Reporting data leaks or other incidents
The local authority makes every effort to protect your personal data as well as possible. Despite that, things can sometimes go wrong.
Data breaches
A data breach may mean, for example, that you have received an e-mail containing personal data not intended for you. If so, please contact the City of Leeuwarden. We will investigate the problem and rectify it. If necessary, we will report the data breach to the Personal Data Authority and/or the data subject(s) whose personal data has been leaked.
Security incident or security breach
A security incident or security breach means that something has gone wrong but no personal data is involved. Examples are a system that no longer works properly, or a person found in the secure area of the town hall when they should not be there. It is important that you inform the local authority of this as soon as possible. We can then take measures to mitigate the (possible) consequences or solve the problem.
Reporting a security incident or security breach
The City of Leeuwarden takes extensive measures to properly secure its computer systems. However, we cannot guarantee that our systems are free of all vulnerabilities. If you discover a vulnerability in any of our systems, we would like to hear from you. We can then take appropriate action quickly. Are you reporting a vulnerability? If so, you agree to the responsible disclosure agreements below:
We ask you to do the following:
- Send an email as soon as possible to wittehoed@leeuwarden.nl setting out your findings. You can do this securely via https://bestandverzenden.leeuwarden.nl to prevent the information from falling into the wrong hands.
- Please provide enough information about the issue for us to fix it as soon as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient. More complex vulnerabilities may require more information.
- We welcome tips to help us solve the problem. Please limit your comments to facts that we can check and that relate to the vulnerability you have identified, and make sure your advice does not amount to advertising specific (security) products.
- Leave your contact details so that we can get in touch with you to work together for a safe outcome. Leave at least one e-mail address or phone number.
The following actions are not permitted:
- Installing malware, whether on our systems or on those of others.
- “Brute-forcing” access to systems.
- Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data are, in general, seriously failing in their duty to treat it with due care. That is, to demonstrate that it is generally too easy to persuade them, by perfectly legal means (i.e. not through blackmail or suchlike), to provide such data to unauthorised persons. You should exercise all care that can reasonably be expected of you not to harm the interests of the employees concerned. Your findings should be aimed solely at demonstrating apparent flaws in procedures and working practices within the local authority and not at harming the interests of individuals employed by the local authority.
- Disclosing or providing information about the security problem to third parties before it is resolved.
- Taking actions beyond what is strictly necessary to demonstrate and report the security problem. This applies in particular to processing (including viewing or copying) confidential data to which you have gained access due to the vulnerability. Rather than copying an entire database, it is usually sufficient for you to provide, for instance, a directory listing. Changing or deleting data in the system is not permitted under any circumstances.
- Disclosing or providing to third parties data of a confidential nature, such as privacy-sensitive data.
- Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
- Misusing the vulnerability in any other way.
What to expect from the City of Leeuwarden:
- We will not file criminal charges against you, nor will we bring a civil case against you, if you meet all of the above conditions. If it is established that you have not complied with any of the conditions, we may still decide to take legal action against you.
- We treat a report confidentially and do not share your personal data with third parties without your consent, unless we are required to do so by law or court order.
- We always share the received report with the Municipal Information Security Service (IBD). This is how we ensure that local authorities share their experiences in this area. By mutual agreement, if you wish, we can mention your name as the person who identified the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an (automatic) acknowledgement of receipt within 1 working day.
- We respond to a report within 3 working days with an initial assessment of the report and possibly an expected date for resolution.
- We will resolve the security issue you have reported as soon as possible. We aim to keep you well informed of progress and never take longer than 90 days to solve the problem. However, we do often depend partly on suppliers in this respect.
- We can mutually agree on whether and how information about the problem will be published after it is solved.
More information
Go to the page Privacyverklaring.