As part of our 5-part series about Incident Response Planning (IRP), this article dives deeper…
Incident Response Planning in a Nutshell (Part 4/5)
According to the Cyber Incident Management Planning Guide published by the IIROC, “companies have an obligation to be aware of the breach notifications in each jurisdiction in which they operate, and to have internal policies consistent with applicable law”.
Depending on where your organization operates and how it monitors individuals’ behavior, you may be subject to a variety of different jurisdictions and data breach notification standards, including:
- PIPEDA and the Digital Privacy Act in Canada,
- GDPR in the European Union,
- 47 different data breach notification statutes in the United States, and
- A variety of other data protection legislation across the world.
Each jurisdiction imposes data protection standards with regard to when and how organizations should or must disclose data breaches. This allows individuals whose personal information has been compromised to take remedial steps to avoid potential adverse consequences, such as financial losses or identity theft.
International Perspective on Data Breach Laws
Disclaimer: This article does not constitute legal advice. While it focuses on a selection of today’s common data protection standards, it is by no means an exhaustive analysis and doesn’t cover the full extent of the global legislative landscape, which is constantly changing. Organizations are best advised to consult data privacy legal experts to be prepared to notify individuals according to these various standards.
In Canada, the main applicable law is the Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act), as modified by the Digital Privacy Act, some of which came into force on June 18, 2015. The law applies to all organizations “except organizations that collect, use or disclose personal information entirely in Alberta, British Columbia or Quebec, (or Ontario, New Brunswick and Newfoundland and Labrador in respect of personal health information collected, used or disclosed by health information custodians; PIPEDA otherwise covers commercial activities in these provinces)”.
Digital Privacy Act
The Digital Privacy Act states that an organization shall report to the Privacy Commissioner and the individuals concerned “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” (S. 10(1) and (3)).
The Concept of Significant Harm
The concept of ‘significant harm’ is defined as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property” (S. 10(7)).
The expression ‘real risk’ is evaluated by taking into consideration the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused (S. 10(8)). The notifications shall be given “as soon as feasible after the organization determines that the breach has occurred” (S. 10(2) and (6)).
Third Party Notification
The legislation further states that organizations must notify third parties, such as other businesses, if this could help to reduce or mitigate the damage. In such cases, organizations are allowed to disclose personal information without consent (in the circumstances of s. 10.2(3), (4)). The provision is seemingly broad enough to include notification to law enforcement authorities, whenever it could help to reduce or mitigate the damage. Another example would be notifying the banks that issued the affected credit cards.
Data Breach Records and Reports
Organizations are also required to keep a record of every breach of security safeguards involving personal information under their control and to provide, on request, access to the Commissioner. This obligation covers every breach of security safeguards, whether or not it resulted in a data breach.
The Commissioner may make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act if he deems that it is in the public interest. This includes any reports of data breaches received under the new provisions.
Any organization that fails to report to the Office of the Privacy Commissioner of Canada (OPC) or fails to notify individuals of a breach that poses a real risk of significant harm, or knowingly fails to maintain a record of all breaches could face fines of up to $100,000 (CAD).
The provisions regarding breach reporting, notification and record keeping have yet to enter into force; they will do so only when “related regulations outlining specific requirements are developed and in place”.
Such regulations are likely to specify the timing, form, manner, and level of information required in the notice of breach.
At the moment, the law only provides that the notification must contain “sufficient information” to allow an individual to understand the significance of the breach and to take steps to mitigate or reduce any resulting harm (section 10.1(4)).
Data Breach Notification Guidelines
Nonetheless, the Guidelines for Privacy Breaches of the Canadian Government require that federal agencies include the following in their notification of individuals:
- A general description of the incident, including date and time;
- The source of the breach (an institution, a contracted party, or a party to a sharing agreement);
- A list of the personal information that has been or may have been compromised;
- A description of the measures taken or to be taken to retrieve the personal information, contain the breach and prevent reoccurrence;
- Advice to the individual to mitigate risks of identity theft or to deal with compromised personal information (e.g. Social Insurance Number);
- The name and contact information of an official at the institution with whom individuals can discuss the matter further or obtain assistance; and
- A reference to the effect that the OPC has been notified of the nature of the breach and that the individual has a right to make a complaint to that office, when applicable.
The notification should be sent directly to individuals either by letter (first class recommended), by telephone or in person, unless practical reasons dictate otherwise (e.g. the number of individuals is too large).
These Guidelines further recommend that individuals be notified of developments as the matter is further investigated and outstanding issues are resolved.
For most organizations, and until the entry into force of the new provisions of the Digital Privacy Act, breach reporting remains voluntary in principle.
Only the province of Alberta currently has provisions regarding mandatory breach notifications. In the province of Quebec, the applicable legislation does not, at the moment, have any provisions for mandatory data breach notification, notwithstanding a recommendation to this effect by the Commission d’accès à l’information.
Note that some sectors, mostly health and finance, have specific applicable legislation. Ontario’s Personal Health Information Protection Act of 2004 specifies that the health information custodian must be notified “at the first reasonable opportunity” each time that any health information provided “is stolen or lost or if it is collected, used or disclosed without authority” (art. 11).
The notification provision is even more stringent with regards to the circumstances under which the OPC must be notified:
(15) It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information that is accessible by means of the electronic health record,
- has been viewed, handled or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations, or
- has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations.
The European Union
In the European Union (EU), the General Data Protection Regulation (GDPR), set to replace Directive 95/26/EC, came into effect on May 25, 2018. The new legislation has wide-reaching implications: it applies to all controlling and processing activity in the EU, but also to data controllers and processors located outside of the EU that offer goods and services in the EU or monitor individuals’ behavior there. As a regulation, it applies directly in each member state, which brings a greater degree of harmonization than Directive 95/26/EC did.
Mandatory Data Breach Notification
Article 4 of the GDPR imposes stringent mandatory breach notifications on natural or legal persons, public authorities, agencies and other bodies. A data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed”. The notion of personal data is also extended to include a person’s name, location data, an online identifier, and genetic data, meaning that IP addresses, mobile device IDs and the like are covered.
The GDPR requires data breach notification to the responsible national supervisory authorities without undue delay, that is, no later than 72 hours after becoming aware of the incident.
Individuals must also be notified without undue delay when there is a high risk that the breach affects the rights and freedoms of natural persons (e.g. the right to privacy).
Notification is not necessary when the data are unintelligible to any person who is not authorized to access them, or if the organization has taken subsequent measures to ensure that a substantial risk is not likely to materialize. If breach notification would involve a disproportionate effort, a public communication can be used instead. The content of the notification is similar to what is discussed in the Canadian context above and the American context below.
Documenting the Data Breach
Lastly, the GDPR imposes an obligation to document any personal data breach. Fines for non-compliance with these provisions can be as high as 2-4% of the company’s worldwide annual revenue of the prior fiscal year, or up to €10-20 million.
Until the entry into force of the GDPR, the European telecommunications sector was the only one with mandatory data breach notification, as required by the e-Privacy Directive. Note that these provisions should also be extended by the Network and Information Security Directive (NIS Directive).
The United States
In the United States, organizations may have to conform to as many as 47 different data breach notification statutes.
While most legislations share common denominators, they may differ with regards to the timing and content of the consumer notice.
Some States require government notification and evaluate a breach against a harm threshold, while others simply don’t.
For instance, corporations operating in Washington must send their notice at the “most expedient time possible, without unreasonable delay, no more than 45 days”, whereas the Texas equivalent simply requires that the notice be sent “as quickly as possible”, both subject to the scope of the breach and the time required to restore the reasonable integrity of the system.
There is no requirement of content in Texas as opposed to Washington where the notice “must be written in plain language and include, at a minimum, the following:
- the name and contact info of the covered entity
- a list of the type of covered information that was or reasonably believed to have been affected
- the toll-free phone numbers and addresses of the major credit reporting agencies if the breach exposed personal information” (Davis Wright Tremaine LLP).
Figure 1: Summary of U.S. State Data Breach Notification Statutes, by Government/CRA Notice (Source: Davis Wright Tremaine LLP)
Breach Notification Procedures for Federal Agencies
Note that OMB Memorandum M-07-16 (“Safeguards against and responding to the breach of personally identifiable information”) imposes breach notification procedures for federal agencies.
Attachment 3 of this Memorandum, titled “External Breach Notification”, identifies the factors that should be considered to determine whether a notification outside the agency should be given and the nature of such notification.
The principle is that the likely risk of harm and the level of impact will determine when, what, how and to whom notification should be given.
The factors are similar to those discussed under the Canadian jurisdiction: nature of the data elements breached, number of individuals affected and likelihood that the information is accessible and usable.
A notification may not be necessary for encrypted information and should be sent without unreasonable delay, unless delayed for law enforcement, national security purposes or agency needs.
An increasing number of jurisdictions are currently in the process of modifying their legislation to include mandatory data breach notification.
In Australia, the federal government published a notification scheme in November 2017.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 is among a list of new legislation to be discussed in this new session of parliament. The exposure draft states that the victim organization must notify customers, the Privacy Commissioner and potentially the media if the breach is serious. The proposed legislation defines “serious breach” and identifies the steps an organization has to take to address it.
It would be enforced by the Privacy Commissioner, which could seek civil penalties for non-compliance (up to $1.8 million for businesses).
Countries with No Data Breach Notification Laws
Countries and states that don’t have mandatory data breach notification, for example the Bahamas, are currently being pressured to adhere to new international norms in order to maintain global partnerships and strengthen national cybersecurity.
Overall, the approaches vary considerably, with some countries imposing strict deadlines (e.g. Costa Rica’s Law No. 8968, Protection of the Person Concerning the Treatment of Personal Data, requires notification within five working days) and others using broad statements (e.g. “without undue delay” or “in a reasonable delay”).
This international legal framework certainly adds to the burden of organizations and complicates IRP.
In a Nutshell
Depending on where your organization operates, it may be subject to a variety of different jurisdictions – each with its respective standards and guidelines for data breach notification following a security incident.
- If your business operates in Canada, you are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) or similar provincial data privacy legislation in Quebec, British Columbia and Alberta. PIPEDA lists 10 privacy principles for the Canadian private sector, including accountability, consent, and limiting the use, disclosure and retention of data.
- If your business operates in the European Union, you are subject to the GDPR since May 25, 2018. The GDPR is applicable in all EU member states, thus harmonizing data protection laws in the EU, and includes strict data breach notification requirements as well as heavy fines for noncompliance. It applies to all organizations located in the EU and to non-EU organizations offering goods and services to, and/or monitoring the behavior of, individuals in the EU.
- If your business operates in the United States, your data breach notification requirements will depend on the U.S. State in which you operate. Overall, there are 47 different data protection legislations across the United States, all of which share common denominators but differ slightly in certain aspects such as notification delays and content.
In closing, it is important to mention that although your business may be located in only one country, it may be subject to data protection legislation in more than one country if it offers its products and services internationally or collects data from international audiences. If you’re unsure about which legislation applies to your specific situation, be sure to consult a data protection/data privacy expert. You may be subject to more legislation than you think.
Now that we’ve learned about some of the different jurisdictions with regard to data breach notification, how can businesses improve their incident response planning skills over time? What lessons can be learned from incidents? And what should the ‘lessons learned’ process look like?
Stay tuned for our final part of our 5-part blog series about Incident Response Planning in next week’s article.
To learn more about how your organization can comply with data protection legislation such as GDPR, check out our free on-demand webinar “GDPR – Focusing on 4 Key Steps to Compliance”.
This blog post was first published in April 2018, and has been updated in May 2018.