Legal status of GOVCERT.NL
The organisational embedding of a CERT has an influence on the applicable legal framework. GOVCERT.NL is a government CERT.
The Minister of Internal Affairs and Administrative Modernisation is the client for, and also the party responsible for, GOVCERT.NL. The Minister has concluded an agreement, the "GOVCERT.NL Programme Agreement", for the implementation of GOVCERT.NL with the ICTU Foundation, which hosts GOVCERT.NL [1].
The fact that the GOVCERT.NL programme is hosted by the ICTU Foundation means that GOVCERT.NL is not a legal entity in its own right. The consequence is that in every legal transaction GOVCERT.NL wishes to enter into, the ICTU Foundation is the contracting party.
[1] The ICTU is a cooperative association of government organisations under private law, whose aim is to support governments in the development, introduction and implementation of innovative ICT applications.
The GOVCERT.NL Programme Agreement states that the Minister of Internal Affairs and Administrative Modernisation holds final responsibility for GOVCERT.NL. The Programme Agreement also lists the aims of GOVCERT.NL, the products and services to be delivered, the tasks of the GOVCERT.NL programme manager, how liability for the actions of GOVCERT.NL is divided between the ICTU Foundation and the Minister, and how GOVCERT.NL is financed by the Minister.
Establishing responsibility, tasks and competences
The previous paragraph states that the aims of GOVCERT.NL are determined by the Minister of Internal Affairs and Administrative Modernisation. These aims are set down in the GOVCERT.NL Programme Agreement as follows:
- To provide information on ICT-related security incidents: ensuring that the correct information is available in the right place; GOVCERT.NL plays a pivotal role in the information exchange process;
- To coordinate ICT-related security incidents: offering structures to achieve a common approach to bottlenecks and incidents within government;
- To provide support during ICT-related security incidents: supporting the key people responsible within government organisations in order to strengthen their approach;
- To improve quality: giving a continuous quality impetus and structuring a continual improvement process in the government approach to ICT-related security incidents.
It is the task of the GOVCERT.NL programme manager to translate these aims into concrete services. In defining these services, it must be very clear what the responsibilities, tasks and competences of GOVCERT.NL are in relation to each of them. Starting from these responsibilities, liability risks can be controlled (see also paragraph 7.2.2).
As well as marking out the responsibilities between GOVCERT.NL, ICTU and the Minister of Internal Affairs and Administrative Modernisation, it is at least equally important that GOVCERT.NL, with the focus on its services, clearly states what the responsibility of the constituency is. Following on from this, it must also be clearly stated what the constituency can expect of GOVCERT.NL.
GOVCERT.NL has drawn up standard terms and conditions for this which must be expressly accepted by a participating organisation before GOVCERT.NL will provide its services (see also paragraph 7.2.4). The standard terms and conditions are applicable to the standard range of services available from GOVCERT.NL. If a participating organisation wishes to use a service which does not fall under the GOVCERT.NL standard services, a tailored agreement will be drawn up to complement the standard terms and conditions.
Drawing up standard terms and conditions for the use of the services, their express acceptance by a user, and drawing up a complementary agreement for tailored services are not specific to a government CERT. It is recommended that every CERT clearly states the terms and conditions under which its services may be used.
Extent of liability
In the GOVCERT.NL Programme Agreement, the Minister of Internal Affairs and Administrative Modernisation and the ICTU have agreed on a limited (contractual) level of liability. This limited liability is possible because GOVCERT.NL and the party responsible for GOVCERT.NL are to be regarded as one legal entity (namely the State). Under public law, it is in fact customary for government organisations to accept only a limited level of liability towards others. Since GOVCERT.NL provides its services within government, GOVCERT.NL can likewise accept a limited level of liability for its services towards the participating organisations. This limited level of liability must be explicitly agreed between ICTU and the organisations participating in GOVCERT.NL (see paragraphs 7.2.1 and 7.2.4).
Should GOVCERT.NL in the future no longer fall under the ICTU, and thus no longer be part of the State, liability law under (general) private law applies. This private-law liability regime also applies to any CERT that is set up outside the government regime. General liability law must furthermore be taken into account when assessing liability for the GOVCERT.NL alerting service, because the alerting service is always accessible to the public. With regard to the liabilities of the alerting service, see paragraph 7.3.3.
Under private-law liability law, a distinction is drawn between contractual liability and liability in tort (non-contractual liability). Contractual liability can be controlled by GOVCERT.NL itself by acting in accordance with what has been agreed with the participating organisations. Non-contractual liability can, for example, be controlled by offering the GOVCERT.NL portfolio of services under an obligation of effort rather than an obligation of result. Under an obligation of effort, liability only arises if GOVCERT.NL has made insufficient effort to achieve the desired result, and the burden of proof in this respect falls to the participating organisation.
Alongside this, it is important for the control of non-contractual liability that the services are provided within the framework of national laws and legislation. Due care must also be taken at all times in providing the services, so that any event which could lead to a dispute has been handled with the customary level of care. This careful action translates, for example, into the skill of the GOVCERT.NL employees and the care they take in performing their duties. Drawing up a security policy, an information exchange policy and a privacy policy, for instance, makes a significant contribution to careful action by the organisation's employees (see also paragraph 7.2.4).
Drawing up a security policy, an information exchange policy and a privacy policy is not specific to a government CERT. It is recommended that every CERT draws up clear procedures to control its liability risks.
Applicable law and legislation
As already mentioned, the organisational embedding or legal status of a CERT affects the applicable laws and legislation. Acting within the framework of national laws and legislation in turn affects the control of non-contractual liability. Paragraph 7.2 states that GOVCERT.NL is to be classified as a government CERT. This means that, alongside the general laws and legislation, specific public legislation also applies to GOVCERT.NL, such as the:
- General Act on Administrative Law;
- General Principles of Appropriate Government;
- Act to Promote Open Government;
- Archives Act;
- Government Information Security Regulation (VIR);
- Government Information Security Regulation - Specific Information (VIR-BI);
- Code of Practice for Information Security;
- Instructions regarding the provision of market activities by organisations within government.
Alongside the laws and legislation that apply specifically to government organisations, it is important that GOVCERT.NL sets up careful procedures for its primary process, the exchange of information, in order to cover its liability risks. Careful establishment of the information exchange process applies to all CERTs, not only government CERTs.
When setting up a careful information exchange process, the following should be taken into account:
- The Personal Data Protection Act;
- The directive entitled 'Security of Personal Data' from the board for the protection of personal data;
- The Electronic Signature Act;
- Liability legislation from the Civil Code.
To determine whether a CERT is acting within the framework of national legislation, it is recommended that an analysis be carried out of the potentially applicable laws and legislation, in order to map the legal environment. If the legal position of a CERT changes, a further investigation should examine the extent to which this affects the applicable legal framework and the range of services offered.