Companies are increasingly using third party ‘cloud’ services to remotely store and process data. These solutions often result in data moving across borders and being stored in multiple locations worldwide.
This geographical diversity presents significant challenges for companies in the event of an actual or suspected data security breach; navigating legal obligations regarding privacy, data security and breach notification requirements in multiple jurisdictions can be daunting.
We offer eight tips to manage cross-jurisdictional risk and respond effectively in the event of a breach.
1. CO-ORDINATE YOUR RESPONSE STRATEGY ACROSS COUNTRIES
Managing regulatory compliance across national boundaries demands a co-ordinated strategy and action plan that meets the legal requirements of multiple countries.
Co-ordinating your strategy reduces the risk that a regulatory response in one jurisdiction will negatively impact outcomes in a second jurisdiction. A single co-ordinating function gives oversight of the overall strategy (including managing admissions and evidence) and primary responsibility for protecting the organisation’s rights. This is important to preserve legal professional privilege and manage discovery obligations.
2. BE PROACTIVE
Consider informing relevant regulators and affected parties of a suspected breach rather than allowing them to become aware of a breach via media reports or investigations in other jurisdictions.
Being proactive often results in better relationships with the regulator and may lead to improved regulatory outcomes.
Dealing reactively with each jurisdiction in a piecemeal manner risks amplifying negative publicity, brand damage and may even impact insurance arrangements.
3. APPOINT A PRIMARY RESPONSE CO-ORDINATOR
Determine which jurisdiction will take the lead in co-ordinating the response to a breach in data security. The lead jurisdiction takes responsibility for identifying the affected jurisdictions and obtaining advice in each to determine:
- What has occurred;
- Whether a security breach has occurred in that jurisdiction;
- Whether there are notification requirements, e.g. to affected individuals or regulatory bodies, and whether these are mandatory or voluntary;
- How the response will be co-ordinated so that all jurisdictions notify together and manage any admissions and evidence consistently and coherently; and
- The relevant time frames for any required notifications.
The lead jurisdiction co-ordinates the response strategy to inform staff and, if required, respond to media requests or reports.
4. KNOW YOUR DATA AND WHERE IT IS STORED
The first step in developing a regulatory response strategy is to know in which countries you will have legal obligations. This requires intimate knowledge of your data. Where is it? Where is it stored? Where are the relevant servers? How will this affect any claims for legal professional privilege in different jurisdictions? Are data transfer arrangements fit for purpose?
Armed with this knowledge you can identify the most likely countries where you will have legal obligations.
5. KNOW YOUR OBLIGATIONS IN EACH COUNTRY
Ensure you have access to legal counsel who are able to advise in relation to the jurisdictions you have identified.
A skilled lawyer will advise you on the extent of your obligations and what you need to do in the event of a data breach. A key question is: does transferring data to that jurisdiction (including via email in foreign countries if your server is hosted in that jurisdiction) make those documents potentially discoverable in the event the matter is brought to Court?
In addition to the laws of the jurisdiction in which the data is stored, organisations may also be subject to local data protection and privacy laws in their ‘home’ jurisdictions (where they have operations).
For instance, Australia’s Privacy Act 1988 (Cth) provides that conduct outside Australia with an Australian link may amount to a breach of the Act despite the data being stored elsewhere, unless that conduct is required by the law of that jurisdiction.
6. ENGAGE YOUR SERVICE PROVIDER IN THE STRATEGY
The next step is to review your agreements with service providers to determine whether:
- your provider is obliged to notify you of an actual or suspected breach in time for you to meet notification requirements in these jurisdictions (taking into account a reasonable time period to investigate the circumstances and co-ordinate the response); and
- you have contractual processes in place to obtain necessary co-operation from your service provider.
Critical to this is ensuring necessary contact details for your organisation, service providers, legal advisors and regulators are kept up to date and accessible.
7. COMMUNICATE, COMMUNICATE, COMMUNICATE
Privacy-related matters are inherently personal and therefore are significant to customer and supplier relationships, as well as staff engagement and morale. Particularly where the circumstances of the actual or potential breach become public, it is important for organisations to proactively communicate with affected customers, suppliers and employees.
8. CONTINUALLY IMPROVE
Once an actual or suspected breach has been addressed, the lead co-ordinator should identify any improvements to business processes, systems or arrangements that can prevent or minimise future occurrences. For example, staff education and compliance training may be enhanced, contractual arrangements or supplier selection criteria may be improved, or system improvements could be made to allow earlier detection of potential issues.
An earlier version of this article was published in Privacy Unbound (February 2015).