Reporting data breaches or other incidents
We make every effort to protect your personal data as effectively as possible. Despite that, things can sometimes go wrong.
Data breaches
A data breach may involve, for example, an email containing personal data meant for someone else being sent to you, a file being lost or a letter being sent to the wrong address. When something like this happens, contact us without delay. We will investigate and resolve the problem.
If necessary, we will report the data breach to the Dutch Data Protection Authority and/or any data subjects whose personal data have been leaked.
Security incident or security breach
A security incident or security breach means that something has gone wrong, but no personal data are involved. For example, a person is found in the secure area of the Town Hall when they should not be there, or a system no longer works properly.
It is important to report such incidents to us as soon as possible. We can then take measures to mitigate the (possible) consequences or solve the problem.
Reporting a security incident or security breach
We take extensive measures to properly secure computer systems. However, we cannot guarantee that our systems are free of all vulnerabilities. If you discover a vulnerability in any of our systems, we would like to hear from you. Are you reporting a vulnerability? If so, you agree to the responsible disclosure agreements below:
We ask the following of you
- Send an email as soon as possible to wittehoed@leeuwarden.nl setting out your findings. You can do this securely via the Sending files link to prevent the information from falling into the wrong hands.
- Please provide enough information about the issue for us to fix it as soon as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient. More complex vulnerabilities may require more information.
- We welcome tips to help us solve the problem. Please limit your comments to the facts that we can check and that relate to the vulnerability you have identified. Do not advertise specific security or other products.
- Leave your contact details so that we can get in touch with you to work together for a safe outcome. Leave at least 1 email address or phone number.
The following actions are not permitted:
- Installing malware, whether on our systems or those of others.
- The ‘bruteforcing’ of access to systems.
- Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data in general are (seriously) failing in their duty to treat these data with due care. That is, it is generally too easy to persuade them, by perfectly legal means (i.e. not through blackmail or suchlike), to provide such data to unauthorised persons. You should exercise all care that can reasonably be expected of you not to harm the interests of the employees concerned themselves. Your findings should be aimed solely at demonstrating apparent flaws in procedures and working practices within the local authority and not at harming the interests of individuals employed by the local authority.
- Disclosing or providing information about the security problem to third parties before it is resolved.
- Taking actions beyond what is strictly necessary to demonstrate and report the security problem. This applies in particular where it involves processing (including viewing or copying) confidential data to which you have gained access due to the vulnerability. Rather than copying an entire database, it is usually sufficient for you to provide, for instance, a directory listing. Changing or deleting data in the system is not permitted under any circumstances.
- Disclosing or providing to third parties data of a confidential nature, such as privacy-sensitive data.
- Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
- Misusing the vulnerability in any other way.
What should you expect from us?
- We will not file criminal charges against you, nor will we bring a civil case against you if you meet all of the above conditions. If it is established that you have not complied with 1 of the conditions, we may still decide to take legal action against you.
- We will treat all reports confidentially and will not share your personal data with third parties without your permission, unless we are obligated to do so pursuant to law or a court decision.
- We always share the received report with the Municipal Information Security Service (IBD). This is how we ensure that local authorities share their experiences in this area. By mutual agreement, if you wish, we can mention your name as the person who identified the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an (automatic) acknowledgement of receipt within 1 working day.
- We respond to a report within 3 working days with an initial assessment of the report and possibly an expected date for resolution.
- We will resolve the security issue you have reported as soon as possible. We aim to keep you well informed of progress and never take longer than 90 days to solve the problem. However, we do often depend partly on suppliers in this respect.
- We can mutually agree on whether and how the problem will be published after it is solved.
More information
Go to the page Privacyverklaring.