Data breach notification requirements
As companies grow increasingly global, they must navigate a shifting landscape of data protection laws, with new and amended rules coming into effect each month. In particular, with the increasing risk of security incidents paired with a multinational base of consumers, employees and business operations, these global companies face a dizzying range of data breach notification obligations. The first data breach notification law was California’s SB 1386, which came into effect on 1 July 2003. Since then, these statutes have proliferated throughout the United States and around the globe, most recently culminating with the mandatory personal data breach notification requirements of the European Union’s General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.[1] Data breach notification laws generally apply based on the residence of potentially affected individuals rather than the specific location of the data breach or the company’s geographic base of locations. For instance, European breach notification laws also apply to companies that are not established in the European Union but process data of individuals who are in the European Union.
Notification obligations vary widely from country to country and even from state to state within the United States, apart from the GDPR, which generally provides for EU-wide rules. For example, laws often vary in:
• how they define what data is considered personal information;
• which events are considered a breach;
• when the notification obligation is triggered;
• who must be notified in a given situation, including potentially affected individuals and government authorities;
• the timing, format, contents and method of delivering these notifications;
• the exceptions and exemptions that mitigate the necessity to provide notifications; and
• the penalties and rights of action available when companies fail to provide timely or proper notice.
Recent high-profile ransomware attacks provide a timely example of the variations among data breach notification laws. Even within the same jurisdiction, a ransomware attack may be treated differently under otherwise applicable data breach notification obligations. For example, a ransomware attack may be considered a breach requiring notification under one set of legal requirements, while under another set of laws of the same jurisdiction, such an event may not qualify as a breach, or it may fall within an exception, such as for a limited risk of harm or because the data at issue was encrypted. In addition, many jurisdictions have not explicitly enacted data breach notification laws, but may nevertheless issue strong guidance encouraging companies to voluntarily provide notifications or maintain internal records of data security incidents.
While the United States has developed a significant body of state-level breach notification laws since the first law came into effect in California, for many global companies, the advent of the European Union’s GDPR framework in May 2018 represents a sweeping expansion of breach-related risks due to the greater jurisdictional exposure to mandatory notification obligations, tighter notification timeframes and the possibility of substantially higher penalties for noncompliance. Articles 33 and 34 of the GDPR require a company acting as a data controller to notify data protection authorities of a personal data breach ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms’ of the affected individual. Similarly, with limited exceptions, a company acting as a data controller should also notify affected individuals ‘without undue delay’ ‘[w]hen the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons’. While China, Australia and other countries have recently adopted or amended mandatory data breach notification requirements, this article focuses on data breach notification laws in the United States and European Union to help practitioners tasked with investigating cross-border data incidents subject to these obligations.
In the United States, all 50 states,[2] the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws requiring notification of data breaches that involve certain types of personal information. These statutes vary, but they typically require notification when there has been ‘unauthorised acquisition of’,[3] ‘access to’,[4] or ‘a reasonable belief of unauthorised acquisition of’[5] personal information.[6]
Most state data breach notification statutes define ‘personal information’ to include an individual’s name in combination with certain unencrypted sensitive data elements, including:
• social security number or other government-issued identification numbers;
• financial account or payment card numbers (usually in combination with any code or password that allows access to an individual’s account); or
• health or medical information.[7]
The term ‘unauthorised acquisition’ is not explicitly defined under the various state laws, but it is generally understood to involve more than mere ‘access’. For example, access involves viewing or having the ability to view or access a file without actually downloading, printing, or electronically or manually copying the information. The New York and Alabama statutes and California’s informal breach guidance each reference similar factors for determining whether there was unauthorised acquisition:
• indications that the information is in the physical possession and control of a person without valid authorisation, such as a lost or stolen computer or other device containing information;
• indications that the information has been downloaded or copied; and
• indications that the information was used by an unauthorised person, such as fraudulent accounts opened or instances of identity theft reported.[8]
By contrast, other states define ‘breach’ in terms of mere unauthorised access to personal information, rather than requiring acquisition.[9] Under this approach, notification obligations may exist even in the absence of exfiltration of data. The states that take this approach are Connecticut, Florida, New Jersey and Rhode Island. In reviewing the definitions of personal information in these states, at least in Florida and Rhode Island, unauthorised access to an online account username and password alone would be sufficient to trigger notification obligations.
For states that require notification only upon unauthorised acquisition (as opposed to mere access), further investigation may be necessary to determine whether data was actually exfiltrated (or if it is reasonably likely to have been exfiltrated). If data was actually exfiltrated, then the investigation will turn first to determine the nature of that data and second to ascertain the states of residency for the individuals to whom the data relates. To determine whether data was exfiltrated, forensic examination of affected systems is often required. This may include, for example, reviewing available logs; if the log analysis does not provide sufficient detail to assess this key question, it may be necessary to review the contents of the affected devices to determine the type of data potentially affected. If the personal information (as defined in the law of the state of residency for each affected individual) was reasonably likely to have been exfiltrated, then that state’s general data breach notification law is likely to be triggered, unless an exception applies. Depending on the residency of affected individuals, applicable state law may also require notification to state government authorities if even one resident is affected or if a threshold total of state residents are affected.
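The content review described in this paragraph is usually done with tooling rather than by eye. As an added illustration (this script is not part of the original article), the following Python code triages a constructed CSV export of the kind that might be recovered from an affected device, looks for the covered data elements listed above, and separates records that pair a name with an element from records holding an element alone (which still count in states such as Indiana, see footnote 7). It goes slightly beyond the paragraph by validating candidates structurally (a Luhn check for card numbers, never-issued area/group/serial ranges for SSNs) so that obvious false positives do not inflate the count. The sample export, its names and numbers are all synthetic; the column names are assumptions.

```python
import csv
import io
import re

# Constructed sample standing in for a recovered export found on an affected host.
# All values are synthetic: 4111 1111 1111 1111 is a well-known test card number,
# the SSNs are made up, and the people do not exist.
SAMPLE_EXPORT = """\
id,name,ssn,card,notes
1,Jane Doe,123-45-6789,,renewal
2,John Roe,,4111 1111 1111 1111,callback requested
3,,234-56-7890,,name field not captured
4,Ann Poe,000-12-3456,4111111111111112,both values fail validation
5,Sam Coe,,,nothing sensitive here
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check only: the SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000, so such strings cannot be real SSNs."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_elements(text: str) -> set:
    """Covered data-element types present in one record's text."""
    found = set()
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card")
    return found


def triage(export_text: str) -> dict:
    """Classify each record: name paired with a covered element (the typical
    state definition) or an element with no name (still covered in some states).
    Records with no validated element are skipped."""
    result = {"name_plus_element": [], "element_only": [], "element_types": set()}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Scan every column except the name itself, so names cannot produce hits.
        scan_text = ",".join(v for k, v in row.items() if k != "name" and v)
        elements = find_elements(scan_text)
        if not elements:
            continue
        result["element_types"] |= elements
        bucket = "name_plus_element" if row["name"].strip() else "element_only"
        result[bucket].append(row["id"])
    result["element_types"] = sorted(result["element_types"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT))
```

On the sample, records 1 and 2 pair a name with a validated SSN or card number, record 3 holds an SSN with no name, and record 4 is dropped because both its values fail validation. Pattern matching of this kind only tells the investigator which element types are present in the recovered content; it says nothing about whether the data actually left the host (that still comes from logs and other forensic artefacts), and it will not see elements stored encrypted or in formats the patterns do not cover, which is exactly the distinction the encryption exceptions in many statutes turn on.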
Forty-four[10] states’ and territories’ breach notification laws do not require notification to individuals if the organisation determines that the incident does not pose a risk of harm to affected individuals. The risk-of-harm standard varies among the states. A number of states’ laws refer generally to the risk of misuse of the personal information, while other states’ laws refer more specifically to the risk of identity theft, fraud or economic loss. Some states require law enforcement to be consulted in making this determination. Also, some states require written documentation of the risk-of-harm analysis to be submitted to the state regulator if notice will not be made due to the conclusion that there is no risk of harm.[11]
Several states have moved from simply requiring notice of breaches after they happen towards setting out more prescriptive standards aimed at prevention of data breaches. At least 20 states impose various levels of data security requirements on businesses (or a particular class of business, depending on the statute) that collect personal information about residents of that state.[12] While there are some variations, most of these laws do not contain many specific data security requirements, instead requiring only that businesses implement and maintain ‘reasonable’ procedures to safeguard personal information.[13] Some states require businesses that contract with third-party service providers to take additional steps to ensure the security of the data transferred to those providers.[14]
The most detailed among the state information security laws is the Massachusetts law titled Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts. The comprehensiveness of the Massachusetts law has led many companies to view these standards as a reasonable proxy for compliance with other information security legal standards in the United States.
The GDPR is a regulation under EU law, meaning that it applies directly to all 28 member states of the European Union. Consequently, while EU governments may draft implementing legislation, the general requirements of the GDPR will apply throughout the European Union whether an individual member state enacts implementing legislation or not. Nevertheless, individual member states can implement derogations from the GDPR requirements. Such derogations are expected to be limited in scope, meaning that the consistency of data protection requirements across member states is expected to be enhanced under the newly enacted GDPR framework. The GDPR has repealed the Data Protection Directive 95/46/EC (the Directive).
Under the GDPR, data protection authorities in each of the member states have expanded supervisory and enforcement authority as compared to their powers before the GDPR came into effect. This includes the authority to fine organisations, including controllers and processors, up to €10 million or up to 2 per cent of their global annual turnover (depending on the nature and severity of the incident) for failing to notify data protection authorities or affected individuals, as may be required under articles 33 and 34. Additionally, the newly created European Data Protection Board[15] now plays a greater role in ensuring consistent application of the GDPR across the European Union.
The GDPR has a greater jurisdictional reach than the Directive it replaced, and thus it applies to many more organisations. Specifically, under the GDPR, processors are now subject to direct legal obligations – although these obligations are not as comprehensive as those applying to data controllers. Processors are organisations that only process personal data on behalf of another organisation (the data controller). The data controller retains overall responsibility for the protection of personal data, but the processor has an important role to play in enabling the data controller to comply with its obligations, including personal data breach notifications. Additionally, organisations not established in the European Union that offer goods or services to individuals in the EU or monitor their behaviour must also comply with the GDPR. For example, a company based in the United States with a consumer base including EU-based individuals (to whom it targets goods or services) will be expected to comply.
With regard to personal data breach notification obligations under the GDPR, unlike in the United States where a breach typically involves unauthorised access to or acquisition of a certain set of covered data elements, the GDPR defines a personal data breach as ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed’. The GDPR only applies where there is a breach of personal data, meaning that breaches affecting other data are not reportable under the GDPR. The GDPR also has a much broader definition of ‘personal data’ than the limited set of sensitive data elements typically included in US breach statutes: under article 4(1), personal data means any information relating to an identified natural person or to an identifiable natural person, meaning someone who can be identified directly or indirectly by reference to an identification number, location data, online identifier or certain other identifying characteristics. Needless to say, the GDPR’s approach extends far beyond that of US data breach statutes, and many more data security incidents may be considered a breach under the GDPR, including ransomware events.
Data controllers have specific obligations under article 25 to implement the principle of data protection by design and default into their processing operations when building databases and systems. This obligation underscores the need for organisations to consider data protection compliance at the start of a project so that data protection rules can be appropriately integrated.
As part of this process, data protection impact assessments (DPIAs) are mandatory when a particular proposed data processing activity is likely to result in a high risk to the rights and freedoms of individuals. DPIAs are in large part meant to help organisations prepare for, prevent against and mitigate the consequences of a personal data breach. The process of performing a DPIA involves assessing the likelihood and severity of risks involved in the proposed data processing, as well as the measures and safeguards that can be introduced to mitigate risks. Large-scale processing operations affecting many people and processing activities involving certain sensitive categories of data (called ‘special categories of data’ under article 9) both carry higher risks to individuals and are more likely to require a DPIA.
The GDPR introduced an obligation to report personal data breaches to data protection authorities and, in some cases, to affected individuals. As with the GDPR generally, this is a comprehensive obligation and is not industry-specific; instead, this obligation is triggered if the personal data breach is likely to result in a risk to individuals. The obligation under article 34 to notify affected individuals is only triggered where the breach could result in a high risk to individuals. A data controller does not need to notify individuals when:
• the personal data at issue has been subjected to certain measures, such as encryption, that make it unintelligible to unauthorised recipients;
• the data controller has taken measures to reduce the risk; or
• notification would involve efforts disproportionate to the risks to affected individuals (in which case a data controller may instead make a public announcement).
Regardless of whether or not a personal data breach triggers notification requirements, the controller must keep documentation of all personal data breaches and its reasoning for the decisions taken in response to a personal data breach. This obligation is linked to the accountability principle of the GDPR.
Due to the complex nature of incident response and personal data breach investigations, it may be difficult for an organisation to determine whether in fact a breach, as defined by law, has occurred, particularly within the 72-hour window to notify authorities provided by the GDPR.[16] The Article 29 Working Party considers that the 72-hour window starts when the data controller has a ‘reasonable degree of certainty’ that a security incident has occurred that has led to personal data being compromised, or once the processor has informed the data controller of the breach (ie, when the controller ‘becomes aware’). In the United States, the time frame for providing required notifications is typically based on when the organisation determines a breach has occurred, not merely when it became aware of an incident. In the first 72 hours after discovering an incident, it may not be possible to conduct the necessary forensics to determine, for example, the nature of the affected information or the individuals to whom it relates (if any). Such an expedited investigation and breach analysis period may result in more ‘false positive’ personal data breach notifications in the European Union than in the United States, although guidance from the Article 29 Working Party indicates that organisations may opt to provide an initial notice to authorities that can be subsequently updated once a more robust investigation has taken place. While the value of providing initial notifications to authorities without details remains to be seen, organisations should nevertheless take steps to prepare for a rapid response to any personal data breach that may be subject to the GDPR. Ensuring adequate response capability and effective processes to be able to respond to an incident and execute any GDPR-required notifications in a prompt manner will be critical for compliance.
Another area given greater importance under the GDPR involves adherence to codes of conduct to demonstrate compliance. Data protection authorities encourage the development of codes to take account of specific features of particular industries and sectors. If a data protection authority approves a particular code, adherence can be relied upon by organisations to demonstrate compliance with other aspects of the GDPR. (Consequently, industry sectors may explore developing a code tailored for their specific requirements.) Data controllers and processors may similarly demonstrate compliance by obtaining a certification recognised under the GDPR. It remains to be seen whether any of the standards or guidance frameworks developed by various national and international standards bodies, government agencies and trade organisations may be recognised as a code of conduct or certification.
If an organisation encounters a data security incident involving residents of multiple countries, in determining whether to notify individuals or government authorities, the organisation may face a substantial burden to analyse all potential legal requirements under each jurisdiction in which affected individuals reside. As a result, organisations may elect to notify the entire group of affected individuals, regardless of whether a legal obligation would require notification to every individual. This approach may reduce the analytical burden of conducting a multi-jurisdictional breach analysis. Instead, the company’s decision to notify the broader group of affected individuals allows the focus of incident and data breach response efforts to shift to ensuring prompt notification, with consistent messaging. In the event notification is required in some or all jurisdictions, the organisation’s promptness and consistency may aid in managing the overall perception of the incident and the organisation’s response, potentially reducing the risk of litigation and reputational harm to the company, regardless of jurisdiction. Depending on a company’s consumer base, geographic scope of business operations, applicable laws and regulations, and the specific facts of an incident, it may be possible for a company to engage in a complex, multi-jurisdictional breach analysis and determine that it ultimately has no notification obligations. However, the global trend towards the adoption of data breach notification requirements makes it increasingly unlikely that a company will avoid notifications altogether.
Organisations can prepare in advance by:
• developing a holistic, enterprise-wide incident response plan;
• engaging in periodic cybersecurity exercises to stress-test such plans and the capabilities of the company to respond; and
• monitoring legal developments as data breach notification laws continue to proliferate.
Companies with EU-facing operations are likely to benefit across jurisdictions from incorporating privacy by design principles and conducting required DPIAs to assess risks, and they may also benefit by participating in industry-specific efforts to develop codes of conduct that establish benchmarks for GDPR compliance in such a way that they harmonise with existing data breach notification obligations across other jurisdictions.
[1] Discussions of industry-specific regulations, such as those that may apply to the energy, health or financial sectors, are beyond the scope of this article.
[2] Alabama and South Dakota each passed data breach notification statutes in 2018, with Alabama’s statute taking effect on 1 June 2018 and South Dakota’s statute taking effect on 1 July 2018.
[3] See, eg, Ark. Code Ann. section 4-110-103(1)(A).
[4] See, eg, NJ Rev. Stat. section 56:8-161.
[5] See, eg, Alaska Stat. section 45.48.090(1).
[6] Some US state statutes use variations of this language, such as ‘unauthorised access and acquisition’, ‘unlawful and unauthorised acquisition’, ‘unauthorised acquisition or acquisition without valid authorisation’, and ‘unauthorised acquisition or unauthorised use’.
[7] Not every state requires an individual’s name in combination with an additional sensitive data element. Some states instead define ‘personal information’ to include a single unencrypted data element; for example, Indiana’s definition of personal information includes a social security number on its own, whether accompanied by an individual’s name or not.
[8] See 2018 Ala. Laws No. 396; NY Gen. Bus. Law section 899-aa(1)(c); Cal. Dep’t of Consumer Affairs, Office of Privacy Protection, Recommended Practices on Notice of Security Breach Involving Personal Information 11 (January 2012). Alabama’s recently enacted statute also includes a fourth factor: ‘whether the information has been made public’.
[9] See, eg, Conn. Gen. Stat. section 36a-701b(1); Fla. Stat. section 501.171(1)(a); NJ Stat. section 56:8-161; RI Gen. Laws section 11-49.3-3(1).
[10] This count includes South Dakota, whose breach notification statute became effective 1 July 2018. The following states and territories do not contemplate a risk-of-harm analysis in the text of their breach statutes: California, District of Columbia, Georgia, Illinois, Minnesota, North Dakota, Puerto Rico, Tennessee, Texas and the Virgin Islands.
[11] See, eg, VT Stat. Tit. 9 section 2435(b)(3)(B).
[12] These states include Arkansas, California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kansas, Louisiana, Maryland, Massachusetts, Minnesota, Nebraska, Nevada, New Mexico, Oregon, Rhode Island, Texas and Utah.
[13] See, eg, Tex. Bus. & Com. Code section 521.052.
[14] For example, under the Maryland Personal Information Protection Act, a business that discloses personal information to a third-party service provider must contractually require the third party to implement and maintain reasonable security procedures and practices. Other states, such as Minnesota, call for companies that use payment card readers to comply with at least part of the Payment Card Industry Data Security Standard (PCI-DSS). Nevada requires that companies encrypt sensitive personal information if transferred.
[15] The European Data Protection Board (EDPB) is essentially an updated and renamed version of the Article 29 Working Party, which consisted of various member state data protection authorities and issued non-binding guidance in the lead-up to the GDPR’s entry into force in May 2018.
[16] Note that article 33 of the GDPR qualifies the 72-hour time frame with the language ‘where feasible’, which may factor into breach determinations where the implications of an incident remain unclear after 72 hours.