. Access to systems should also receive more attention, especially in the case of OT. Connecting OT to the internet, together with the increasing presence of IoT devices within companies, makes OT ever more vulnerable to attack. By embedding these three aspects of security in processes, people and technology, you give your organisation's Duties of Care proper form and content in the year 2018!
More info about the Duties of Care:
‘Every company has digital duties of care’
‘Enriching insights for Cyber Security in the chain’