Evan Norris, David M Stuart and Richard J Stark, Cravath, Swaine & Moore LLP
This is an extract from the second edition of The Guide to Cyber Investigations.
With the growing awareness of the vast amounts of personal data residing in the cloud, and the sophistication of those who wish to access it, comes an increasingly complex multinational regime of data protection laws with which global organisations must contend. While these laws share many common features, the sheer number of them – and the differences in definitions, standards and exceptions between them – presents a challenge when a data breach occurs. Perhaps most notably, the victim of the breach must adhere to regulatory deadlines in an environment of factual uncertainty that characterises the initial days following a breach. Where a significant number of individuals are affected, achieving regulatory compliance is an ever-increasing challenge for any organisation that does business across borders.
As discussed elsewhere in this Guide, one aspect of a breach investigation for an organisation is to assess early whether the breach raises notification obligations and, if so, in what jurisdictions. While a well-drawn incident response plan will have provided a head start on that assessment, one early aim of the investigation will be to complete the assessment by a careful review of the facts of the breach. In this chapter we provide an overview of the factors that bear on that assessment, as well as some considerations regarding the provision of notification itself. We then provide some observations about the broader data security compliance and enforcement landscape more generally, as we look to a future in which large-scale, cross-border breaches become increasingly commonplace and more and more data regulators and law enforcement authorities have the budgets and experience to address them.
Determining whether and in what jurisdictions a data breach gives rise to notification obligations
Data breach notification laws across the globe reflect a mix of rules, standards and approaches. In the European Union, the General Data Protection Regulation (GDPR) imposes breach notification obligations that apply broadly to all data controllers and processors, while France and other individual EU Member States maintain additional notification laws that apply more narrowly to specific industry sectors. In the United States, each of the 50 states (as well as most districts and territories) has its own breach notification law, while a number of federal laws (and even some more state laws) regulating different industry sectors also contain breach notification rules for reporting incidents involving medical, financial and other types of data. In total, such rules have been adopted in approximately 130 countries, including jurisdictions throughout Asia, the Middle East, Africa, Latin America and other regions.
These laws differ in myriad ways, including in the scope of their application, how they define a breach, the level of harm that triggers notification requirements, what exceptions may apply, who is notified, who does the notifying and what regulatory penalties may be imposed for noncompliance. In the context of a cross-border data breach, the challenge this variability poses for organisations is particularly significant.
Identification of applicable laws
Data protection laws may apply based on different factors, such as the organisation's method of data collection, the industry in which the organisation operates and the residence of affected individuals.
In the United States, while there is no comprehensive data protection regime at the federal level, a handful of federal laws regulating various industries, including telecommunications, financial services and healthcare, include breach notification provisions that apply primarily based on the type of personal data a regulated entity may collect. For instance, the Gramm-Leach-Bliley Act imposes breach notification obligations on financial institutions, including federally chartered US banks and federal branches and agencies of foreign banks, with respect to non-public customer personal information. Such laws also exist at the state level. In New York State, for example, the Department of Financial Services enforces a cybersecurity regulation notification requirement that applies to financial service companies, including insurance companies and both domestic and non-US banks operating within the state, with respect to material business information and some personally identifying individual data. In some instances, compliance with industry-specific notification requirements in a federal statute will exempt an organisation from compliance with the requirements of a state's general breach notification law. Outside the industry-specific context, US states have consumer-oriented breach laws that typically apply broadly to organisations whenever a security incident involves data belonging to that state's residents. California's breach notification law, for instance, imposes obligations on any person or entity that conducts business in California and holds computerised personal information belonging to California residents. In other words, depending on the type of data compromised in a breach, an organisation may have notification obligations under any number of US federal and state laws.
While many countries' breach laws are similar in scope to US laws, some apply regardless of industry sector and residence of affected individuals. The GDPR's data protection and breach regulations apply to data controllers and processors that maintain an establishment in the EU or conduct processing activities, wherever conducted, that are related to offering goods or services to data subjects in the EU or to monitoring those subjects' behaviour in the EU. The post-Brexit data privacy laws in the UK – the Data Privacy Act of 2018 and the UK GDPR – are effectively identical in substance to the GDPR with respect to the obligations imposed on controllers and processors. And the data privacy laws of several other countries also mirror the GDPR, including, notably, Brazil's data protection regime, the LGPD, which went into effect in August 2020.
Definition of 'personal information'
Many breach notification laws limit the definition of 'personal information' (or some analogous term) to an enumerated list of data characteristics that are considered sensitive. For example, many US state breach laws narrowly define personal information as an individual's first name (or first initial) and last name combined with any other data elements, such as a social security or driver's licence number. California is among the states that apply a somewhat broader definition that covers 'any information that identifies, relates to, describes, or is capable of being associated with, a particular individual', including identifiers such as name, signature, address, employment, social security number, bank account number, and credit or debit card number. And to take a US federal example, the Communications Act of 1934 protects 'customer proprietary network information', defined as information relating to the 'quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier'.
By contrast, some breach notification laws adopt far more expansive definitions of personal information that cover any information relating to natural persons. For instance, the GDPR broadly defines 'personal data' as 'any information relating to an identified or identifiable natural person'. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) provides that 'personal information means information about an identifiable individual'. Such general definitions could extend to almost any information relating to an individual, whether alone or combined with other data elements possessed by an organisation.
Definition of 'data breach'
Across jurisdictions, the definitional elements of a 'data breach' often include one or more of the use, disclosure, acquisition of, or access to data through illegal or unauthorised means.
Many US states define a data breach as the unauthorised or illegal acquisition of personal information. In contrast, some jurisdictions consider unauthorised access, alone or in combination with another activity or a certain result, sufficient to constitute a breach. Under Singapore's data privacy statute, for example, a data breach broadly includes any 'unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data', regardless of whether any harm or risk of harm was caused by the breach. A few US states also define a breach as simply unauthorised access to personal information, whereas others require that the unauthorised access compromises the security, confidentiality or integrity of protected personal information.
Some jurisdictions incorporate a risk standard into the definition of a data breach. For instance, Australia's mandatory Notifiable Data Breach Scheme defines an 'eligible data breach', in relevant part, as (1) any 'unauthorised access to, or unauthorised disclosure of, the information' or (2) 'information [that] is lost in circumstances where' unauthorised access or disclosure 'is likely to occur', both of which 'would be likely to result in serious harm to any of the individuals to whom the information relates'.
As security incidents increase in sophistication, the definition of a data breach continues to evolve to include wide-ranging activities in addition to acquisition, access, use or disclosure. This evolution is noticeable in the GDPR's definition of a data breach as any 'accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'.
Exceptions and exemptions
Once an organisation determines that a breach of protected personal information has likely occurred, it must evaluate whether any exceptions or exemptions apply that could obviate the need to make a breach notification.
Some breach notification laws carve out safe harbours for personal information or data that is encrypted (or substantially redacted) at the time of a breach. While the GDPR does not have an encryption exception, it treats 'state of the art' encryption as a data protection measure that reduces risk to individuals' rights and freedoms, which could potentially excuse an organisation's duty to notify affected individuals. Several US state breach laws, in contrast, explicitly distinguish between encrypted and unencrypted information when defining a data breach of personal information. Some states completely exempt organisations from giving notice to affected individuals so long as the encryption was not compromised in the security incident. In other states, encrypted data elements may be excluded from the legal definition of personal information or data, and the security incident that impacts encrypted data elements may be excluded from the legal definition of a data breach.
Good faith exemption
Notably, some breach notification laws exempt from the definition of a breach certain good faith access or acquisition of personal information by a company employee or agent. For instance, under the US Health Insurance Portability and Accountability Act (HIPAA), a data breach does not include 'any unintentional acquisition, access, or use of protected information' by employees of covered healthcare entities if 'made in good faith and within the scope of authority and does not result in further use or disclosure'. Several US states, such as California and Virginia, also recognise a good faith exemption if an employee or agent acquires personal information for a legitimate business purpose and does not make further unauthorised disclosure of the personal information. No similar exemption exists under the GDPR. Brazil also does not recognise a good faith exemption, but 'good faith of the offender' will be taken into consideration to determine appropriate administrative sanctions for data processors that violate the country's data protection law.
Harm thresholds as notice triggers
Several jurisdictions have adopted data breach notification laws that utilise harm thresholds as notice triggers, whereby organisations need only give notice if harm occurred or there is a potential for harm or risk to the individuals whose personal information is breached. Notification laws in several US states enumerate the various types of harm that could trigger mandatory notification requirements, including misuse of personal information, identity theft, fraud or other illegal use of personal information and substantial economic loss or financial harm.
More than half of the US states adhere to harm thresholds in their breach notification laws, but there is variance among the statutes with respect to the risk a breach must present to the resident consumers of those states (the typical group entitled to notice) to require notification. For example, Virginia's breach notification statute requires notification to the state Attorney General and any affected individual if there is a reasonable belief that the breach 'has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth'. Florida, on the other hand, does not require notice to individuals if, after appropriate investigation and consultation with federal, state and local law enforcement, the organisation determines that the breach 'will not likely result in identity theft or any other financial harm'. Florida also does not require notification to its data regulator if fewer than 500 Florida residents are impacted by a breach.
Harm thresholds are also used outside the United States. Under Canada's data privacy law, for example, notification to individuals and the regulator is required only where the breach creates 'a real risk of significant harm to an individual'. Under Mexico's data privacy law, notification to individuals is required only where the breach would 'significantly prejudice the property or nonpecuniary rights of the data subjects'. And the GDPR requires notification to the relevant supervisory authority if the breach presents a 'risk to the rights and freedoms of natural persons' and to individuals if the breach presents a 'high risk' to the same. These differences in statutory definitions of the harm threshold may result in a determination, for instance, that a data breach occurred that was likely to result in a 'risk to the rights and freedoms' of EU citizens but did not pose a 'real risk of significant harm' to Canadian citizens, thus requiring notification under the GDPR but not under Canada's law.
Some jurisdictions do not impose any harm thresholds either for defining a breach or setting forth the circumstances in which notification is required. For example, South Korea's data privacy law applies no harm threshold to the notification requirement. Similarly, California's breach notification law imposes no harm threshold; rather, an organisation must notify affected California residents of any breach where 'unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person'. Under these standards, actual or potential harm to individuals is not considered with respect to whether an organisation must notify individuals of a breach.
If the relevant threshold triggering a mandatory notice requirement is not met, then any notification to individuals or regulators by the impacted organisation would be voluntary. Regulators in some jurisdictions encourage such voluntary notification by organisations, even if the breach does not rise to the threshold that would require mandatory notification. Argentina, for example, has no mandatory breach reporting requirements but encourages organisations to have a plan to manage breach incidents and requires that they maintain a record of data breaches that may be given to the regulatory authority upon request.
Considerations regarding the provision of notice
Once an organisation determines that notification is required or prudent, several considerations arise as to the provision of notice itself, most of which can be addressed in advance in a global breach response plan. Again, the variation between different notification regimes is significant and must be carefully considered to ensure an efficient and coordinated approach.
Who provides the notice
Under the multinational data privacy regime, only certain entities are required to provide notification in connection with a data breach. Some statutes, such as HIPAA, the US federal health law, require only that organisations operating within a specific industry sector provide notice of a breach. Other laws, however, require notification more broadly for all organisations that control or process individuals' personal data.
Several of the comprehensive data protection laws currently in effect require that all controllers of personal data notify individuals and regulators of a data breach. Although controllers of personal data are required to provide notice to individuals and regulators (or face penalties), the controller may not always be the entity that discovers a breach. The processors of data may be more likely to find evidence of a breach as they perform their work with the data, and for that reason a number of notification regimes require processors to notify the controller if they discover a breach. For example, the GDPR requires that the processor notify the controller 'without undue delay' after the processor becomes aware of a breach. Virginia's breach notification law also requires that those entities that maintain data that they do not own or license (i.e., processors) must report a data breach to the owner or licensee of the data (i.e., controllers) 'without unreasonable delay' after discovery of the breach. These notification requirements for processors ensure that controllers will be able to timely meet their own notification obligations.
Timing of notice
Many data privacy statutes require notification quickly after the organisation has discovered the breach and the scope of its impact. California's data breach notification statute, for example, requires that notification be made to individuals 'in the most expedient time possible and without unreasonable delay' following discovery or notice of the breach. Notification may be reasonably delayed under California's statute to allow the organisation time to assess the scope of the breach or to prevent any interference with an ongoing criminal investigation. Several other states, including Virginia, New York and Massachusetts, require notice to data subjects without 'undue' or 'unreasonable' delay. The same standard is seen in data privacy laws in other jurisdictions, such as the EU, which also requires notice to data subjects 'without undue delay'.
The specific requirements vary in some statutes for notification to regulators as opposed to individuals. Some statutes may not require notification to a regulator at all unless a certain number of data subjects have been affected. California's statute, for instance, requires that there be at least 500 affected California residents before requiring that notification be made to the state attorney general. In other jurisdictions, the notice requirement for regulators is not tied to any number of affected individuals. For example, India's data protection law broadly requires organisations to 'report the cybersecurity incidents to [the regulator] within a reasonable time of occurrence' of the breach. There is also variability in the time period to provide notice to regulators and data subjects. The GDPR, for example, specifies that notification must be made to the national supervisory authority (or lead supervisory authority in the case of cross-border breaches) 'not later than 72 hours after having become aware of' the data breach; if the supervisory authority is not notified within that window, the organisation must provide reasons for the delay. This differs from notification to data subjects under the GDPR, which must be made 'without undue delay' but without reference to a specific time period.
Organisations impacted by a breach thus must assess differing notice timing requirements for regulators and data subjects both within a particular statute and across multiple jurisdictions.
Form and content of notice
Statutory requirements also vary with respect to the form and content of the data breach notice. The GDPR, for example, requires that the notice to the regulatory authority:
- describe the nature of the breach;
- provide the name and contact details of the company's data protection officer;
- describe the likely consequences of the breach; and
- describe the measures taken or proposed to be taken by the controller to address the breach.
Other statutes are even more prescriptive with respect to the required form and content of the notice. California's breach notification statute, for instance, requires that the notice to individuals use a certain title ('Notice of Data Breach') and headings ('What Happened?'; 'What Information Was Involved?'; 'What We Are Doing'; 'What You Can Do'), that the title and headings be clearly and conspicuously displayed, and even that the text of the notice use no smaller than 10-point font. The California statute also provides a model breach notification form that companies may use as a template for their notice, and the use of which ensures compliance with the statutory requirements.
In addition to complying with regulatory requirements in the aftermath of a breach, organisations face the communications challenge of conveying an appropriate public message. Media outlets will quickly discover and report on any large-scale data breach – often triggered by a notification submitted to a data regulator or a public company's securities disclosure (see above). In turn, an organisation's management and directors frequently face pressure to release public statements to the media addressing the breach and any remedial steps taken. There are many facets of the communications strategy that are beyond the scope of this chapter, but from a regulatory standpoint what is critical is including in an organisation's incident response plan – and then following in the event of a breach – a tight internal coordination mechanism involving the legal and relevant global business functions to enable a measured, consistent approach to all public statements.
Data security compliance and enforcement observations
Separate and apart from the issue of notification, organisations that have experienced a data breach face a range of other potential regulatory challenges. For instance, all organisations must prepare to respond to regulatory inquiries with the potential to lead to an enforcement response, whether tied to an underlying security failure, the adequacy of the notification or some other issue. And public companies have the added challenge of evaluating whether the breach is material to their financial performance or operations and thus may be required to be disclosed to investors. As regulators across the globe gain in enforcement experience and begin to coordinate law enforcement activity with one another, organisations must increasingly be prepared to navigate the added complexities posed by these challenges when they arise in the context of multi-jurisdictional investigations of cross-border data breaches.
Many data protection laws contain provisions requiring organisations to maintain the security measures necessary to protect individuals' personal information from unauthorised access. For example, the GDPR requires that companies take 'appropriate technical and organisational measures' to ensure that data is securely stored and processed. The California Consumer Privacy Act (CCPA) requires that organisations 'implement and maintain reasonable security procedures and practices' to protect California individuals' personal data. And Mexico's data protection law requires that all data controllers and certain processors 'establish and maintain administrative, physical, and if applicable technical, security measures' to protect personal data. These and other similar laws establish standards that data protection authorities and other enforcement agencies are increasingly using to hold organisations accountable if a data breach occurs that, in the view of regulators, should have been prevented or mitigated.
The GDPR permits regulators to pursue fines for data security violations equal to the higher of €20,000,000 or 4 per cent of an organisation's annual worldwide turnover. In Brazil, the LGPD will permit regulators to pursue half that amount once the administrative sanction provision comes into force in August 2021. California takes a different approach and permits the state attorney general to seek civil penalties (calculated with respect to each affected consumer) of up to US$7,500 per intentional violation and US$2,500 per unintentional violation, with no maximum amount. In the context of cross-border data breaches, the total amount of regulatory fines that could be imposed on an organisation by multiple enforcement authorities – and the potential for duplicative penalties given different approaches to conceptualising the fine amount and different definitions of data subjects and consumers – are both significant.
Public company disclosures
Public companies impacted by a breach face additional regulatory requirements. For instance, in the United States, the Securities and Exchange Commission (SEC) has issued interpretative guidance requiring public companies to disclose material cybersecurity incidents, including data breaches, in their public filings. Even a non-material breach may give rise to a disclosure obligation where investors should be informed of potential risks the company faces. And in the European Union, the Market Abuse Regulation (MAR) requires EU-listed companies to disclose 'inside information', which potentially includes data breaches and other types of cybersecurity incidents, that directly affect their operations and the price of financial instruments. Public companies thus must carefully determine both whether notification and disclosure of data breaches is required, as well as the potential impact one determination may have on the other. As the SEC's 2018 settlement with Yahoo makes clear, the issue of disclosure to investors can lead to significant enforcement consequences.
The future of enforcement
Many data protection authorities around the world are still in the early phases of enforcing data protection laws and managing their budgetary constraints, and organisations will be monitoring enforcement trends closely. For instance, organisations will be watching for signs of the emerging enforcement priorities of Brazil's data protection authority once the LGPD's administrative sanctions go into effect in August 2021, and for the impact on the overall US enforcement landscape of the California Privacy Rights Act, the successor to the CCPA that will divide enforcement between the California AG and a newly created data regulator when it goes into effect in January 2023.
Organisations will also be closely watching for trends toward coordinated resolutions of enforcement actions among data protection authorities from different countries. We have seen such coordination among US federal and state regulators, and within the EU, following cross-border data breaches. But while there have been examples of enforcement actions announced by multiple countries at different times in connection with cross-border data breaches (e.g., Equifax, Yahoo and Starwood/Marriott), it remains to be seen if and when regulators from different countries may begin to announce coordinated resolutions of the type we have come to see in corporate criminal investigations. In the meantime, we anticipate debate about whether the merits of such an approach, such as encouraging cooperation among enforcement agencies and avoiding duplicative penalties for organisations, apply in the data breach context.
Today's complex regulatory environment presents great challenges for global organisations contending with a data breach of any magnitude. Compliance with the multitude of international breach notification laws requires an understanding of what facts may trigger statutorily mandated notice obligations and how and to whom that notice must be communicated. Even when breach notification obligations are satisfied, organisations still must be prepared to handle other regulatory challenges as well, including inquiries into security vulnerabilities that may have contributed to the breach. As more countries enact comprehensive data protection laws and cross-border data breach enforcement picks up, organisations that have breach response procedures that are carefully prepared and reflect a nuanced, global perspective will be best positioned to handle a major incident.