If a data leak is not handled in the right way, it can damage the image of your organisation and lead to heavy fines from authorities. It is therefore important to report any leak correctly and promptly to your partners, to individuals and to authorities.
What is a security incident and when should it be reported?
A data leak is a security incident where personal data, which the Processor (Hoteliers.com) manages for the Responsible (the hotel), are lost or where unauthorized persons had access. This includes data which can be connected to individuals, such as, but not restricted to, names, addresses, telephone numbers, email addresses, login credentials, cookies, IP-addresses or identification data of computers or phones.
Below are some examples of security incidents which should be reported to the authorities:
- The website with login credentials is hacked or accessible to others.
- Losing a laptop, smartphone or USB-stick with personal data.
- Salary specifications of employees which are sent to the wrong person by accident.
- Letters or emails which are sent to the wrong address.
- An attack by a hacker on the system.
- A burglary at work where unauthorized access to printed or digital personal data may have taken place.
What to do when in doubt?
If it's not certain from the above information, the following questions can be asked as an aid to determine if it's a security incident:
- Is it a technical or physical security incident?
- Is the problem regarding personal data? This can also be IP-addresses, telephone numbers or identifiable data, such as hardware.
- Is it regarding sensitive data such as race, health data, information about someone's financial situation (such as salary), or data which can be used for identity theft, such as a social security number?
- Is it regarding a large amount of personal data which were leaked?
- Is it regarding data of special groups, such as children?
- Is the data managed by a supplier?
Where to report a security incident?
If a security incident is discovered, contact the Support Manager of Hoteliers.com right away via email and call us at +31 20 531 3333.
Include answers to the following questions in your email. These questions are similar to the information that has to be shared with the authorities.
Please answer the following questions in detail and in writing:
- Provide a summary of the security incident.
Also note the name of the system involved.
- Which type of personal data is breached?
Such as, but not limited to, name, address, email address, IP-number, passport picture and any other data that can be traced to an individual.
- How many individuals are involved in the data breach?
Please provide a minimum and maximum number of persons.
- Describe the group of individuals whose data is breached.
Note if it's regarding employee data or data of internet users. Special attention should be given to groups, such as children.
- Are the contact details of the individuals known?
It may be possible that these individuals should be notified. How can we reach them?
- What is the cause of the security incident?
Do you have an idea how this data leak could have happened?
- What are the results of the security incident?
Do you have an idea what the results are for the individuals?
- On which date or in which period did the security incident take place?
Please specify in detail.
In case of a data breach at the Processor, the Processor will inform the Responsible, including the above information and the measures taken to prevent this in the future.