‘Duplicate Claim Detector (DCD)’ launched by Innovation Platform Verbond van Verzekeraars


Astrid van Noort was present as a speaker at the launch of the ‘Duplicate Claim Detector (DCD)’ by the Innovation Platform of Verbond van Verzekeraars.

Ekelmans Advocaten advised Verbond van Verzekeraars in the development of this Duplicate Claim Detector on a secure and responsible method of data exchange between insurers within the framework of the GDPR (AVG).

With the Duplicate Claim Detector, an important tool has been developed that helps insurers prevent the payment of duplicate claims and identify potential fraud. This significantly promotes insurer integrity and risk management.

Confidential data in good hands

Your organisation processes personal data on a large scale. You need that personal data for your core processes but you also wish to comply with all the rules and protect privacy. These two goals are not always easy to reconcile. Our lawyers can help you here.

When developing new products or services, creative solutions may sometimes be required in order to remain compliant with privacy legislation. The Ekelmans Advocaten Privacy Desk helps you use personal data optimally for commercial purposes while still guaranteeing the privacy of your customers.

Author

Astrid van Noort is partner Insurance & Liability and strategic GDPR (AVG) expert for major insurers. She devises practical, workable and commercially attractive solutions to complex problems. She also specialises in personal injury, income and sickness absence insurance and health insurance.

Beware of the Cyber Security Act!


The Network and Information Systems Security Act (Wbni) is applicable in the Netherlands. The act is also known as the Cyber Security Act. The directive applies to operators of essential services and providers of digital services. This directive may also apply to your organisation.

Since 9 November 2018, the Network and Information Systems Security Act (in Dutch: “Wet beveiliging netwerk- en informatiesystemen”), also known as the Cyber Security Act, has been applicable in the Netherlands. This Act is the Dutch translation of the European Cyber Security Directive (EU Network and Information Security Directive 2016/1148). Each Member State is required to have its own translation of the directive. The directive applies to operators of essential services and providers of digital services. This directive may also apply to your organization. This article first explains who the operators of essential services and digital service providers are, and then discusses the duty of care arising from the European Cyber Security Directive.

When are you an operator of essential services or a provider of digital services?

Essential service operators include organizations in the energy, financial and transport sectors. Digital service providers, also known as “DSPs”, include for example cloud services, search engines and online marketplaces. However, not every party that offers a digital service is automatically covered by the European Cyber Security Directive. For example, social media and web shops also offer digital services, but do not necessarily have to comply with the European Cyber Security Directive. The organization must have a head office or representation in the Netherlands. In addition, more than 50 employees must be employed within the organization or there must be a balance sheet total or an annual turnover of more than 10 million euros. Small and micro-enterprises therefore do not fall under the scope of the European Cyber Security Directive.

The failure or disruption of operators of essential services or digital service providers can lead to major social disruption. The European Cyber Security Directive therefore includes a duty of care for security measures.

The duty of care

The duty of care means that operators of essential services and the digital service providers must take appropriate organizational and technical measures to manage security risks and to reduce the consequences of incidents. In the GDPR (art. 24) we also have such an arrangement for the processing of personal data. However, the European Cyber Security Directive specifically focuses on digital security and includes the operators of essential services and the digital service providers in the broad sense.

The European Cyber Security Directive works out five aspects that operators of essential services and the digital service providers must take into account. This elaboration is based on art. 2 Implementing Regulation (EU) 2019/151 and consists – in brief – of taking the following measures:

First of all, the network and information systems must be adequately secured. In addition, organizations must be able to demonstrate that they take measures in the event of incidents. This could include processes for reporting incidents and for identifying shortcomings and weaknesses in the system. Provision must also be made for measures to properly maintain or restore business continuity and services after an incident. These measures include the establishment and use of contingency plans. It is also relevant that regular checks are made to ensure that the measures in question work properly and are therefore periodically tested. Finally, international standards must be taken into account in all of this.

All these measures aim to ensure that operators of essential services and digital service providers comply with the principle of duty of care as set out in the European Cyber Security Directive: “taking appropriate measures to prevent incidents and, if incidents do occur, to limit the consequences thereof as much as possible”.

The duty of care in practice

The European Cyber Security Directive mainly indicates what needs to be done, but not how this duty of care should subsequently be implemented.

Operators of essential services and digital service providers must work out the implementation of the duty of care and the measures themselves, while each Member State needs to have a supervisory body (the Telecom Agency in the Netherlands) to supervise and take enforcement action if needed. However, because the duty of care and the measures are not spelled out in detail, it is to be expected that organizations will have considerable uncertainty about this. This could result in a failure to fulfill their duty of care.

It is therefore advisable to seek legal advice in order to apply the duty of care arising from the European Cyber Security Directive as correctly as possible in practice. It is important to strike a balance between complying with the duty of care and respecting the commercial interests of companies and the privacy of natural persons. Creating a security protocol with a concrete step-by-step plan/checklist could be an example of this. However, due to the diversity of organizations that fall within the scope of the European Cyber Security Directive, this is a matter of customization.

What does this mean for the insurer?

The imposition of a specific duty of care on the one hand, and the absence of specific standards on the other, make operators of essential services and digital service providers vulnerable not only to the regulator but also to (possible) claims.

This increases the risk for an insurer that insures operators of essential services and digital service providers. Insurance companies are therefore advised to take this into account in the underwriting processes for these operators and providers. This can be done, for example, by checking whether protocols and step-by-step plans to meet the duty of care are present within the organization. It is also advisable to oblige insured operators of essential services and digital service providers to inform the insurer of any changes to this duty of care within the organization.
