ACM imposes fine on Dutch telecom company KPN for insufficiently securing customer data
In December 2013, the Netherlands Authority for Consumers and Markets (ACM) imposed a fine on Dutch telecom company KPN for insufficiently securing its customer information systems. Telecom providers are statutorily required to properly protect the personal information and the privacy of their customers, so that third parties are unable to gain access to that information.
Following a successful attempt by a hacker to break into KPN’s network in January 2012, ACM (formerly OPTA in this case) launched an investigation into the way KPN secured its customers’ personal information. The investigation revealed that, prior to the hack, both the security of the personal information of KPN’s customers and the way its security policy was implemented in the organization were inadequate. ACM therefore imposed a fine of EUR 364,000 on KPN. After the hack had been discovered, KPN responded swiftly to get the security of its networks and systems in order.
ACM’s fining decision has only been published now because KPN opposed earlier publication at the District Court of Rotterdam and at the Dutch Trade and Industry Appeals Tribunal (CBb). On June 1, 2015, the CBb handed down its ruling. As a result, the fining decision and the decision on objection can now be published.
Anita Vegter, Member of the Board of ACM, adds: “Customers provide telecom providers with their personal information in order to be able to use their services. They do so in the belief that these companies treat their information with care, and keep it safe. If this is done inadequately, as was the case with KPN, it will hurt consumer confidence in the telecommunications market. That is an undesirable situation that we wish to tackle.”
On January 8, 2015, the District Court of Rotterdam ruled that ACM had correctly imposed a fine on KPN. KPN has filed an appeal with the CBb against this ruling.
Duty of care of telecom providers
All telecom providers have the statutory duty (‘duty of care’) to appropriately secure the personal information and privacy of their customers. The measures that telecom providers must take should guarantee an appropriate level of security, taking into account current technological capabilities, the costs of the measures to be taken, and the risk of a security breach.