Challenge: When a data security breach leaks information about a multinational's employees in more than one country, "breach notification" laws raise cross-border disclosure obligations.
Imagine a serious data security breach that leaks names and private data of a multinational's employees across a number of countries. The breach might be due to a hacker, to a lost laptop, to data stolen by a rogue departing employee, or to any other security breakdown. Whatever the situation, the legal question quickly becomes: What are a multinational employer's obligations to notify affected employees, and government authorities, of the fact that human resources data leaked?
The answer depends on "applicable" law. In the human resources data context, the laws applicable can be, at minimum, the laws of all jurisdictions where affected employees are based, because a multinational employer will often be subject to personal jurisdiction in all countries where it employs staff (a multinational often transacts business and serves as a "data controller" in each locale where it has employees; in addition, a multinational might also be subject to data laws in jurisdictions where it does not have employees, such as where it has servers). As such, although a security breach itself—the hacking, the lost laptop, the rogue employee data theft—usually occurs in just a single country, the applicable employee breach-notification requirements will often be the notice mandates (if any) of all jurisdictions where there are affected employees. Complying with applicable law after a data breach that affects employees across a number of countries, therefore, means ascertaining, and following, the notification rules of each of the home jurisdictions of breach-victim employees.
Speaking broadly, we can address global data breach-notification compliance from three geographical perspectives: the United States, Europe and the rest of the world.
United States: US state laws regulate breach-notification obligations to US residents, often including employees, whose data get compromised in a breach. (As of mid-2009, federal bills were pending which could preempt this area with federal legislation.) While data protection/privacy in the US generally tends to be regulated less comprehensively than in jurisdictions like the European Union and Canada, in this specific context—security breach notification—US states impose some of the world's toughest obligations. Since 2003, when California passed a groundbreaking and influential data security breach notification law, 44 US states have imposed laws requiring breach notice in certain contexts. These laws generally require database owners to notify affected "customers" or other data subjects, including employees, of a breach. Some of these laws also require notice to state attorneys general or credit bureaus. Many of these laws provide a private right of action.
Pointer: Develop a cross-border breach-notification response strategy that complies with each affected country's mandates on notifying both employees and government data agencies.
- When a US-based multinational suffers a data security breach within the US, most of the affected employees may prove to be US residents. In these cases, US state data-breach obligations may drive the multinational's global breach-notification strategy: US employees will likely need to be notified of the breach consistent with US state laws; human nature being what it is, these employees can be expected to discuss the data breach with co-workers abroad. Notifying all affected employees that a breach of their data occurred is often recommended, even where notice is not legally compelled. For these reasons, a sound human resources strategy will often be for the multinational employer to notify all employee breach victims, worldwide—although a key issue can be timing (breach notices may need to be expedited, or delayed in some jurisdictions).
Europe: When some employee victims of a data security breach are based outside the US, relevant employer breach-notification obligations become the domestic mandates of employees' home jurisdictions. In many cases the analysis here will begin with the European Economic Area, known for its tough data protection laws. But European data law principles become surprisingly sketchy as to specific breach-notification mandates. Perhaps ironically, Europe—which otherwise imposes what are widely recognized as the world's toughest set of general data-protection laws—has, so far, imposed few specific breach-notification requirements (at least outside the telecommunications sector).
- This is probably because Europe's tough general data-notification rules (as opposed to its data security rules) are built around notifying "data subjects" and government data agencies up front about data processing systems. In a sense, Europe's general data notice rules are preventive in that they "close the barn door before the horse gets out," but they focus less on post-crisis breach response—mandating special notices "after the horse gets out."
This said, expect European employee data subjects and government data agencies to argue that Europe's broad general rules requiring "data controllers" to notify data subjects and agencies about data processing systems somehow encompass a mandate to provide notice of a specific breach incident. One argument here may be that unless the data controller had previously disclosed (to data subjects and agencies) that "breaches" are one form of permitted data processing, then the controller must notify data subjects and agencies after an unanticipated breach occurs. Further, a small but growing number of European states now impose state-specific breach-notification obligations. Norway, for example, expressly requires notifying the Norwegian data authority even if just one Norwegian is affected by a breach, and an incoming German law is expected to mandate breach notification to local German data authorities.
- A publicized data breach risks drawing close scrutiny from European data subjects and data protection authorities. A multinational's breach-notification strategy in Europe needs to factor in the high stakes. European states can impose onerous penalties for widespread data-law violations, especially where a data-controller is shown not to have followed compliant data processing practices.
In short, breach notification requirements in Europe split into two prongs: First, must the data controller notify affected data subjects? (This prong then splits into two halves: notice requirements to "direct data subjects" like employees, versus notice to "indirect data subjects" like employees' e-mail correspondents.) Second, must the data controller notify government data protection authorities? Where a multinational employer that suffers a breach of employee data decides, for human resources reasons, to notify all affected staff worldwide, the issue of whether laws in Europe compel notice to European employees can for the most part drop out, as a practical matter (where the employer complies anyway). This leaves the issue of whether the multinational must notify European member state data agencies. While a few European states (like Norway and, soon, Germany) do impose clear government-notice mandates, in many cases whether government notice is mandatory is a murkier issue. Often the local advice will be that government notice is "recommended."
Beyond the US and Europe: Going beyond Europe and the US, the breach notification issue follows a broadly-similar analysis. First ask: What is the applicable law? Then ask: Does each applicable country's law impose any breach notification obligations? Often it will not. For example, according to the Australian Office of the Privacy Commissioner's Guide to Handling Personal Information Security Breaches (August 2008, at p.12), Australia's "Privacy Act does not expressly require…an organisation to notify individuals if personal information is subject to a breach…." Where laws do compel notification, ask: What are the precise obligations to notify both affected data subjects and government agencies? When a multinational employer makes the business decision to notify all affected employees worldwide, the focus becomes notification obligations to government authorities. Relatively few jurisdictions outside the US and Europe impose direct mandates to notify government agencies about breaches of human resources data, but some may. A chart summarizing breach notification laws around the world appears in a 2009 article by Alana Maurushat, "Data Breach Notification Law Across the World from California to Australia" (Univ. of New South Wales Faculty of Law Research Series paper #11). Where laws do not compel notice, ask: What notice is recommended as a matter of good practice? Are there any obligations to third parties affected by the breach, including employee representatives?
Other legal issues beyond data laws: In many jurisdictions, what breach notification mandates apply will depend on the specific facts. For example, where a breach leaks regulated information about publicly-traded securities, securities laws can kick in—such as the stringent notice requirements under Australia's Corporations Act, mandating notice to the Australian Securities and Investments Commission. A lost laptop in the UK led to a huge fine from the Financial Services Authority, because the laptop contained financial data. In some cases, third party contracts can impose penalties.