Legal status of the Alerting service
This paragraph describes which legal aspects are important to the setting up of the public function of GOVCERT.NL, the alerting service. In view of the fact that the information on ICT related security incidents which is received by GOVCERT.NL is converted for the alerting service into alerts to the public, careful use of the information is linked to the procedures that GOVCERT.NL uses for this purpose (see also paragraph 7.2.4).
This paragraph - in view of the services and target group of the alerting service - states which legal questions must specifically be answered and worked out for the public function of GOVCERT.NL.
Legal status of Waarschuwingsdienst.nl
Just as the organisational embedding of GOVCERT.NL within ICTU has an influence on the applicable legal framework, the organisational embedding of Waarschuwingsdienst.nl within ICTU has an influence on the legal framework applicable to the alerting service. The alerting service is organisationally embedded within GOVCERT.NL. However, the alerting service's client is not the Minister of Internal Affairs and Administrative Modernisation, but the Ministry of Economic Affairs. The Ministry of Economic Affairs has concluded a 'Waarschuwingsdienst.nl programme agreement' within this framework with the ICTU Foundation, home to GOVCERT.NL. Just like GOVCERT.NL, the alerting service therefore has no legal entity of its own and the ICTU Foundation is party to any agreements concluded on behalf of the alerting service.
The 'Waarschuwingsdienst.nl programme agreement' states that the Minister of Economic Affairs has final responsibility and sets the aims of the alerting service. The aim of the alerting service is to provide the public with alerts and advice in the field of computer security problems. To this end, the following services are offered to the public:
- Vulnerability advice: alerting the public to possible ICT related security incidents;
- Trend / advice: providing information on developments in the field of security problems;
- Background information: providing information on risks, incidents and protective measures;
- Reporting point for incidents: people in the target group can report security incidents to the alerting service.
Alongside the aims and services of the alerting service, this agreement also states what the tasks of the programme manager are, how liability for the alerting service's actions is divided between the ICTU Foundation and the Minister of Economic Affairs, as well as how the alerting service is financed by the Minister of Economic Affairs.
The fact that the alerting service is a service offered by GOVCERT.NL means that the alerting service is also classified as a government service (see also paragraph 7.2). Consequently, alongside the general laws and legislation, specific public laws and legislation also apply to the services of the alerting service. In view of the fact that the alerting service is organisationally embedded within GOVCERT.NL, reference is made to paragraphs 7.2.3 and 7.2.4 for the applicability of public laws and legislation and the concrete products arising therefrom.
Establishing responsibility, tasks and competences
As already stated above, the 'Waarschuwingsdienst.nl programme agreement' establishes that the Minister of Economic Affairs has final responsibility and sets the aims for the alerting service.
The alerting service has simply set itself the goal of being able to quickly inform its target group of all kinds of (possible) ICT security incidents. The information on these (possible) ICT security incidents must be clear and have a high reality content. The value attributed to the alerting service is particularly based on the fact that it can use the information available to GOVCERT.NL. The way that this information can and / or may be exchanged between GOVCERT.NL and the alerting service must be clearly defined in the information exchange policy of GOVCERT.NL, see also paragraph 7.2.4.
General terms and conditions
Alongside the division of responsibilities between the alerting service, ICTU and the Minister of Economic Affairs in the 'Waarschuwingsdienst.nl programme agreement', it is at least equally important that the alerting service - with regard to the services it provides - clearly states the responsibilities of the users of the alerting service. In continuation of this, what the public can expect of the alerting service should also be clearly stated.
To this end, the alerting service has drawn up general terms and conditions which must be expressly accepted by all users of services provided by the alerting service.
In view of the fact that the alerting service only provides electronic services, it is essential that the alerting service can prove at all times that the user has actually accepted the general terms and conditions in order to meet the requirement of the so-called legal obligation to provide the general terms and conditions prior to the provision of any service. This was explicitly taken into account in the technical design of the website for Waarschuwingsdienst.nl. The user of a service from the alerting service accepts the general terms and conditions by clicking on the 'I accept' button. After an integral presentation of the general terms and conditions and clicking on 'I accept', the user then gains access to the services from the alerting service. This way of accepting the general terms and conditions and granting access to the services from the alerting service is a result of the electronic trading act. Any CERT which offers its services on-line must arrange to display the general terms and conditions in this way to ensure that the user cannot refer to the fact that the general terms and conditions were not made available promptly.
Drawing up general terms and conditions is not specific to a government alerting service. It is recommended that each alerting service uses general terms and conditions and makes them available in an appropriate way which also meets the legal requirements placed upon the on-line provision of information services.
Market and government
Because the alerting service is financed by the Ministry of Economic Affairs, it is possible that it may be suggested - by market parties who offer similar services - that the Ministry of Economic Affairs is competing with their business in the form of the alerting service. The Market and Government issue affects the question of the conditions under which a government department may carry out market activities, so that it avoids affecting competition relationships. Clearly communicating the fact that the alerting service has a right to exist from GOVCERT.NL because no market parties can offer a similar service to that offered by the alerting service, as well as the fact that the alerting service is inextricably linked to the execution of the public tasks of the Ministry of Economic Affairs - specifically internet security - avoids any chance that commercial alerting services could successfully invoke the market and government issue.
Extent of liability
A broad public is informed of computer viruses and software vulnerabilities via the alerting service. Information on ICT related security incidents received by GOVCERT.NL is translated into facts in alerts to the public by the alerting service. Within this framework, it is possible to distinguish two types of liability as follows:
- The alerting service's liability for, for example, incorrect or too late reports (legal liability);
- Any continuation of the legal liability by the Minister of the Interior and Kingdom Relations as a consequence of the fact that GOVCERT.NL facilitates the alerting service for the Ministry of Economic Affairs (contractual liability).
Legal liability
Since ICTU is a legal entity, a direct relationship is created between ICTU and a user of the alerting service.
To give this relationship between ICTU and the user of the alerting service a legal form and to identify the liability risks run by ICTU due to the provision of the services from the alerting service, general terms and conditions have been drawn up (see also paragraph 7.3.1). These general terms and conditions contain an appropriate exoneration clause. A disclaimer is also shown on the website which clearly states that the alerting service has an obligation to make a suitable effort for the services it offers. Users are also always sent a disclaimer with each individual report. The report also states the source of the information.
To conclude, in the event that legal liability is successfully invoked, ICTU has concluded professional liability insurance to cover any damages.
Contractual liability
Contractual liability is specified in the (programme) agreement between the Minister of Economic Affairs and the ICTU Foundation.
With regard to any claims for damage caused to third parties as a consequence of alerts and / or advice from the alerting service which was based on incorrect and / or insufficient information (legal liability), it is recommended that all alerting services take out professional liability insurance.