Incident Response Planning in a Nutshell (Part 4/5)
As part of our 5-part series (part 1, part 2, part 3, part 5), this article dives deeper into the different jurisdictions that organizations in today’s globalized world may be subject to.
According to the Cyber Incident Management Planning Guide published by the IIROC, “companies have an obligation to be aware of the breach notifications in each jurisdiction in which they operate, and to have internal policies consistent with applicable law”.
Depending on where your organization operates and how it monitors individuals’ behavior, you may be subject to a variety of different jurisdictions and data breach notification standards, including:
Each jurisdiction imposes data protection standards with regards to when and how organizations should or must disclose data breaches. This allows individuals whose personal information has been compromised to take remedial steps to avoid potential adverse consequences, such as financial losses or identity theft.
Disclaimer: This article does not constitute legal advice. While it focuses on a selection of today’s common data protection standards, it is by no means an exhaustive analysis and doesn’t cover the full extent of the global legislative landscape, which is constantly changing. Organizations are best advised to consult data privacy legal experts to be prepared to notify individuals according to these various standards.
Related post: Personal Information & Data Privacy in Canada: PIPEDA 101
In Canada, the main applicable law is the Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act), as modified by the Digital Privacy Act, some of which came into force on June 18, 2015. The law applies to all organizations “except organizations that collect, use or disclose personal information entirely in Alberta, British Columbian or Quebec, (or Ontario, New Brunswick and Newfoundland and Labrador in respect of personal health information collected, used or disclosed by health information custodians; PIPEDA otherwise covers commercial activities in these provinces)”.
The Digital Privacy Act states that an organization shall report to the Privacy Commissioner and the individuals concerned “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” (S. 10(1) and (3)).
The concept of ‘significant harm’ is defined as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property” (S. 10(7)).
The expression ‘real risks’ is evaluated by taking into consideration the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused (S. 10(8)). The notifications shall be done “as soon as feasible after the organization determines that the breach has occurred” (S. 10(2) and (6)).
The legislation further states that organizations must notify third parties, such as other businesses, if this could help to reduce or mitigate its damages. In such cases, organizations are allowed to disclose personal information without consent (in the circumstances of s. 10.2(3), (4)). The disposition is seemingly broad enough to include notification to law enforcement authorities, whenever it could help to reduce or mitigate damages. Another example would be notifying credit cards’ issuing banks.
Organizations are also required to keep a record of every breach of security safeguards involving personal information under its control and provide, on request, access to the Commissioner. This obligation involves any security safeguards, whether or not it is related to a data breach.
The Commissioner may make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act if he deems that it is in the public interest. This includes any reports of data breaches received under the new provisions.
Any organization that fails to report to the Office of the Privacy Commissioner of Canada (OPC) or fails to notify individuals of a breach that poses a real risk of significant harm, or knowingly fails to maintain a record of all breaches could face fines of up to $100,000 (CAD).
The provisions regarding breach reporting, notification and record keeping have yet to enter into force, that is when “related regulations outlining specific requirements are developed and in place”.
Such regulations are likely to specify the timing, form, manner, and level of information required in the notice of breach.
At the moment, the law only provides that the notification must contain “sufficient information” to allow an individual to understand the significance of the breach and to take steps to mitigate or reduce any resulting harm (section 10.1(4)).
Nonetheless, the Guidelines for Privacy Breaches of the Canadian Government require that federal agencies include the following in their notification of individuals:
The notification should be sent directly to individuals either by letter (first class recommended), by telephone or in person unless practical reasons command otherwise (e.g. the number of individuals is too large).
These Guidelines further recommend that individuals be noticed of developments as the matter is further investigated and outstanding issues are resolved.
For most organizations, and until the entry into force of the new dispositions from the Digital Privacy Act, breach reporting remains voluntary in principle.
Only the province of Alberta currently has provisions regarding mandatory breach notifications. In the province of Quebec, the applicable legislation does not, at the moment, have any provisions for mandatory data breach notification, notwithstanding a recommendation to this effect by the Commission d’accès à l’information.
Note that some sectors, mostly health and finance, have specific applicable legislation. The Ontario’s Personal Health Information Protection Act of 2004 specifies that the health information custodian must be notified “at the first reasonable opportunity” each time that any health information provided “is stolen or lost or if it is collected, used or disclosed without authority” (art. 11).
The notification provision is even more stringent with regards to the circumstances under which the OPC must be notified:
(15) It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information that is accessible by means of the electronic health record,
Related post: GDPR: Frequently Asked Questions
In the European Union (EU), the General Data Protection Regulation (GDPR), set to replace Directive 95/26/EC, came into effect on May 25, 2018. The new legislation has wide-reaching implications as it applies to all controlling and processing activity in the EU, but also to data controllers and processors located outside of the EU that are offering goods and services in the EU and who monitor individual’s behavior. It also directly applies to each member state to lead to a better degree of harmonization compared to Directive 95/26/EC.
Article 4 of the GDPR imposes stringent mandatory breach notifications to natural or legal persons, public authorities, agencies and other bodies. A data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, authorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed”. The notion of personal data is also extended to include a person’s name, location data, an online identifier, and genetic data meaning all IP addresses, mobile IDs and such.
The GDPR will require data breach notification to the responsible national supervisory authorities without undue delay, that is not later than 72 hours after awareness of the incident.
The notification to individuals is also done without undue delay if the risk is high that the breach affects the rights and freedoms of natural persons (e.g. the right to privacy).
Notification is not necessary when data are unintelligible to any person who is not authorized to access it or if the organization has taken subsequent measures to ensure that a substantial risk is not likely to materialize. If breach notification involves a disproportionate effort, a public communication can be used instead. The content of the notification is similar to what has been discussed above in the American and Canadian context.
Lastly, the GDRP imposes an obligation to document any personal data breach. Fines for non-compliance to these dispositions can be as high as 2-4% or up to €10-20 million of the company’s worldwide annual revenue of the prior fiscal year.
Until the entry into the GDPR, the European telecommunications sector is the only one with mandatory data breaches notification as required by the e-Privacy directive. Note that these provisions should also be extended by the Network and Information Security Directive (NIS Directive).
In the United States, organizations may have to conform to as many as 47 different data breach notification statutes.
While most legislations share common denominators, they may differ with regards to the timing and content of the consumer notice.
Some States require government notification and evaluate breach based on harm threshold, while others simply don’t.
For instance, corporations operating in Washington must send their notice at the “most expedient time possible, without unreasonable delay, no more than 45 days”, whereas Texas equivalent simply require that the notice be sent “as quickly as possible”, both subject to the scope of the breach and the time required to restore the reasonable integrity of the system.
There is no requirement of content in Texas as opposed to Washington where the notice “must be written in plain language and include, at a minimum, the following:
Note that OMB Memorandum M-07-16 (“Safeguards against and responding to the breach of personally identifiable information”) imposes breach notification procedures for federal agencies.
Attachment 3 of this Memorandum, titled “External Breach Notification”, identifies the factors that should be considered to determine whether a notification outside the agency should be given and the nature of such notification.
The principle is that the likely risk of harm and the level of impact will determine when, what, how and to whom notification should be given.
The factors are similar to those discussed under the Canadian jurisdiction: nature of the data elements breached, number of individuals affected and likelihood that the information is accessible and usable.
A notification may not be necessary for encrypted information and should be sent without unreasonable delay, unless delayed for law enforcement, national security purposes or agency needs.
An increasing number of jurisdictions are currently in the process of modifying their legislation to include mandatory data breach notification.
In Australia, the federal government has published a notification scheme in November 2017.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 is among a list of new legislation to be discussed in this new session of parliament. The exposure draft states that the victim organization must notify customers, the Privacy Commissioner and potentially the media if the breach is serious. The proposed legislation defines “serious breach” and identifies the steps an organization has to take to address it.
It would be enforced by the Privacy Commissioner, which could chase civil penalties for non-compliances (up to $1.8 million for businesses).
Countries and states that don’t have mandatory data breach notification are currently being pressured to adhere to new international norms in order to maintain global partnerships and strengthen national cybersecurity, for example, the Bahamas.
Overall, the approaches vary considerably with countries imposing strict delay (e.g. Costa Rica’s Law No. 8968, Protection of the Person Concerning the Treatment of Personal Data, imposes a notification within five working days) and others using broad statement (e.g. “without undue delay” or “in a reasonable delay”).
This international legal framework certainly adds to the burden of organizations and complicates IRP.
Depending on where your organization operates, it may be subject to a variety of different jurisdictions – each with its respective standards and guidelines for data breach notification following a security incident.
In closing, it is important to mention that although your business may be located in only one country, it may be subject to data protection legislations in more than one country if it offers its products and services internationally or collects data from international audiences. If you’re unsure about which legislations apply to your specific situation, be sure to consult a data protection/ data privacy expert. You may be subject to more legislations than you think.
Now that we’ve learned about some of the different jurisdictions with regards to data breach notification, how can businesses improve their incident response planning skills over time? What lessons can be learned from incidents? And how should the ‘lessons learned’ process look like?
Stay tuned for our final part of our 5-part blog series about Incident Response Planning in next week’s article.
This blog post was first published in April 2018, and has been updated in May 2018.
