“The aim of the lab is to test new ideas in practice. We do that by bringing together scientists and business sector representatives,” explained Nieuwesteeg, who is also the director of the EUR Centre for Law and Economics of Cyber Security. He established the lab together with Petra Oldengarm from Cyberveilig NL and Rutger Leukfeldt (The Hague University of Applied Sciences).

In practice this means that Nieuwesteeg and his colleagues organise regular brainstorming sessions in the lab on specific themes. Although the lab was only officially launched this week, the first session has already taken place. “And that was an immediate success,” explained Nieuwesteeg proudly.

Data breach at the municipal health service

Bernold Nieuwesteeg. Image credit: own archive

The first session covered the theme of cybersecurity companies and their duty of care. “It’s perhaps not the first thing you’d think of, but it is very important,” argued the researcher. Take the GGD, for example. It suffered a huge data breach in January, in which almost all employees could access all data on people who had been tested for the coronavirus. There was even a ‘handy’ export function with which data on thousands of patients could be taken away with one click. Nieuwesteeg: “The media then mainly focused on the GGD’s responsibility. But it’s not correct that only the purchaser should be accused. Why not confront the software supplier when there’s a data breach? The GGD is good at vaccinating people and testing, not necessarily at cybersecurity. A software company, however, deals with that every day. So who is better able to prevent such a breach?”

Contracts often state that the supplier is not responsible for data breaches and that responsibility lies with the purchaser. “I’d do that too if I were a supplier,” stated Nieuwesteeg. “But that’s not really in society’s interests.” The brainstorming session even produced a concrete solution.

Duty of care

“It’s perhaps a bit cumbersome, but we came up with the idea of the cybersecurity duty of care standard,” explained Nieuwesteeg. This means that the supplier and the user make standardised agreements about who is responsible for what. You can then deviate from these standards, but only with ‘good reasons’ and only if both parties agree. “So if the user is a well-known IT company, it’s probably logical that it will want to take its own responsibility for this. It can do that, but this always needs to be explained.” Insurers could demand such a standard clause in the future.

What is unique about the lab is that many cybersecurity companies helped us think about the solution. “There was a director of a hundred staff members in the room. These are serious players. That means it’s not just a scientist bleating on about a duty of care standard; big companies from the cybersecurity sector are immediately endorsing this.”