[BreachExchange] Data breach notifications

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 15 19:45:29 EDT 2016


http://www.lexology.com/library/detail.aspx?g=b061c3d1-e7db-4848-a457-bc9902e443e3

Data security breaches have been on the rise for many years now, with
governments and regulators responding in many ways. One element of the
response is to require organisations who experience a data security breach
to notify relevant regulators and, most importantly, the people whose data
has been compromised.

In a previous edition of Red Tape, we canvassed a broad range of legal
issues associated with cyber security incidents. SEC Chair Mary Jo White
has recently described cybersecurity as the biggest risk facing the
financial system. China has also recognised the importance of cybersecurity
to national security, and is in the process of reforming its cybersecurity
laws, as reported last year. In late May 2016, Hong Kong’s banking
regulator launched a “Cybersecurity Fortification Initiative”, following a
blight of recent regional and local scandals involving banks.

In this article, we look at recent developments in the EU and Australia in
relation to one of those legal issues, namely data breach notification laws.

Mandatory data security breach reporting laws have been in place in the
United States of America for many years now. Canada, Korea and, more
recently, South Africa have also enacted such laws. In the EU, the
requirement currently applies only to businesses in certain sectors
(electronic communications providers). Breach reporting in Hong Kong is not
strictly required under law, but is expected under guidelines issued by
both the Privacy Commissioner for Personal Data and by financial regulators.

European Union – 72 hour notification

One of the most significant recent developments has been the adoption of
the General Data Protection Regulation (GDPR) by the European Union. On 4
May 2016, the European Parliament and the European Council published the
GDPR in the Official Journal of the European Union. This has been the final
step of a legislative process spanning over five years. The GDPR will enter
into force on 25 May 2018.

The GDPR contains an obligation to notify:

- the relevant data protection supervisory authority of a personal data
breach “without undue delay and, where feasible, not later than 72 hours
after having become aware of it” (Article 33); and
- the data subject without undue delay “when the personal data breach is
likely to result in a high risk to the rights and freedoms of natural
persons” (Article 34).

If an organisation considers that there is not such a high risk, the
supervisory authority will have the power to require the organisation to
notify data subjects if it disagrees. If an organisation fails to notify,
it may be liable to an administrative fine of up to €10 million or 2% of
the total worldwide annual turnover of the preceding financial year,
whichever is higher (Article 83(4)) (for certain other breaches of the
GDPR, the fine can be up to €20 million or 4% of total worldwide turnover).
This is in addition to any liability that the organisation may have to
affected individuals.

Based on our experience, we anticipate that many organisations will take
the view that it is not feasible to report sensibly to the regulator within
72 hours of becoming aware of a data breach. In many instances, only the
basic information about the extent of the breach and the manner in which it
occurred will be known within this period.

If the breach is a result of a sophisticated hacker, the hacker will likely
have been exploring the organisation’s systems for weeks or months before
the organisation became aware of the breach (or part of it). So while
obvious causes for the breach will have been identified and contained
within the initial 72 hour period, response teams will frequently spend
more time assessing whether the hacker has identified other
vulnerabilities. This may lead to staggered notifications to the relevant
regulator, culminating in a later notification to data subjects once the
degree of risk has been more clearly assessed.

We expect that even vigilant regulators will be wary that individuals may
experience counter-productive “notification fatigue” if lower risk
incidents were routinely notified.

Australia

In late 2015, the Australian Government released a draft of the Privacy
Amendment (Notification of Serious Data Breaches) Bill for public
consultation. This was against the background of public statements from
both of Australia’s main political parties supporting the introduction of
data breach notification laws. More than 40 submissions were received (the
text of the Bill and the submissions are published here). In April 2016,
the government indicated that they intended to introduce a version of the
Bill into Parliament. However, they did not do so before Parliament was
dissolved for an election (which is underway at the time of writing).

Unlike the EU’s expectation of a 72 hour period in which to notify, the
test proposed by the exposure draft of the Australian Bill was to notify
“as soon as practicable” after becoming aware that there are reasonable
grounds to believe that there has been a serious data breach. Further, the
concept of “as soon as practicable” was clarified so as to allow the
organisation to carry out a reasonable assessment of whether there are
reasonable grounds to believe that a serious data breach has occurred,
provided that assessment is carried out within 30 days after becoming aware.

The maximum penalty associated with a failure to notify in Australia is
A$1.8 million, which is considerably lower than those in effect under the
GDPR.

Due to the Australian election, progress of this bill is now delayed,
although both major parties are on the record in supporting legislation of
this kind. Accordingly, organisations operating in Australia should be
prepared for such laws to be implemented during the next term of government
(Australia has a three year election cycle, so the next election will
likely be in 2019).

Will increased notification result in class action litigation?

Large scale data breach incidents which have been notified under US law
have often led to class action litigation being commenced. However, as a
percentage of the total number of reported breaches, the number of class
actions is quite low. Various studies have found that approximately 5% of
publicly reported breaches resulted in class action litigation.

While some prominent class actions have resulted in substantial damages
awards or settlement sums, businesses have had more success defending class
action claims in recent years. This can be attributed to the 2013 decision
by the US Supreme Court in the Clapper case which raised the barrier by
forcing the lead plaintiff to prove that there was a substantial risk that
they would suffer an injury or damage as a result of the breach.

The courts have held that mere loss of data, without evidence that it has
been viewed or misused, is not an injury sufficient to confer standing.
However, not all cases can be defended on this basis, because there are
cases in which damage has actually transpired or where a threatened injury
is “certainly impending”.