[BreachExchange] Data Breach Notification: 10 Ways GDPR Differs From the US Privacy Model

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 2 15:22:44 EST 2016


http://sponsoredcontent.wsj.com/pwc/broader-perspectives/data-breach-notification-10-ways-gdpr-differs-from-the-us-privacy-model/

California’s famous SB1386 bill of 2003 pioneered mandatory data-breach
notification across the United States, spurring a decade of unprecedented
corporate spending on information security. Europe has imported this idea
into its landmark General Data Protection Regulation (GDPR). Now, US
multinationals will need to update their US privacy incident-response
playbook in at least 10 areas in order to be ready for the GDPR’s May 2018
compliance deadline.

When taken together, these 10 points represent a very different model — and
one from which its own unique dynamics are sure to emerge. US
multinationals planning to make only minor modifications to their US
privacy incident-response policies, and anticipating just assigning this
responsibility entirely on their US response teams, are underestimating the
level of effort to effectively manage their risks. Let’s take a look at
these 10 areas:

1. Definition of a data breach.

The standard criteria triggering a data-breach notification in the United
States is the “unauthorized access or acquisition” of a limited set of
sensitive-personal data elements such as Social Security numbers and credit
card numbers. The GDPR defines it more broadly as a “breach of security
leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data.” The EU, in turn,
defines “personal data” as any data that can be directly or indirectly
associated with a living individual – a very broad scope that now includes,
for example, IP addresses.

2. Risk of harm threshold for reporting.

In spite of the much lower threshold that constitutes a data breach under
the GDPR, the new law sets a much higher standard for which of these
breaches must be reported. Only those that pose a risk of harm to
individuals’ “rights and freedoms” must be reported, a concept mostly
nonexistent in US data-breach laws.

3. Safe harbor for strong security measures.

The GDPR’s safe harbor for strong security measures is broader than its US
equivalent. The GDPR provides that “if appropriate technical and
organizational measures” were in place to protect the data – specifically
calling out data encryption – the company does not need to report the
breach. In the US model, the safe harbor for non-reporting is generally
limited to data that is encrypted in storage and transit.

4. Timing of the notifications.

In the United States, companies experiencing a notifiable data breach must
generally notify affected individuals in an expedient manner, with a small
handful of jurisdictions requiring definite timetables ranging from five to
30 days. Companies experiencing a notifiable breach of EU personal data
after May 25, 2018, however, must make notifications “without undue delay
and, where feasible, not later than 72 hours after having become aware of
it.” Recognizing companies may not know many definitive facts within 72
hours of detecting an incident, the GDPR authors allow that notifications
“may be provided in phases.”

5. Recipients of the notifications.

The US model centers on the notification of affected individuals, with many
state attorneys general and federal agencies also requiring that they
themselves be notified. The GDPR establishes a simpler, two-track model. If a
breach of EU personal data poses a risk to the rights and freedoms of
individuals, the company must notify its lead data-protection authority
(DPA). If the breach poses a high risk to individuals, the company must
also notify them.

6. Content of the notifications.

Several US states and some federal agencies specify what companies should
and shouldn’t include in data-breach notification letters. The GDPR
establishes a common standard that doesn’t exist in the United States. EU
data-breach letters must specify the nature of the data categories
compromised, the number of data subjects affected, the name of the
company’s data protection officer (DPO), contact information for
individuals to learn further information, likely consequences for the data
subjects, and measures taken to reduce risk to individuals.

7. No credit-monitoring expectation.

While US laws don’t require companies to offer remedies such as credit
monitoring to individuals affected by a data breach, most almost always do
in order to meet a public relations expectation. For its part, the GDPR
does not require companies to provide any such remedy to data subjects. The
credit-monitoring marketing itself is more limited in Europe because of the
impact of data-protection laws on sharing personal data, making it less
likely that this remedy will emerge soon even as a public relations
expectation.

8. No “walls of shame” – yet.

Several US state attorneys general and the US Department of Health and
Human Services maintain a public-facing website listing of data breaches
reported to them. These websites can magnify the brand impact of a data
breach over an extended period of time. The GDPR doesn’t require that any
EU stakeholder maintain a similar website. It does, however, require EU
data-protection authorities to maintain public lists of data-protection
impact assessments, setting an important precedent.

9. Obligations for processors to notify.

In the US model, the burden of holding third parties accountable to
providing timely notification of breaches to their clients falls largely on
the clients’ contracting and vendor-management processes. The GDPR shifts
the compliance burden to the third-party data processors themselves,
requiring them to report to clients data breaches involving their clients’
data “without undue delay after becoming aware.”

10. Post-mortem documentation.

US privacy incident-response playbooks often include a post-mortem process
for continuous improvement as a matter of best practice. Few, if any, US
laws require this step, however. The GDPR breaks new ground by requiring
companies that have experienced a data breach to document the facts relating
to the breach and the remedial action taken to prevent a recurrence.

Next Steps: Getting Ready for May 2018

As noted above, the GDPR represents a very different model from US privacy
laws. The US multinationals that best succeed at staying off of the radars
of EU privacy regulators are those that will be able to equip, train, and
test an EU first-response team on an EU privacy incident-response playbook
well ahead of the May 2018 deadline.