On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/279 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.

What is a personal data breach?

Article 4(12) of the GDPR broadly defines this as a breach of security which could lead to loss, destruction, damage or unauthorised disclosure or access to personal data. WP29 explains that security breaches can be categorised according to the following three principles:

  • Confidentiality breach: unauthorised or accidental disclosure or access to personal data
  • Integrity breach: unauthorised or accidental alteration of personal data
  • Availability breach: unauthorised or accidental loss of access or destruction of personal data

WP29 notes that an availability breach may be less obvious. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.

When do you need to notify the supervisory authority?

Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority within 72 hours after having become aware of it.

WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:

  • Loss of unencrypted CD – controller becomes aware when it realises the CD is lost despite not knowing if unauthorised persons gained access to the data
  • Third party informs controller they have accidentally received a customer’s personal data – controller becomes aware as soon as it has been informed
  • Cybercriminal contacts controller with ransom demand after hacking its system – controller becomes aware immediately

Continue Reading Article 29 Working Party publishes guidelines on personal data breach notification

On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005.  The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of “personal information” to include medical information, biometric identifiers, and electronic signatures; and adds additional breach notification and credit monitoring requirements.  The bill comes on the heels of other amendments to data breach notification requirements by states such as California, Illinois, Nebraska, Tennessee, and Arizona.

Reasonable Data Security

Delaware’s amended data breach law now requires that any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business.

Delaware now joins at least 13 other states with data breach laws that affirmatively require private organizations to maintain reasonable security procedures and practices.  Under Delaware’s amended data breach law and similar state statutes, private organizations may incur liability for failing to maintain adequate security controls, even where breach notifications to residents are not required.

Breach Notification and Credit Monitoring

Delaware’s amended data breach law also requires that organizations shall provide notice to Delaware residents that their personal information was breached or is reasonably believed to have been breached without “unreasonable delay,” and no later than 60 days after the discovery of the breach, unless a shorter notification period is required by federal laws (e.g., HIPAA or the GLBA), or law enforcement requests a delay. Organizations are not required to provide notice if an investigation reveals that the breach was unlikely to result in harm to the affected residents.

The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.

In addition, the amended law now requires organizations to provide one year of credit monitoring to Delaware residents whose Social Security numbers may have been exposed as part of the breach. This provision mirrors similar provisions in California and Connecticut.
Continue Reading Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice

Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals potentially affected by a breach,” and to provide “guidance on whether and how to provide notification and services to those individuals.” The implementation of common federal agency standards and processes is oriented to not only streamline the way agencies deal with the release of PII, but to also ensure that the federal government is capable of handling data breaches in an effective and efficient manner.

Among the more notable requirements in the guidelines are those imposed on federal contractors who collect or maintain federal information, or who use or operate information systems on behalf of a federal agency. The OMB outlines terms for agencies to incorporate into federal contracts and cooperative agreements, including requiring that contractors and subcontractors:
Continue Reading OMB Federal Agency Data Breach Guidelines – Considerations for Industry

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.

Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”

The Guide outlines tasks for companies affected by a breach:

  • Secure Your Operation
  • Fix Vulnerabilities
  • Notify Appropriate Parties

Continue Reading FTC’s New Guidelines Provide Agency View on Data Breach Response

Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident.  His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on companies to comply with the patchwork of state data breach laws is too heavy, and that state laws should be harmonized to lessen that burden.

Speaking at the National Association of Attorneys General summit May 3, Olens asserted, “I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”

Rather than requiring companies that have been hacked to report to 30 different AGs with 30 different forms, Olens said, there should be a standard form that both the federal government and the states use.  He pointed out that treating hacked companies as the bad guys right off the bat and imposing the immense burden of such rigorous and varying compliance is counterproductive.
Continue Reading Georgia Attorney General Supports Federal Data Breach Standard

Businesses scrambling to comply with the dozens of varying state laws governing data privacy and security breaches may have a new ally in California Attorney General Kamala Harris, but they shouldn’t expect her to relax any standards.

In her introduction to the 2016 California Data Breach Report, Harris addressed the concerns of many who have pointed out the inconsistencies and wildly different requirements for handling a breach among the states. Rather than a federal breach law that would preempt the laws of forty-seven states — including the very protective standard in California – the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, Harris proposed that states come to an agreement on certain key points.
Continue Reading California AG Proposes State Consensus on Breach Laws

U.S. tech giants, like Google and Facebook, found themselves caught between the European Parliament and the European Commission as disagreements continue as to whether Internet service providers should be included within the definition of ‘market operators’ in the Proposed Directive on Network and Information Security (IP/13/94) (the ‘Directive’). Currently, the EU Commission would like to see both search engines and social networks included, whereas the European Parliament prefers a common European framework focusing on critical infrastructure only, such as financial services and power stations.

The EU Parliamentary view is that broadening the scope of the Directive risks undermining the aim of the law which is to protect key or critical services, whereas including ISPs, and as a consequence some U.S. tech giants, would require the tech giants to report global cyber attacks to each of 28 member states’ respective regulators. Those arguing against ISP inclusion argue that they are already highly regulated, and that many of the requirements contained in the proposed Directive are already provided for by commercial contracts and service level agreements, and that the introduction of additional legislation would create added complexity and have a negative impact on innovation within the tech industry.
Continue Reading Tech giants caught between EU disagreements on scope of Proposed Network and Information Security Directive

On April 17, advocates in support of a federal data security and breach notification law achieved a victory when the House Energy and Commerce Committee passed a bill supporting national legislation. The proposed Data Security and Notification Act of 2015 (the “Act”) seeks to codify uniform regulations governing consumer personal information throughout the United States.

On April 13, the Washington State Senate unanimously passed an amendment to the state’s data breach notification law. The amendment, which was requested by Washington Attorney General Bob Ferguson, and which we discussed in this previous post, passed the state house of representatives in March and is now awaiting the governor’s signature. The law

The federal government may be pushing a cybersecurity and data privacy agenda, but that doesn’t mean that the states are taking a back seat. The state attorneys general are maintaining their focus on issues relating to privacy and data security and expanding the scope of that focus to address the ever-evolving nature of those