Rb. Rotterdam - C/10/655051 KG ZA 23-243

From GDPRhub
Revision as of 11:38, 18 April 2023 by Ls (talk | contribs)
Court: Rb. Rotterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 28(3) GDPR
Decided: 06.04.2023
Published: 06.04.2023
Parties: Blauw Research B.V.
NEBU B.V.
National Case Number/Name: C/10/655051 KG ZA 23-243
European Case Law Identifier: ECLI:NL:RBROT:2023:2931
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rb. Rotterdam C/10/655051 KG ZA 23-243 (in Dutch)
Initial Contributor: Matthias Smet

A processor suffering a cyber attack should provide all information to the controller to enable it to investigate the attack and must update the controller on the state of affairs and whenever new information is available.

English Summary

Facts

In this decision, a controller had a processing agreement with a service provider (processor) active in the design of surveys.

On 10-11 March 2023, the processor was the victim of a cyber attack in which third parties gained unauthorized access to its servers and extracted data. The processor informed the controller about it two days after the attack took place. The controller requested more information, and the processor confirmed that data (passwords) had been stolen and that personal data (stored in cloud databases and surveys) had been leaked.

The controller considered that, based on the processing agreement, the processor must provide information regarding security incidents and data breaches at all times. It also argued that the information provided following the cyber attack was not sufficient to meet the requirements set out in the agreement. The processor did not dispute that information must be provided, but objected to the scope of the information requested.

As a result, the controller asked the Court to order the processor to:

  1. provide information about (i) details of the cyber attack; (ii) how and with what methods the system was recovered after the attack; (iii) an overview of which customers' personal data were leaked; (iv) the perpetrators of the attack; (v) which preventive and reactive technical and organisational measures were taken; (vi) internal reporting within the organization of the processor about the cyber attack that has taken place;
  2. in the future, within 4 hours after new information is available, transfer this information to the controller and send an update on the state of affairs twice a day (at 14:00 and 19:00);
  3. appoint a forensic investigator to carry out a root-cause analysis; and
  4. provide all necessary assistance and answer all of the controller's questions.

Finally, the controller claimed a penalty of €25,000 per day with a maximum of €500,000 in the event of non-compliance with any of the above orders. The processor considered this amount unreasonable.

Holding

The preliminary relief judge upheld the claim, but in a watered-down form.

The Court ruled that the processor must provide all the requested information in order to enable controller to investigate the cyber incident in a proper manner.

With regard to the claim to inform the controller of new information within four hours, the Court stated that this will only apply when (i) a new cyberattack occurs, (ii) new information shows that personal data of the controller were compromised, or (iii) information about the perpetrators is known. In all other cases, a daily update at 18:00 seems reasonable.

Concerning the appointment of an external forensic researcher the Court confirmed that within the framework of the instruction right of the controller, it can appoint an external researcher/auditor to check whether personal data is processed securely.

Finally, the Court considered the amount of €25,000 per day was not unreasonable and added it to the judgement.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority: Court of Rotterdam
Date of judgment: 06-04-2023
Date of publication: 06-04-2023
Case number: C/10/655051 / KG ZA 23-243
Jurisdictions: Civil rights
Special characteristics: summary judgment
Content indication: Judgment in interlocutory proceedings following a cyber attack resulting in a data breach. The client of the ICT company affected by the cyber attack is entitled to more information on the basis of the processing agreement concluded between the parties. The ICT company is also ordered to have an independent forensic investigation carried out.
Locations: Rechtspraak.nl
verdict

ROTTERDAM COURT
Trade and port team

case number / roll number: C/10/655051 / KG ZA 23-243

Judgment in summary proceedings of 6 April 2023

in the case of

the private limited liability company

BLAUW RESEARCH B.V.,

established in Rotterdam,

plaintiff,

lawyers mrs. V. van Druenen, C.R.F. Plaizier and F.L.M. van de Wetering in Amsterdam,

against

the private limited liability company

NEBU BV,

located in Wormerveer,

defendant,

lawyers mrs. J.G. Reus, T.J.M. de Weerd and A.M. van Aerde in Amsterdam.

Parties are hereinafter referred to as Blauw and Nebu.

1. The case in brief
1.1.
Blauw is a market researcher who uses Nebu's ICT services. On March 10 and 11, 2023, a cyber attack took place on Nebu's servers. In addition, data was stolen by the attackers. This has meanwhile led to various companies, including the Dutch Railways and VodafoneZiggo, warning a large number of customers that personal data has (possibly) become public.

1.2.
In these interlocutory proceedings, Blauw demands further information from Nebu about the attack, its consequences and the measures taken by Nebu. It also asks for an independent forensic investigation. Nebu does not dispute that it must provide information to Blauw, but has objections to (the extent of) the requested measures.

1.3.
Blauw's claims are largely upheld, some in a watered-down form. The following explains why.

2. The procedure
2.1.
The course of the procedure is evidenced by:

- the summons of March 28, 2023 and the deed with exhibits 1 to 31 of Blauw;

- the deed change of claim (increase of claim) of Blauw;

- the deed with supplementary exhibits 32 to 55 by Blauw;

- the oral hearing of 4 April 2023;

- Blauw's plea paper;

- Nebu's plea.

2.2.
The day after the oral hearing, the parties attempted to reach a settlement. This was not successful.

2.3.
Finally, a date for judgment was set.

3. The facts
3.1.
Blauw is a market research agency. Among other things, it conducts customer satisfaction surveys for its customers.

3.2.
Nebu is an ICT company. Among other things, it develops software for market research agencies to distribute (digital) questionnaires and to conduct more targeted market research. Nebu is part of the Enghouse group.

3.3.
Blauw uses the services and software of Nebu. Nebu processes personal data as referred to in the General Data Protection Regulation (hereinafter: GDPR).

3.4.
In March 2018, Blauw and Nebu concluded a processing agreement as referred to in Article 28 paragraph 3 of the GDPR, called the Data Processing Agreement (hereinafter: the DPA).

3.5.
The DPA determines, among other things:

“5. Duty of disclosure and incident management

5.1
[Nebu] immediately notifies [Blauw] of any incident in relation to the processing of personal data. In the event of an incident, [Nebu] will fully cooperate with [Blauw] and follow the instructions issued by [Blauw] in respect of this incident. This will enable [Blauw] to carry out a proper investigation into the incident, to formulate a correct response and to take appropriate follow-up steps in respect of the incident. If an immediate notification is not possible, [Nebu] will notify [Blauw] at least within 24 hours after an incident occurring.

5.2
The term "incident" as used in this article includes but is not limited to:

a) every unauthorized or unlawful processing, removal or loss of personal data;

b) every violation of the security or confidentiality as stipulated in articles 3 and 4 of this processor's agreement, which results in unlawful processing, removal or loss of personal data, or any indication that such violation will occur or has occurred.

5.3
[Nebu] has procedures and protocols in place that enable him to give [Blauw] an immediate response to an incident, and to effectively work with [Blauw] in order to investigate the incident, to respond to it and to deal with it. On [Blauw]'s first request, [Nebu] will provide [Blauw] with copies of such procedures and protocols.”

3.6.
On March 10 and 11, 2023, Nebu was hit by a cyber attack. Third parties have gained access to Nebu's servers and information has been downloaded. It is currently unknown whether data from Blauw and its customers (and their customers) has been stolen.

3.7.
On March 13, 2023, Nebu reported to Blauw and other Nebu customers that there is a malfunction in its services, as a result of which its services have been taken offline. It also sent several updates that day. It was not yet reported that there was a cyber attack or a (possible) data breach.

3.8.
On March 14, 2023, Blauw requested further information from Nebu. More specifically, it asked if any data had been leaked.

3.9.
On March 14, 2023, 11:13 p.m., Nebu reported to Blauw and other Nebu customers that a cyber attack took place on Friday, March 10, 2023 on Nebu's production environment in the Netherlands and that the services were therefore unavailable. Nebu announced a forensic investigation.

3.10.
On March 15, 2023 and the following days, Blauw and later its lawyer repeatedly (almost daily) asked Nebu questions about the cyber attack and its consequences and/or insisted on a speedy answer.

3.11.
Nebu sent an update to Blauw and other Nebu customers on March 20, 2023 about the restart of its RDP (remote desktop protocol) service. The update does not contain any information about the cyber attack. On March 21, 2023, Nebu wrote to Blauw that it currently had no information to provide other than the information contained in the update.

3.12.
Nebu provided an update to Blauw and other Nebu customers on March 24, 2023. It stated, among other things, that passwords had been stolen and that Nebu had determined that the cyber attack had led to 'a data breach of surveys and data stored in the cloud databases'.

3.13.
Following this latest update, Blauw's lawyer asked for further information on March 25, 2023. On March 26, 2023, Blauw's lawyer asked for confirmation whether the reported data breach meant that data had been stolen by the attackers.

3.14.
In an email dated March 27, 2023, Nebu confirmed to Blauw that it was ransomware software and that data had been exfiltrated (read: stolen) by the attackers. Nebu also (briefly) discussed the measures taken by Nebu in that e-mail.

3.15.
From March 27, 2023, Blauw's lawyer and Nebu continued to email, with Blauw requesting further information and Nebu providing more information.

3.16.
Nebu has conducted an internal investigation into the cyber attack. It handed over a report of this to Blauw at the oral hearing of these preliminary relief proceedings.

4. Dispute
4.1.
Blauw claims, after amendment of the claim, that the court, by provisionally enforceable judgment:

1) order Nebu to provide Blauw with the following information about the security incident described in the summons within one working day after the judgment has been rendered:

(i) all available information related to the cyber-attack, including a full account of initial access and the actions of the attackers from the time they gained access to the systems through Nebu taking its systems offline in response to the attack;

(ii) all available information on remediation of Nebu's systems, including the method and tooling used to "scan" the systems for residual malicious software, data and other vulnerabilities;

(iii) all available information about (the investigation into) the data exfiltration, including the indicators that indicate data exfiltration, the analysis of those indicators and which data of Blauw and/or its customers has been exfiltrated;

(iv) all available information about the attackers, including Nebu's analysis of the attackers' conduct, an explanation of Nebu's considerations in choosing not to contact the attackers, and sending the ransom note, that is, the text file found by Nebu that was left on its systems by the attackers, as well as any other messages it received from the attackers;

(v) all available information about the technical and organizational measures taken and planned by Nebu in response to the incident, including internal and external recommendations thereon and the status of their follow-up;

(vi) all available information and findings from the internal investigation into the incident;

2) to order Nebu to immediately and in any case within 4 hours after becoming aware of this, inform Blauw in writing of new information regarding or related to the security incident described in the summons;

3) order Nebu to provide Blauw with a written update twice a day for four weeks after the judgment has been rendered or as much longer as relevant developments have taken place with regard to the security incident described in the summons:

(i) any relevant developments related to the security incident,

(ii) the forensic investigation into the cause and (possible) consequences thereof, and

(iii) an answer to any questions Blauw may have regarding the incident,

every day at 11:00 AM and 7:00 PM Dutch time;

4) order Nebu to make available to Blauw a copy of the report drawn up by it as a result of its internal investigation into the incident (if any), in which personal data may be anonymized if necessary, within 24 hours after the judgment has been rendered;

5) order Nebu to:

a. immediately after the verdict is passed, instruct a third party to conduct an independent forensic investigation into:

(i) the cause (root cause) of the incident,

(ii) the extent to which data exfiltration has taken place and

(iii) the measures taken by Nebu in response to the cyber attack, and

b. to deliver the final report describing the results of this investigation within four weeks after the date of the judgment,

stipulating that the party to be designated by Nebu must possess (demonstrable) expertise and qualifications in the field of cyber security and conducting forensic investigations in that context;

6) order Nebu to make available to Blauw a copy of that report within 24 hours after the report of the investigation referred to under (5) has become available, in which personal data may be anonymized if necessary;

7) order Nebu to keep all data, information and documentation, in any form (including digital), that is currently available or will become available at a later time in relation to the incident, available for its own and/or Blauw's forensic (counter) investigation, including - but not limited to - the following data:

a. with respect to the computer (laptop) accessed: (i) the Windows Systems system logs, (ii) jumplists (display of recently or frequently used documents), (iii) shellbags (information about an open folder), (iv) autorun items, (v) LNK files (created automatically by Windows when a folder or file is opened or program is run), (vi) memory, (vii) prefetch files, (viii) registry, (ix) recycle bin and (x) Windows services;

b. with respect to the perimeter: (i) the proxy logs and (ii) the incoming and outgoing FW logs;

c. regarding the Nebu core infrastructure: (i) the active directory timeline, (ii) authentication logging, (iii) application logging, (iv) data loss prevention ("DLP") logging, (v) event logging, (vi) file integrity monitoring ("FIM") logging, (vii) Honeypot logs, (viii) SQL Server ("MSSQL") logs, (ix) Powershell logs, (x) task scheduler logs, and (xi) Windows Management Instrumentation ("WMI") logs; and

d. with respect to the Google Cloud Platform ("GCP"): (i) admin activity log, (ii) data access audit log, (iii) system event audit log, (iv) policy denied audit log and (v) SQL logs.

8) to order Nebu to immediately and in any event within 24 hours after a request thereto from Blauw provide all other cooperation required by Blauw in connection with the incident;

9) order Nebu for each of these claims separately to pay a penalty of EUR 25,000.00 for each day that Nebu fails to comply with this, with a maximum of EUR 500,000.00, or at least a penalty to be determined by the preliminary relief judge in good justice, and

10) order Nebu to pay the legal costs and subsequent costs, plus interest.

4.2.
Nebu defends. The defense seeks to dismiss the claims.

4.3.
The arguments of the parties will be discussed in more detail below, insofar as relevant.

5. The assessment
Urgent interest
5.1.
The urgency of this summary proceedings follows from the nature of the claims filed.

Starting point for the assessment

5.2.
Pursuant to Article 5.1 of the DPA, Nebu is obliged to inform Blauw about incidents related to the processing of personal data and to follow Blauw's instructions in such a case. It is not in dispute that the March 2023 cyberattack falls within the scope of this article. There is a dispute between the parties to what extent Blauw's right of instruction extends under Article 5.1 of the DPA. Blauw favors a broad interpretation of this provision, Nebu advocates a (slightly) more limited interpretation.

5.3.
In the provisional opinion of the preliminary relief judge, Blauw's right of instruction and Nebu's obligation to comply with it must be interpreted broadly. Blauw's right of instruction is intended, as appears from the text of Article 5.1, to enable Blauw to properly investigate an incident involving personal data, to determine its response to it and to take appropriate steps if necessary. So Nebu must cooperate in this, and she must do so in a loyal and generous manner. As a result of the collaboration with Blauw, Nebu has access to personal data of a large number of people (‘a substantial part of the Dutch population’, as Blauw undisputedly states). The consequences of a (possible) data breach of that data can be major. This does not mean that the right to provide instructions is interpreted in a limited way.

5.4.
The preliminary relief judge is therefore of the opinion that instructions from Blauw must be followed by Nebu under Article 5.1 of the DPA, unless:

(i) it cannot reasonably be seen that this is necessary for the purpose of Article 5.1 of the DPA (as apparent from the third sentence of this Article), or

(ii) Blauw makes manifestly unreasonable demands, for example unreasonably short terms.

Claim 1 (provision of all currently available information)

5.5.
Blauw first of all seeks an order requiring Nebu to provide information about the incident that occurred at Nebu in March 2023. Nebu is right that the claim is formulated broadly. However, the preliminary relief judge follows Blauw's reasoning that it was forced to formulate its claims in this way because it had received limited information from Nebu prior to these preliminary relief proceedings.

5.6.
Against this background, the various sub-claims 1.(i) to 1.(vi) are judged as follows.

- i) Claim 1.(i) relates to the question of what happened during the cyber attack. It should be clear that Blauw is entitled to this information. This claim will therefore be awarded in the manner set out below.

- ii) Claim 1.(ii) requests information on how and by what methods the system was restored. This claim is also granted, because it is important for Blauw to know whether its data is now safe.

- iii) With the claim under 1.(iii), Blauw wants to find out which customers' personal data have been leaked, or perhaps more accurately: to check the correctness of Nebu's conclusion that it cannot be determined whether personal data of Blauw's customers have been leaked. The uncertainty about this is a real problem for it. This claim will therefore be granted, especially now that it has been indicated at the hearing that Blauw will provide Nebu with a list of its customers for the sake of certainty (in this way problems with the implementation of this judgment can be avoided).

- iv) The claim under 1.(iv) pertains to the question of who the perpetrators of the cyber attack are. Blauw has a legitimate interest in this information, so this claim is also allowed. After all, this information can help it to estimate the risk of the data breach.

- v) The claim under 1.(v) is an extension of the claim under 1.(ii), namely that Blauw can check whether its data is now safe. This claim will be awarded in the manner set out below.

- vi) Claim 1.(vi) pertains to the provision of information from the internal reporting. Nebu's internal report was provided at the hearing, but the data and information on which the findings in Nebu's report are based were not provided. It is not unreasonable that Blauw wants to receive this information and the claim will therefore be awarded.

5.7.
In the foregoing, the preliminary relief judge has taken into account that no independent forensic investigation has taken place or even started so far. This makes it more reasonable that Blauw wants information than in the situation that Nebu immediately ordered an independent investigation. The inevitable consequence is that possibly business confidential information from Nebu may come into the possession of Blauw. The preliminary relief judge assumes that Blauw will handle the information it will obtain as a result of this judgment in a prudent manner.

Claim 2 and 3.(i) and (ii) (provision of future information) 1

5.8.
Claims 2 and 3.(i) and (ii) lend themselves to a joint treatment, because it always concerns information that has yet to be obtained. In the opinion of the preliminary relief judge, Blauw is asking too much on this point. The progress means that Nebu must always provide Blue with new information about the incident without delay and in any event within four hours of becoming aware of it, and must also send an update twice a day. Given the current state of affairs - the cyber attack was a few weeks ago and Nebu's services to Blauw are at a standstill - this is an excessive occurrence, except in the case of (i) a new cyber attack, (ii) information showing whether data from Blauw whether or not they were stolen in the cyber attack and (iii) information about the identity of the perpetrators. For the other information about the cyber attack, the preliminary relief judge considers a daily update at 6:00 p.m. Dutch time reasonable.

5.9.
This means that claims 2 and 3.(i) and (ii) are awarded in the manner set out below.

Claim 4 (provision of Nebu's internal reporting)

5.10.
Nebu submitted its internal report at the oral hearing of this preliminary relief proceedings. This means that claim 4 has been satisfied and does not require further processing.

Claim 5 and 6 (appointment independent forensic investigator)

5.11.
Blauw demands that an external party conduct an independent investigation into the cause of the incident, the extent to which data exfiltration has taken place and the measures Nebu has taken in response to the cyber attack. Nebu stated at the hearing that it cannot yet indicate whether data from (the customers of) Blauw has been exfiltrated. This means that Nebu was unable to find out for itself within a period of a few weeks. Under this circumstance, also in view of the large amount of personal data involved in this matter and in light of the initially limited information that Nebu provided to Blauw, the preliminary relief judge classifies the claim for the appointment of a forensic investigator under Blauw's right of instruction pursuant to Article 5.1 of the DPA. The fact that Blauw can choose to have an audit done at Nebu under the DPA does not detract from this. Claim 5 will therefore be awarded as stated below.

5.12.
Blauw further demands that the investigator's report be provided to Blauw as soon as it is ready. Blauw has a legitimate interest in obtaining this report as it relates to Blauw and its clients. Obviously, Blauw cannot claim the issue of a report containing information that does not concern Blauw, i.e. when it concerns other Nebu customers. Nebu can make the report illegible at that point. This also applies to the names of Nebu employees or other parties involved. The name of the expert should not be omitted.

Claim 7 (keep certain files available)

5.13.
Blauw is seeking an order to keep available all data, information and documentation that is available now or will become available at a later date. Nebu stated at the hearing that it would keep the available information available at the moment. This claim is therefore granted in the manner set out below. The enumeration of the data to be retained in the following sentence has been deliberately kept restrictive in order to avoid ambiguities in the execution of this sentence. In view of Nebu's undertaking, the preliminary relief judge does not consider it appropriate and necessary to impose a penalty as an incentive to comply.

Claim 8 (cooperation in the future) and claim 3(iii) (answer any questions from Blauw)

5.14.
Blauw demands that Nebu be ordered to provide all necessary cooperation in relation to the incident and to answer any questions Blauw may have. Nebu argues that these claims are too indeterminate and that imposing a penalty on this conviction will lead to enforcement disputes. Nebu has a point that the claim is very broad, but it is not unreasonable that Blauw wants a conviction on this point. The preliminary relief judge understands that the provision of information after a ransomware attack, especially in the days after the attack, can be complicated, but at the same time Nebu has obligations towards Blauw for whom it processes personal data. The provision of information was limited to this interlocutory proceedings. In order to somewhat meet Nebu's objections on this point, the preliminary relief judge will formulate the sentence in the manner set out below and will currently refrain from imposing a penalty for this sentence.

Claim 9 (penalty payments)

5.15.
Blauw is claiming penalty payments of €25,000 for each day with a maximum of €500,000. These will be imposed, except insofar as it has been considered above that this will not happen for a specific conviction. The amount of the periodic penalty payments is not unreasonable and there is no reason for a lower maximum.

Other

5.16.
The preliminary relief judge will subsequently include various time limits in the dictum (the final paragraph of this judgment). In some cases this concerns the commencement date of Nebu's conviction, in other cases an end date is included in the conviction. In claim 3, Blauw asked for a sentence of four weeks or 'as much longer as there are relevant developments'. To avoid ambiguities about the end date and thus possible discussions about penalty payments, the preliminary relief judge has opted for fixed end dates. If provisions are still required afterwards, it can be determined in a possible further summary proceedings whether there is still a sufficient basis for this at that time.

5.17.
The preliminary relief judge will include in the operative part that the convictions under this judgment do not oblige Nebu to provide Blauw with legal advice from lawyers of Nebu and information that specifically relates to clients of Nebu other than Blauw. After all, this information does not concern Blauw.

5.18.
Nebu is ordered to pay the costs of the proceedings as the unsuccessful party. The costs on the side of Blauw are estimated at:

serving summons: €106.73
court fee: €676.00
lawyer salary: €1,619.00
Total: €2,401.73

5.19.
The judgment of 10 June 2022 of the Supreme Court (ECLI:NL:HR:2022:853), under number 2.3, shows that no separate decisions need to be made in this judgment about subsequent costs and interest on this.

6. The decision
The preliminary relief judge:

6.1.
orders Nebu to provide Blauw with the following information about the security incident at Nebu in March 2023 within two working days after service of this judgment:

(i) all available information related to the cyber-attack, including a full account of initial access and the actions of the attackers from the time they gained access to the systems through Nebu taking its systems offline in response to the attack;

(ii) all available information on remediation of Nebu's systems, including the method and tooling used to "scan" the systems for residual malicious software, data and other vulnerabilities;

(iii) all available information about (the investigation into) the data exfiltration, including the indicators that indicate data exfiltration, the analysis of those indicators and which data of Blauw and/or its customers has been exfiltrated;

(iv) all available information about the attackers, including Nebu's analysis of the attackers' conduct, the text file found by Nebu left behind by the attackers on its systems, as well as any other communications it has received from the attackers;

(v) all available information about the technical and organizational measures taken and planned by Nebu in response to the incident, including internal and external recommendations thereon and the status of their follow-up;

(vi) the data and information underlying the findings of the internal investigation into the incident (this does not include a copy of the entire servers),

6.2.
orders Nebu to inform Blauw in writing immediately, and in any case within four hours after it becomes known, of new information about (i) a new cyber attack at Nebu, (ii) information showing whether or not data from Blauw and its customers have been stolen in the cyberattack of March 2023 and (iii) information on the identity of the perpetrators of that attack; this conviction 6.2 expires on October 6, 2023, 6:00 PM Dutch time;

6.3.
orders Nebu to provide Blauw with an update in writing daily at 6:00 PM Dutch time on:

(i) all developments relevant to Blauw with regard to the security incident, and

(ii) the forensic investigation into the cause and (possible) consequences of the incident,

this conviction 6.3 expires on June 6, 2023, 6:30 p.m. Dutch time;

6.4.
orders Nebu, within five working days of service of this judgment, to instruct an external party to conduct an independent forensic investigation into the cause (root cause) of the incident, the extent to which data exfiltration has taken place and the measures Nebu has taken as a result of the cyber attack, subject to the following:

the party to be designated by Nebu must have demonstrable expertise and qualifications in the field of cyber security and conducting forensic investigations in that context;

Nebu must instruct the investigator(s) to prepare the final report within four weeks if possible;

6.5.
orders Nebu to make a copy of that report available to Blauw within 24 hours after the report of the investigation referred to under 6.4 has become available, in which report personal data may be anonymised and whereby data from Nebu customers other than Blauw (and its customers) may be omitted;

6.6.
orders Nebu to keep the data referred to in this judgment under 4.1 under 7, sub a to d, insofar as they are still available on the judgment date or become available afterwards, for forensic (counter) investigation to be carried out by itself or Blauw;

6.7.
orders Nebu to the extent within its power to answer any questions from Blauw about anything related to the cyber attack and to comply with its instructions within the limits referred to above under 5.3 and 5.4; this conviction 6.7 will expire on June 6, 2023, 6:00 PM Dutch time;

6.8.
determines that the convictions under this judgment do not oblige Nebu to provide Blauw with legal advice from lawyers of Nebu and information specifically relating to clients of Nebu other than Blauw (and its clients);

6.9.
orders Nebu to pay Blauw a penalty of € 25,000 for each day that it fails to comply with one or more of the main sentences pronounced under 6.1, 6.2, 6.3, 6.4 and 6.5, up to a maximum of € 500,000 in total;

6.10.
orders Nebu to pay the costs of the proceedings, estimated to date at € 2,401.73 on the part of Blauw, plus the statutory interest as referred to in Article 6:119 of the Dutch Civil Code on that amount with effect from the 15th day after service of this judgment until the day of full payment;

6.11.
hereby declares this judgment provisionally enforceable,

6.12.
rejects all other or further claims.

This judgment was rendered by mr. N. Doorduijn and pronounced in public on April 6, 2023.

3608/1876

1 Claim 3 sub (iii) concerns the answering of any questions from Blauw regarding the incident. This claim will be discussed together with claim 8 below.