Data breaches are incidents that expose personal data to unauthorized access or use. They can have serious consequences for individuals, such as identity theft, fraud, or emotional distress. They can also damage the reputation and trust of organizations that suffer them, as well as expose them to legal liability and regulatory sanctions.
Data breach notification is the process of informing affected individuals and relevant authorities about a data breach. The purpose of data breach notification is to enable individuals to take protective measures, such as changing passwords or monitoring their accounts, and to allow authorities to investigate and enforce the applicable data protection laws.
Different countries and regions have different laws and regulations regarding data breach notification. Some of them are based on the EU General Data Protection Regulation (GDPR), which applies in all EU member states and the European Economic Area (EEA) since May 25, 2018.
Requirements at a Glance
Before we take a deep dive into the requirements in different regions, let's start with a high-level view of them.
| Jurisdiction | Notification duration | Authority | Penalties |
| --- | --- | --- | --- |
| GDPR | Without undue delay, no later than 72 hours | Relevant supervisory authorities | Max penalties of EUR 20 MN or 4% of global turnover |
| CCPA | Without unreasonable delay to residents; within 30 days to the Attorney General if more than 500 residents are affected | Residents; Attorney General if >500 residents affected | Statutory damages to individuals of USD 100 to 750 per consumer per incident |
| HIPAA | Within 60 days of discovery | Affected individuals; HHS | |
| China | Within 8 hours of discovery | Cyberspace Administration of China (CAC) and other regulators if >100K individuals affected | 1% to 10% of annual revenue in China in the previous year |
| Australia | Within 30 days | Office of the Australian Information Commissioner (OAIC) | For serious or repeated breaches, AUD 2.1 million for organizations and AUD 420,000 for individuals |
| India | No fixed timeline for notification | Data principal and the Data Protection Authority (DPA) | From Rs 5 crore or 2% of the total worldwide turnover |
European Union
The General Data Protection Regulation (GDPR) requires organizations that process personal data to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. However, no security system is perfect and data breaches can still happen despite the best efforts of the organizations.
When a data breach occurs, the GDPR imposes a duty on the organization responsible for the personal data (the controller) to notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The notification should include information such as:
The nature of the breach and the categories and approximate number of data subjects and personal data records concerned
The name and contact details of the data protection officer or other contact point
The likely consequences of the breach
The measures taken or proposed to address the breach and mitigate its possible adverse effects
The controller must also communicate the breach to the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. The communication should include the information mentioned above, as well as advice on how to protect themselves from the potential consequences of the breach.
There are some exceptions to the notification obligations, such as when:
The controller has implemented appropriate technical and organizational measures that render the personal data unintelligible to unauthorized persons, such as encryption
The controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize
The communication to data subjects would involve disproportionate effort, in which case alternative measures such as public announcements should be used
The GDPR also imposes significant fines for non-compliance with the data breach notification obligation. The maximum penalty is €20 million or 4% of the organization’s global annual turnover, whichever is higher. The actual amount of the fine depends on various factors, such as the gravity and duration of the infringement, the number of data subjects affected, the level of cooperation with the supervisory authority, and any previous violations.
The GDPR aims to harmonize the data protection rules across the EU and ensure a consistent enforcement of them. However, there may be differences in how each member state interprets and applies the data breach notification requirement. For example, some supervisory authorities may provide more guidance or flexibility on what constitutes a high-risk breach or when a notification is not required. Therefore, organizations should be aware of the specific rules and practices in each jurisdiction where they operate or offer services.
Data breach notification is not only a legal obligation but also a good practice that can help organizations mitigate the impact of a breach and restore trust with their customers and stakeholders. By reporting a breach promptly and transparently, organizations can demonstrate their accountability and responsibility for protecting personal data.
United States of America
The United States does not have a federal law that applies to all sectors and types of personal data. Instead, it has a patchwork of state laws that vary in terms of scope, definitions, thresholds, time frames, exemptions, and penalties. As of January 2024, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted some form of data breach notification law. Generally, these laws require data holders (the entities that own or license personal data) to notify the affected individuals and sometimes state authorities or consumer reporting agencies of a data breach involving personal information (such as name, social security number, financial account number, or biometric data) within a reasonable time frame, unless the breach does not pose a risk of identity theft or fraud.
CCPA
The California Consumer Privacy Act (CCPA) is a landmark legislation that grants Californians the right to know and control how their personal data is collected, used and shared by businesses. The CCPA also imposes obligations on businesses that process personal data of California residents, such as providing notice, honoring opt-out requests, and ensuring data security. One of the most important aspects of the CCPA is the data breach notification requirement.
Under the CCPA, businesses that experience a data breach involving unencrypted or unredacted personal data of California residents must notify them without unreasonable delay, unless the breach is unlikely to result in harm. The notification must be written in plain language, be titled "Notice of Data Breach", and include the following information:
The name and contact information of the business
A list of the categories of personal data that were involved in the breach
A brief description of the incident and the date or estimated date of occurrence
The measures taken or planned by the business to address the breach and prevent future incidents
Information on how the affected individuals can protect themselves from potential harm, such as contacting credit bureaus, monitoring their accounts, or filing a complaint with the Attorney General
Additionally, if a data breach affects more than 500 California residents, the business must also notify the Attorney General within 30 days of discovering the breach. The notification must include a copy of the notice sent to the affected individuals and any additional information that may be helpful for the investigation.
The CCPA also gives individuals the right to sue businesses for data breaches that result from their failure to implement and maintain reasonable security procedures and practices. Individuals can seek statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, as well as injunctive or declaratory relief and attorney's fees.
The CCPA data breach notification requirement is similar to but not identical to the existing California data breach notification law (California Civil Code sections 1798.29 and 1798.82), which applies to any person or entity that conducts business in California and owns or licenses personal data of California residents. The main differences are:
The CCPA covers unencrypted or unredacted personal data, while the existing law covers unencrypted personal data
The CCPA defines personal data as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household, while the existing law defines personal data as an individual's name in combination with certain identifiers, such as social security number, driver's license number, account number, etc.
The CCPA allows individuals to sue for statutory damages without proving actual harm, while the existing law requires proof of injury
Federal Data Breach Notification Laws
The following are some of the most relevant federal laws that impose data breach notification requirements on certain organizations:
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (such as health care providers, health plans, and health care clearinghouses) and their business associates (such as vendors or contractors that handle protected health information on behalf of covered entities) to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, of a breach of unsecured protected health information within 60 days of discovery. A breach is defined as an impermissible use or disclosure of protected health information that compromises its security or privacy. Unsecured protected health information is any information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction.
The Gramm-Leach-Bliley Act (GLBA) requires covered financial institutions (such as banks, credit unions, securities firms, insurance companies, and other businesses that offer financial products or services to consumers) to notify their customers and their primary federal regulator of a security breach involving customer information as soon as possible. Customer information is any information that a financial institution collects from its customers in connection with providing a financial product or service. A security breach is any unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.
The Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers recently issued by the FDIC require FDIC supervised banking organizations (such as state-chartered banks that are not members of the Federal Reserve System) to notify the FDIC within 36 hours of determining that they have suffered a computer security incident that (a) materially disrupts or degrades their ability to maintain banking operations or to deliver services to a material portion of their customers, (b) materially disrupts or degrades the operations of one or more business lines that could result in a material loss of revenue or decrease in their value, or (c) could pose a threat to the financial stability of the country. A computer security incident is any occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
State Data Breach Notification Laws
As mentioned above, all 50 states, Washington DC, and most US territories have their own data breach notification laws that apply to organizations that hold personal information of their residents. These laws vary widely in terms of their definitions, scope, triggers, and notifications.
China
Data breaches are becoming more frequent and severe in China, as well as around the world. Data breaches can cause serious harm to the rights and interests of data subjects, as well as reputational and legal risks for data controllers. Therefore, it is important for network operators (NOs) to understand their obligations and responsibilities under the Chinese laws and regulations regarding data breach notification.
The main legal framework for data breach notification in China consists of three laws: the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). These laws apply to all NOs that own or operate a network in China, as well as a subset of these entities that are defined as Critical Information Infrastructure Operators (CIIOs). CIIOs are NOs that provide services or products in key sectors such as public communication, information services, energy, transportation, water conservancy, finance, public services and e-government.
According to these laws, NOs have to implement technical and organizational measures to ensure the security and stability of their networks, prevent and respond to network security incidents, and protect the confidentiality, integrity and availability of the data running on their networks. Network security incidents include malicious program incidents, network attack incidents, data security incidents, information content security incidents, equipment and facility failure incidents, operational violation incidents, security risk incidents, abnormal behavior incidents, force majeure incidents and other cyber incidents.
In the event of a data breach or a potential data breach, NOs have to notify the relevant authorities and the affected data subjects as soon as possible. The relevant authorities include the local office of the Ministry of Industry and Information Technology (MIIT) and the Cyberspace Administration of China (CAC), as well as other regulators depending on the sector and the nature of the data involved. The notification should include the following information:
The categories of data affected by the breach
The reasons for the breach and the potential consequences
The remedial measures taken or planned by the NO
The contact information of the NO
The notification to the data subjects should also include advice on how to protect themselves from the risks arising from the breach. However, if the NO can effectively avoid or mitigate the harm caused by the breach, such as by encrypting or anonymizing the data, it may not need to notify the data subjects. The CAC or other regulators may also request or exempt the NO from notifying the data subjects depending on the impact of the breach.
The DSL and PIPL also introduce specific notification requirements for certain types of data breaches. For example, if a data breach involves personal information of more than 100,000 individuals or any important data, such as national security data or core business data, the NO has to notify the CAC and other relevant regulators within eight hours of discovering the breach. The NO also has to submit a second report within five working days after resolving the breach.
A natural question after a data breach is what penalties apply for violating China's data security laws. The CSL, DSL and PIPL do not specify any penalties for failing to notify a data breach. However, they do provide for general penalties for violating their provisions on data security management and protection, which may include warnings, rectification orders, fines, suspension of business activities, revocation of licenses or permits, confiscation of illegal gains and criminal liability. The amount of fines may vary depending on factors such as the severity of the breach, the number of affected individuals, the type of data involved and whether there was any malicious intent or negligence. For example, under the PIPL, if an NO fails to take necessary measures to protect personal information or causes serious consequences due to its violation of personal information protection rules, it may face a fine ranging from 1% to 10% of its annual revenue in China in the previous year. In addition, individuals who are directly responsible for such violations may also face fines ranging from 10,000 yuan to 100,000 yuan.
Australia
Australia has a federal law on data protection and data breach notification. The Privacy Act 1988 regulates the handling of personal information by most government agencies and private sector organizations. The Notifiable Data Breaches (NDB) scheme, which came into effect on February 22, 2018, requires these entities to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of a data breach involving personal information that is likely to result in serious harm (such as identity theft, financial loss, or physical harm) within 30 days of becoming aware of it.
Serious harm is not defined in the legislation, but it can include physical, psychological, emotional, financial or reputational harm. The OAIC has issued guidance on how to assess whether a data breach is likely to result in serious harm, taking into account factors such as:
The type and sensitivity of the personal information involved
The security measures protecting the personal information
The nature and extent of the unauthorized access or disclosure
The potential harm to the individuals and the organization
The characteristics of the individuals and the recipients of the personal information
Organizations and agencies must notify the OAIC and the affected individuals as soon as practicable after becoming aware of an eligible data breach. An eligible data breach occurs when:
There is unauthorized access to, or unauthorized disclosure of, or loss of personal information
A reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates
The organization or agency has not been able to prevent or mitigate the risk of serious harm through remedial action
There are some exceptions to the notification requirement, such as when:
The organization or agency has taken steps to contain the data breach and prevent further harm
The data breach is subject to secrecy provisions under other laws
The data breach relates to law enforcement activities or national security matters
The Information Commissioner has granted an exemption from notification
The notification must include:
The identity and contact details of the organization or agency
A description of the data breach
The kinds of personal information involved
Recommendations about the steps that individuals should take in response to the data breach
The notification can be given directly to the affected individuals by email, phone, mail or other means. Alternatively, if direct notification is not practicable, the organization or agency can publish a statement on its website and take reasonable steps to publicize it.
The penalties for failing to comply with the NDB scheme or the Privacy Act can be severe. Currently, the maximum penalty for serious or repeated breaches of privacy is AUD 2.1 million for organizations and AUD 420,000 for individuals. However, these penalties are set to increase significantly under draft legislation released by the Australian Government in October 2021.
The draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 proposes to:
Increase the maximum penalty for serious or repeated breaches of privacy to not more than the greater of AUD 10 million, or three times the value of any benefit obtained through the misuse of information, or 10% of the entity's annual Australian turnover
Provide the OAIC with new infringement notice powers backed by new penalties of up to AUD 63,000 for bodies corporate and AUD 12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
India
In India, there are two sets of regulations that impose reporting requirements for data breaches: the Digital Personal Data Protection Act, 2023 (DPDPA) and the Cyber Security Directions issued by the Indian Computer Emergency Response Team (CERT-In).
The DPDPA requires that in the event of a personal data breach, the data fiduciary must notify each affected data principal and the Data Protection Authority (DPA) as soon as possible. The notification must include:
The nature of the personal data breach
The number and categories of data principals affected
The possible consequences of the personal data breach
The measures taken or proposed to be taken by the data fiduciary to address the personal data breach
The contact details of a representative of the data fiduciary for further information
The DPDPA does not specify a fixed timeline for the notification, but it states that it must be done without undue delay. The DPA may also prescribe additional rules regarding the format and method of notification.
The DPDPA also empowers the DPA to impose penalties for non-compliance with the notification requirement. The penalties may range from Rs 5 crore (approximately USD 670,000) or 2% of the total worldwide turnover of the preceding financial year, whichever is higher, to Rs 15 crore (approximately USD 2 million) or 4% of the total worldwide turnover of the preceding financial year, whichever is higher.
The Cyber Security Directions are a set of guidelines issued by CERT-In on April 28, 2022. CERT-In is an agency under the Ministry of Electronics and Information Technology (MeitY) that is responsible for collecting, analyzing, and disseminating information on cyber incidents and providing emergency response services.
The Cyber Security Directions apply to all service providers, intermediaries, data centers, government organizations, and corporations that use information and communication technology (ICT) systems in India. The Cyber Security Directions define a cyber incident as any real or suspected adverse event in relation to cybersecurity that violates any explicitly or implicitly applicable security policy.
The Cyber Security Directions mandate that all such entities must report cyber incidents to CERT-In within six hours of noticing such incidents. The report must include:
The type and category of cyber incident
The date and time of occurrence
The impact and severity of cyber incident
The details of ICT systems affected
The remedial actions taken or proposed to be taken
The contact details of a representative of the entity for further information
The Cyber Security Directions also require that all such entities must maintain logs of all ICT systems for at least six months and provide them to CERT-In upon request.
The Cyber Security Directions do not specify any penalties for non-compliance with the reporting requirement. However, they state that failure to report cyber incidents may result in legal action under applicable laws.
Conclusion
These are just some examples of how different countries and regions approach data breach notification. There are many more variations and nuances across the world. Therefore, organizations that operate globally or handle personal data from multiple jurisdictions should be aware of the diverse and evolving legal requirements and best practices regarding data breach notification. They should also implement appropriate policies and procedures to prevent, detect, respond to, and recover from data breaches in a timely and effective manner.
Contact us if you need help updating or creating an incident management program to ensure your organization complies with these regulations.