Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.

As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?

A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.

Continue Reading An FAQ guide to data breach notifications in Singapore

On May 7, 2019, Governor Jay Inslee of Washington signed HB 1071 into law, which strengthens the state’s data breach notification law. Washington joins the growing list of states that have recently amended their breach notification laws. Although Washington’s law was amended in 2015, the law was initially enacted nearly 14 years ago. This amendment, like those of other states, is designed to better align with the way in which consumers interact with technology today. As consumers share more information about themselves via the internet, states continue to place the onus on the companies and organizations collecting that information to guard against its loss or misuse.

Washington’s amendment expands upon the breach notification law in the following key ways:

  • First, it shortens the period between the discovery of a breach of consumers’ personal information (as defined by the law) and the time in which notification of the breach must be provided to those consumers from 45 days to 30 days. This change also applies to notifications to the attorney general, who now must be notified within 30 days after the breach was discovered, also down from 45 days (the requirement to notify the attorney general still only applies if notification must be provided to more than 500 Washington residents).
  • Second, the notification to the attorney general must now also include:
    • A list of the types of personal information implicated in the breach;
    • The timeframe of exposure, if known, including the date of the breach and the date of its discovery;
    • A summary of steps taken to contain the breach; and
    • A sample copy of the breach notification letter without any personally identifiable information.

In the event that more information becomes known as the investigation into the breach progresses, updates must be provided to the attorney general under the amended law.

Continue Reading Washington becomes the latest state to amend its data breach notification law

In February, we reported that South Dakota and Alabama were the last two U.S. states without data breach notification laws. Since then, both states have enacted data breach laws.

South Dakota governor Dennis Daugaard signed South Dakota Bill No. 62 into law on March 21, making it the 49th state to pass a data breach notification law. The law integrates contemporary principles found in other recently enacted state data breach laws. These principles include a broad definition of personal information—for example, employee ID numbers together with an access code or biometric data fall within the scope of the definition. The law requires companies to disclose a breach to affected consumers no later than 60 days from the date of discovery or notification of the security incident. Affected consumers include any South Dakota resident whose “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Continue Reading A complete quilt: South Dakota and Alabama are final two states to enact data breach laws

There are currently only two U.S. states that do not have a state data breach notification law: South Dakota and Alabama. Recently, South Dakota took a big step toward approving a data breach notification law. On January 25, 2018, the state’s Senate Attorney Judiciary Committee advanced the bill after a 7–0 vote, sending it to

The Information Commissioner, Ms Elizabeth Denham, has published her comments on the European Commission’s consultation on the draft implementing regulation (“Implementing Regulation”) of the Network and Information Security Directive ((EU) 2016/1148) (“NIS Directive”).

The Implementing Regulation sets out the further elements that need to be taken into account by digital service providers (“DSPs”) under the NIS Directive for managing the risks posed to the security of their network and IT systems from cybersecurity threats, and sets out further parameters to determine whether an incident has a ‘substantial impact’ on their service.

While the Information Commissioner recognises the need to increase security of essential services, she cautioned against the ‘setting [of] overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.

Background

The Information Commissioner published her comments because it is proposed that the ICO will be the competent national authority in the United Kingdom for the regulation of DSPs under the NIS Directive. DSPs are:

  • Cloud service providers
  • Online marketplaces
  • Search engines

The NIS Directive details some of the factors which must be considered when assessing whether a breach has had a ‘substantial impact’. The Implementing Regulation expands on these factors and also provides specific parameters for when a notification will be required (e.g., if the incident caused material damage to a user which exceeds €1 million, or if the incident affected the provision of the services in two or more Member States).

Under the NIS Directive, a DSP will have to notify its competent national authority if it suffers an incident which has a ‘substantial impact’ on the service it provides.

Continue Reading ICO publishes response to consultation on European Commission’s implementing regulation to the NIS Directive

The Information Commissioner’s Office (ICO) has published a public consultation on changes to the notification process for organisations processing personal data. Currently, data controllers are required to submit and annually renew their notification with the ICO, describing the purposes of their personal data processing according to standard definitions.

In an attempt to simplify the notification

This post was written by Cynthia O’Donoghue.

On 25 January 2012 the EC proposed a uniform legal framework for providing legal certainty on data protection. The most notable proposed change is that from a European Directive to a Regulation (the Proposed Regulation) to ensure directly enforceable implementation across all Member States. The Proposed Regulation