The CCPA, the EU’s GDPR, Canada’s PIPEDA, Brazil’s General Data Protection Law and Australia’s notifiable data breach scheme are just a few examples of international data breach notification laws that have come into play in recent years. The breadth and complexity of these regulations are proving to be a significant challenge for businesses around the world, and regulators have shown they are not afraid to impose significant sanctions on those who cannot demonstrate compliance.
In a recent webinar, we partnered with Travis Cannon, Director of Market Development and Partnerships at RADAR, to discuss best practices and how to take an accountability approach to managing data breaches.
Complex Landscape of Data Breach Laws
As the GDPR has just passed its first birthday, we are seeing spillover effects into other jurisdictions. Australia, Japan and Brazil are implementing similar data protection laws where breach notification is a key requirement of compliance.
While the US has been passing and implementing data breach laws for a number of years, the CCPA is top of mind as it has taken a leadership position in terms of expanding the common American definition of personal data (including IP address, geolocation and household data), with at least an additional seven states following a similar path. In the US, data breach laws can also be sector-specific, exacerbating the complexity and the compliance challenges privacy professionals are facing.
Breach notification deadline requirements may also vary widely. The GDPR specifies notification “without undue delay” and where feasible, not later than 72 hours after a breach is discovered. The CCPA specifically requires notification within 72 hours following discovery or notification of the breach. Other jurisdictions like Brazil (“within a reasonable time”) and Japan (no specific time frame) are more ambiguous.
An important consideration for multinational organizations will be establishing internal policies and procedures on managing breach notifications: if a company has been able to notify within 72 hours in one jurisdiction, it may be held to that bar in jurisdictions with more ambiguous timelines.
An Accountability Approach: Lessons from GDPR
Since most data breaches are the result of human error, even organizations with the best privacy program and awareness of personal data processing may experience a breach. We have learned from the GDPR that organizations have to not only be accountable, but also be able to demonstrate compliance. This can be broken down into three key activities:
- Put in place appropriate technical and organizational measures to meet requirements
- Ensure compliance of data processing operations is demonstrable including having underlying evidence ready
- Ensure technical and organizational measures are reviewed and updated on a regular basis (annually) to ensure compliance with changing legislation and guidance
If your organization is GDPR compliant, you will already have a solid foundation for addressing data breach notification requirements for other jurisdictions. However, if you are just getting started, there are three activities from GDPR compliance that will enable you to develop a foundation for compliance:
- Leverage the Records of Processing Inventory (ROPI): A key element to GDPR and other legislation is the ability to provide proper documentation to demonstrate compliance. A ROPI (under Article 30 of the GDPR or Article 37 of Brazil’s LGPD) provides easy access to all information on processing operations so that you can quickly retrieve information when you have a security alert or incident report from within the organization.
- Appoint a Data Protection Officer (DPO): The appointment of a DPO is mandatory under the GDPR and other jurisdictions are adopting this requirement. A DPO can act as a first point of contact and internal advisor on how to proceed in the event of a breach.
- Conduct (or leverage) your Data Privacy Impact Assessment (DPIA): Your DPIA may already reveal the risks involved in your processing and include the mitigating measures put in place, helping you determine if a data breach is reportable.
- Keep a data breach register: While not all breaches are reportable to authorities, you do need to keep an internal register of all data breaches and security incidents. Reviewing your data breach register may point to problems within your organization related to lack of awareness, lack of security or simple carelessness in some of the departments.
- Use a structured approach to privacy management: Structured privacy management ensures the entire organization is engaged in processing personal data in a responsible manner. This approach enables companies to assign ownership of implementation of compliance activities. This will result in evidence - policies and procedures, decision making processes, minutes from meetings, etc. - that can be used to demonstrate responsible privacy management and help with conversations with regulators and DPAs after a breach.
Not all breaches are created equal
Many organizations start with an assumption that all data incidents are notifiable. The first year of the GDPR saw more than 64,000 data breaches notified to regulators. These ranged from minor breaches (errant emails sent to the wrong recipient) to major cyber hacks affecting millions of individuals and making front-page headlines. This assumption creates a risk of over-reporting. While over-reporting could be an attempt to be transparent, it can also draw the unnecessary attention of regulators, who may conclude that you do not have good processes in place. According to RADAR, when breach notification decisions were informed by structured privacy management and consistent multi-factor incident risk assessments, the number of incidents that rise to the level of a notifiable breach drops to about 10%. At the same time, regulators have indicated they suspect a large volume of non-reported breaches have taken place. Underreporting will also be monitored more closely, especially by EU data protection authorities, to ensure that all qualified breaches are indeed reported.