closeup of an golden electronic circuit board

The Cybersecurity & Privacy Team of CMS Netherlands has a long standing practical experience of advising Dutch and international clients on cybersecurity and data protection matters across a wide range of industries. Our approach combines thorough legal specialisation with expertise in sector and application-specific requirements and concepts that has been gained through our work.

Cybersecurity

Hand-in hand with fast-paced technological change and market disruption come concerns about cyber incident matters, such as business e-mail compromise, CEO fraud and ransomware attacks. We help organizations to determine effective legal strategies in cyber risk management. We believe cyber risk to be a holistic issue, which cannot be resolved by merely looking through the eyes of a lawyer. Our specialists are used to closely cooperate in multidisciplinary teams at any level within your organization, including IT, HR, legal & compliance, PR and the board. Our daily operations also include close collaborations with external IT (forensic) specialists and crisis communications experts.

Our expertise includes:

  • Providing 24/7 cyber incident legal response services
  • Drafting and negotiating information security agreements
  • Cyber loss related litigation
  • Representing clients in breach notification procedures and investigations
  • Multistakeholder incident management (board, legal & compliance, public relations.

Data Protection & Privacy

We provide support and advice on structuring business models in compliance with data protection regulations (privacy by design), enabling such models to be implemented in an environment where privacy and personal rights are becoming increasingly sensitive issues. Close international co-operation within the CMS Data Protection Group enables us to deal with issues at any European level.

Our expertise includes:

  • Data protection-compliant structuring of business models and all internal/external processes which involve personal data of customers, employees or third parties.
  • Advising on the exchange or export of personal data.
  • Data protection issues in bringing IT or business processes to the cloud or in providing cloud services for customers.
  • Drafting processor agreements and BCR
  • Designing privacy policies and data protection strategies at group, corporate, departmental or process level, including works council and collective employment law aspects.
  • Advice on (technical) aspects of system data protection and on related legal issues in connection with the acquisition, creation, use and analysis of information / big data.
  • Dealing with and representation before Data Protection Authority and other public bodies.

We have gained experience in coaching the legal side of data protection projects and issues for clients in many different industries, such as the financial services, health care & life sciences, IT and telecoms, consumer goods, real estate (investment management) and hotels & leisure industries.

09/09/2021
The Chan­ging Face of Cy­ber Claims
A cy­ber in­sur­ance loss study in Con­tin­ent­al Europe
GDPR
In­sight
Data Law Nav­ig­at­or
Use the Data Law Nav­ig­at­or for a quick look at data pro­tec­tion laws in...

Feed

09/09/2021
The Chan­ging Face of Cy­ber Claims
A cy­ber in­sur­ance loss study in Con­tin­ent­al Europe
16/06/2021
CMS European Class Ac­tions Re­port 2021
First re­port on the true pic­ture of European class ac­tion risk, a key con­cern for ma­jor cor­por­ates 
09/06/2021
Open secrets? Guard­ing value in the in­tan­gible eco­nomy
Some leaks can’t be fixed “Con­fid­en­tial in­form­a­tion is like an ice cube... give it to the party who has no re­fri­ger­at­or or will not agree to keep it in one, and by the time of the tri­al you have just a pool of wa­ter.” This, from the so-called Spycatch­er case (1987), ap­plies well to cor­por­ate as­sets: fail to store them cor­rectly and all you might have left is an ex­pens­ive mess.The con­sequences of even a minor ex­pos­ure of a trade secret can be huge. As this re­port re­veals, the pro­tec­tion of trade secrets is rightly re­cog­nised by most seni­or ex­ec­ut­ives as a pri­or­ity is­sue. But the re­search also re­veals gaps that leave com­pan­ies un­ne­ces­sar­ily ex­posed to risks. The top named threats – cy­ber­se­cur­ity at­tacks and em­ploy­ee leaks – res­on­ate with what we see im­pact­ing our cli­ents. In­creased home and re­mote work­ing is strain­ing se­cur­ity meas­ures and em­ploy­ee loy­alty. Ad­ded to this, an ‘in­nov­ate or die’ at­ti­tude in highly-com­pet­it­ive sec­tors can mo­tiv­ate new join­ers to ar­rive with ques­tion­able ma­ter­i­al from their pre­vi­ous em­ploy­er, or worse: out­right theft between com­pet­it­ors. But while it is easy to fo­cus on the lurk­ing threats from weakened cy­ber se­cur­ity and dis­gruntled em­ploy­ees – and they are im­port­ant – there are more routine ac­tions a com­pany can take to safe­guard its secrets than just up­dat­ing its IT sys­tems or the em­ploy­ee hand­book. Com­monly, those who most need our help already have a trade secrets policy but have not prop­erly im­ple­men­ted it in re­la­tion to the secret in ques­tion. Or the policy has not been up­dated to re­flect the in­tan­gible as­sets the busi­ness now owns. Or pro­tec­tion was taken for gran­ted.With trade secrets – which for many busi­nesses are stra­tegic­ally more im­port­ant than a pub­lic pat­ent port­fo­lio – it is al­ways cost­li­er and messi­er to find solu­tions after a theft or a leak. Identi­fy­ing the trade secrets and the threats posed to them, com­bined with rig­or­ous in­tern­al pro­cesses and well-draf­ted con­tracts, can help pre­vent such prob­lems from hap­pen­ing. Harder, but just as ne­ces­sary, is en­ga­ging hearts and minds in cor­por­ate cul­ture, to know why trade secrets are im­port­ant, why we are all are re­spons­ible for pro­tect­ing them, and what may hap­pen if we do not (to both the com­pany and the in­di­vidu­al). In our ex­per­i­ence, the busi­nesses with the strongest de­fences have not only thought stra­tegic­ally about their in­tan­gible as­sets and how best to pro­tect them but are also pre­pared for the worst. The trick to avoid­ing an as­set be­com­ing a crisis is to be wise be­fore the event.Tom Scourfield, Co-Head, In­tel­lec­tu­al Prop­erty Group, CMS
27/05/2021
GDPR En­force­ment Track­er Re­port
When the GDPR was already in force, but not yet ap­plic­able (and not a single fine had been im­posed yet), much at­ten­tion was paid to the for­mid­able fine frame­work. For many com­pany of­ficers, this caused fear: if I vi­ol­ate the GDPR, I have one foot in jail (or at least my or­gan­isa­tion has to pay EUR 20 mil­lion or 4% of its glob­al an­nu­al turnover, cal­cu­lated for the whole group, if the com­pany is part of one).We be­lieve that facts are bet­ter than fear.The con­tinu­ously up­dated list of pub­licly known GDPR fines in the GDPR En­force­ment Track­er is our 24/7 rem­edy against fear, while the an­nu­al En­force­ment Track­er Re­port is our deep dive and per­mits more in­sights in­to the world of GDPR fines. We are pleased that our ana­lys­is for this second edi­tion of the ET Re­port is based on a lar­ger over­all data set of more than 570 fine cases, 526 of which made it in­to the ed­it­or­i­al team's work­sheet.More in­ter­na­tion­al­We are even more pleased that more in­ter­na­tion­al col­leagues sup­por­ted us this time and provided de­tailed in­put on en­force­ment prac­tice, in par­tic­u­lar for EU mem­ber states in the new mem­ber state in­ter­views (Ed­it­or­'s note: the United King­dom re­mains part of the En­force­ment Track­er Re­port and the En­force­ment Track­er as the UK Gen­er­al Data Pro­tec­tion Reg­u­la­tion en­sures reg­u­lat­ory con­sist­ency re­gard­less of Brexit).Loc­al law and prac­tice mat­ter­After al­most three years of GDPR ap­plic­a­tion, we are not the only ones to have learned one thing: des­pite the GDPR's full har­mon­isa­tion ap­proach, hardly any oth­er area is shaped more by na­tion­al laws and of­fi­cial prac­tice than GDPR fines. This may be a reas­on why Spain still tops the list of coun­tries with the most fines this year.Ex­ec­ut­ive Sum­mary­As we are aware that pri­vacy pro­fes­sion­als are un­likely to have a peace­ful job in these chal­len­ging times, the second edi­tion kicks off with an ex­ec­ut­ive sum­mary for the quick read­er (in­clud­ing over­all takeaways, in ad­di­tion to sec­tor-spe­cif­ic ob­ser­va­tions). Hav­ing in­ten­tion­ally op­ted for an on­line-only pub­lic­a­tion, the ET Re­port's Ex­ec­Sum is the only part that you can con­veni­ently down­load (or even print out for bed­time read­ing without a di­git­al device).Num­bers & fig­ures and sec­tor ap­proach­We have put to­geth­er an over­all sum­mary of the ex­ist­ing fines in the "Num­bers and Fig­ures" sec­tion, fol­lowed by tried-and-tested ana­lys­is for the fol­low­ing busi­ness sec­tors:Fin­ance, in­sur­ance and con­sultingAc­com­mod­a­tion and hos­pit­al­ity­Health careIn­dustry and com­mer­ceR­eal es­tate­Media, tele­coms and broad­cast­ing­Pub­lic sec­tor and edu­ca­tion­Trans­port­a­tion and en­ergy­In­di­vidu­als and private as­so­ci­ations plus the over­arch­ing cat­egoryEm­ploy­mentY­our takeawaysThis in-depth ana­lys­is per­mits first con­clu­sions to be drawn as to which busi­ness sec­tors at­trac­ted par­tic­u­larly hefty fines. We also ana­lysed the DPAs' reas­on­ings for the fines. These as­pects to­geth­er al­low us to provide you with key takeaways for each busi­ness sec­tor. Apart from the law­ful­ness of each data pro­cessing op­er­a­tion, bol­ster­ing data se­cur­ity should re­main in the spot­light for every or­gan­isa­tion. There are already rel­ev­ant in­dic­a­tions in terms of data pro­tec­tion lit­ig­a­tion – in par­tic­u­lar, data sub­ject­s' claims for ma­ter­i­al or im­ma­ter­i­al dam­ages un­der Art. 82 of the GDPR are on the rise. This trend is un­likely to stop, be­ing in par­tic­u­lar sup­por­ted by col­lect­ive re­dress mech­an­isms and leg­al tech of­fer­ings that are already in­creas­ing the risks of and re­sources needed for data pro­tec­tion claims man­age­ment.Meth­od­o­logy­We do not re­sort to witch­craft nor do we have pref­er­en­tial ac­cess to GDPR fine in­form­a­tion (at least in most cases, but we are still work­ing on that…) when work­ing in the En­force­ment Track­er en­gine room and pre­par­ing the En­force­ment Track­er Re­port. In ad­di­tion to our ne­ces­sary fo­cus on pub­licly avail­able fines, there are some oth­er in­her­ent lim­its to the data be­hind this whole ex­er­cise. For the "small print", please see our more de­tailed re­marks on meth­od­o­logy. On a more gen­er­al level, al­though we have done our best to break down a com­plex top­ic in­to neat pieces, we have res­isted the tempta­tion to fol­low SEO re­com­mend­a­tions for the whole con­tent pack­age and would ask you to con­sider it a "long read" format if you de­cide to read it in full.What's next?The En­force­ment Track­er Re­port and the En­force­ment Track­er are a work in pro­gress. We highly ap­pre­ci­ate any form of feed­back (prefer­ably con­struct­ive…) and would like to thank every­body who has reached out over the last year. We re­ceived in­ter­est­ing ideas, in­form­a­tion about for­got­ten fines (hid­den deeply in re­mote corners of a sup­posedly com­pletely cap­tured world) and re­com­mend­a­tions for ad­di­tion­al fea­tures (our buck­et list is grow­ing stead­ily), as well as rel­ev­ant con­tri­bu­tions from stake­hold­ers out­side the EU – demon­strat­ing that the data pro­tec­tion land­scape is evolving rap­idly on a glob­al scale and in­ter­faces between na­tion­al/re­gion­al con­cepts are de­vel­op­ing even in the ab­sence of a glob­al data pro­tec­tion law. We have en­gaged with peers from the leg­al pro­fes­sion, pri­vacy pro­fes­sion­als with a more ad­vanced tech back­ground as well as re­search­ers from vari­ous dis­cip­lines. We strongly en­cour­age you to con­tin­ue en­ga­ging with us. And we apo­lo­gise in ad­vance if our feed­back may take some time; the data pro­tec­tion world is not a quiet one right now.Stay safe – and keep on fight­ing, Chris­ti­an Runte, Mi­chael Kamps, ed­it­ors and the en­force­ment track­ing and re­port­ing team
22/10/2020
CMS launches data breach app
CMS launches its Breach As­sist­ant app, a tech­no­logy plat­form that gives busi­nesses af­fected by a po­ten­tial data breach or oth­er cy­ber in­cid­ent a head­start dur­ing the first crit­ic­al hours. CMS has de­veloped...
14/07/2020
The Chan­ging Face of Cy­ber Claims
At the in­vit­a­tion of glob­al ex­perts in in­sur­ance brok­ing and risk man­age­ment, Marsh, and IT con­sult­ants, Wave­stone, CMS has con­trib­uted to The Chan­ging Face of Cy­ber Claims study which looks at prac­tic­al...
11/05/2020
AI in Life Sci­ences
Ar­ti­fi­cial in­tel­li­gence is not new: the term it­self was coined over 60 years ago. However, the con­ver­gence of data volume, pro­cessing power and tech­nic­al cap­ab­il­ity has con­vinced many that the AI era...
04/05/2020
5 mis­con­cep­tions about the GDPR data breach no­ti­fic­a­tion
In 2019, the Dutch Data Pro­tec­tion Au­thor­ity (DDPA) re­ceived 26.956 data breach no­ti­fic­a­tions. The ma­jor­ity of these breaches were no­ti­fied by or­gan­isa­tions act­ive in health sec­tor (mostly hos­pit­als...
16/03/2020
Em­ploy­ment and com­mer­cial as­pects of Coronavir­us
The situ­ation re­gard­ing COV­ID-19 (Coronavir­us) is de­vel­op­ing world­wide. Com­pan­ies are now faced with unique chal­lenges and vari­ous con­cerns, in­clud­ing many leg­al ques­tions. What ob­lig­a­tions do em­ploy­ers...
05/03/2020
Coronavir­us: em­ploy­er meas­ures and policies
COV­ID-19, the dis­ease as­so­ci­ated with the coronavir­us that has dom­in­ated glob­al news in re­cent weeks, is be­ing battled on many fronts with spe­cif­ic meas­ures de­signed to re­duce its ef­fects. Al­though the...
05/02/2020
CMS Re­cep­tion in Da­v­os 2020: Laura Ru­das (Pa­lantir Tech­no­lo­gies)
CMS in con­junc­tion with Ger­many’s lead­ing weekly news­pa­per Die Zeit, hos­ted its an­nu­al re­cep­tion in Da­v­os on 22 Janu­ary. This year the top­ic was “Chal­lenges and Busi­ness Op­por­tun­it­ies in the World...
31/01/2020
CMS re­leases pod­cast series on chal­lenges and busi­ness op­por­tun­it­ies in...
Cli­mate change, di­git­al trans­form­a­tion and in­creas­ing auto­ma­tion have trans­formed the world of busi­ness. With even more sig­ni­fic­ant changes on the ho­ri­zon, busi­nesses will have to ad­opt new, in­nov­at­ive...