02/03/2018
Australia recently became the sixth country in Asia to require some form of mandatory notification to the relevant authorities and/or affected individuals in the event of a data breach. In this article we consider the genesis of data breach notification laws in the US, the similarities and differences across affected countries in Asia Pacific and how it compares to the EU’s General Data Protection Regulation (GDPR) which comes into effect in May this year.
The picture that is emerging suggests that mandatory data breach notification laws are spreading quickly, perceived to be both “best practice” and politically popular. It also seems likely that consensus on the form of future mandatory notification laws will draw heavily from the US, EU and Australian models.
Born in the USA
The first mandatory data breach notification law was passed in California in 2002, in response to an increasing number of incidents where personal information of consumers and employees were being accessed by hackers, accidentally published to the internet, or lost on misplaced storage media. The law required government agencies and businesses in the state to provide written notice to California residents if they became aware that an unauthorised person had obtained access to their personal information. The law only applied to unencrypted electronic data.
The Californian model was quickly adopted by other US states. Today, 48 US states, the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have mandatory data breach notification laws (Alabama and South Dakota are the two states that have not passed such laws). However, these state laws vary significantly in the types of information they cover, which breaches are notifiable, and how notice must be provided. In 2012, the Obama administration proposed a national law that would provide a single set of rules for data breach notification across the US; however, this effort was unsuccessful.
Asia Pacific and beyond
From the US, mandatory data breach notification laws have spread worldwide. In Asia-Pacific, six jurisdictions now have such laws: Australia, South Korea, the Philippines, the mainland China, Indonesia and Taiwan. However, only the first three of these jurisdictions have detailed notification requirements. Mainland China, Indonesia and Taiwan have a basic requirement to notify data breaches, but with little or no detail about how and when a breach must be notified.
Singapore recently introduced a new Cybersecurity Act aimed specifically at 11 key industry sectors, which requires the owners of designated “critical information infrastructures” to report cybersecurity threats or incidents which affect those infrastructures to the Singapore Cyber Security Agency.
In Australia, the recent amendments to the Privacy Act requires federal government agencies and large private sector businesses to notify data breaches which are likely to cause serious harm to any individual to the Office of the Australian Information Commissioner and to affected individuals.
Arguably the biggest development in mandatory data breach notification laws in 2018 will be the new European Union General Data Protection Regulation (the “GDPR”), which comes into effect in May. The GDPR will introduce mandatory notification requirements for every country in the EU. In addition, the GDPR has extraterritorial effect, and applies to any organisation outside the EU who is offering goods or services to, or monitoring, individuals located in the EU.
How serious is it? Setting a threshold
Some countries require all data breaches of any size to be notified; others limit notification to large or serious breaches.
As discussed in a previous article, in Australia, a data breach will be notifiable if a reasonable person would conclude that the unauthorised access or disclosure of personal information is likely to result in serious harm to any of the individuals to whom the personal information relates. “Serious harm” could include physical, psychological, emotional, economic or reputational harm.
The Philippines has a similar threshold. Under Philippine law, breaches are only notifiable if they involve sensitive personal information or information that may be used to commit identity fraud. The Philippines law uses the standard of a “real risk” of serious harm, rather than a likelihood of serious harm as in Australia.
By contrast, South Korea, Mainland China, Indonesia and Taiwan require that all data breaches be notified to affected individuals, regardless of the type of breach or potential for harm - there is no minimum standard of seriousness. Surprisingly, South Korea only requires data breaches to be notified to government if the breach involves more than 10,000 records. Taiwan does not require that authorities be notified at all.
Under the GDPR, a data breach must be notified to the relevant data protection authority if it is “likely to result in a risk to the rights and freedoms of individuals”. A data breach must also be notified to affected individuals if that risk is high. There is currently little guidance as to when the consequences of a data breach will be considered to pose a risk to the rights and freedoms of individuals. Presumably, financial, psychological, emotional, reputational or physical harm to an individual could all be said to interfere with that individual’s rights or freedoms. Therefore, in practice, “likely to result in a risk to the rights and freedoms of individuals” may be similar to, or perhaps broader than, the Australian standard of “likely to result in serious harm”.
How long do I have? Timeframes for notification
The Australian law does not prescribe a specific timeframe for notification. It requires that an organisation which suffers or reasonably believes it has suffered an eligible data breach must notify the Office of the Australian Information Commissioner and the affected individuals “as soon as practicable”.
This is consistent with the approach in most jurisdictions, which variously require that data breaches be notified “without undue delay”, “without unreasonable delay” or “expeditiously”. Many jurisdictions also allow a notification to be delayed to avoid prejudicing a criminal investigation or for other public policy reasons.
The Australian law does specify that an organisation which suspects it may have suffered an eligible data breach must take all reasonable steps to investigate whether it has in fact suffered an eligible data breach within 30 days. However, this is a “reasonable efforts” timeframe rather than an absolute obligation; and once an organisation determines that an eligible data breach has occurred, it reverts to an obligation to notify the regulator as soon as practicable.
In the US, only three of the 48 States with a mandatory notification law impose a specific timeframe for notification. Florida requires a breached entity to notify within 30 days, while Ohio and Wisconsin set a threshold of 45 days.
The EU model is unique in that it requires that data controllers notify the regulator of a data breach within 72 hours of becoming aware of the breach, where that is feasible. Otherwise, the breach must be notified without undue delay.
This requirement has raised considerable concern within industry, because 72 hours is a very tight timeframe in the context of a data breach, particularly if a breach occurs outside office hours. It would not be uncommon for a business to still be conducting remediation efforts at the 72 hour mark; it may not even have started investigating the scope and cause of the breach. In a study of 94 major data breaches over the past decade, the Commonwealth Bank of Australia found that the median time between discovery and public announcement of a data breach was 15 days.
However, the GDPR also specifies that an entity can provide notification of a breach in several phases as information becomes available, and it seems likely that many controllers in the EU will issue little more than a holding statement as their initial 72 hour notification.
What do I need to say? The contents of the notice
The requirements for the content of the notice are broadly consistent across jurisdictions, with only minor variations.
In Australia, the notice must set out the identity and contact details of the organisation, a description of the breach, the types of personal information that were disclosed and recommendations about the steps that affected individuals should take in response to the breach.
The Philippines requirements are very similar to those in Australia: the notice must set out a description of the breach, the types of personal information that were involved and the measures the entity is taking in response to the breach. In South Korea, the requirements are the same except that the notice must also contain contact details for the breached entity.
Under the GDPR, the notice must contain a description of the breach (including type and numbers of individuals and records affected), provide contact details for data protection officer or contact person, describe likely consequences of breach and describe remedial and mitigation measures taken/proposed.
Conclusions
Two key points emerge from a comparison of mandatory data breach notification laws.
The first is that mandatory data breach notification laws are spreading quickly. Mandatory notification is not only seen as “best practice” for any modern economy, but is highly politically popular. A survey conducted by the Office of the Australian Information Commissioner when data breach notification laws were proposed in Australia found that 91% of Australians would want to know if a company lost their personal information; it seems likely that a similar level of support for mandatory notification would exist in most countries.
The second is that it seems likely that a consensus will begin to emerge as to the form that mandatory data breach notification laws should take, based on the US, EU and Australian models. As the number of data breaches multiply, it seems likely that most jurisdictions will opt for some kind of “threshold”, so that only serious or large data breaches need be reported. It also seems likely that lawmakers will avoid setting explicit timeframes for notification, instead requiring that breaches be notified as quickly as practicable after they are discovered. The notice requirements are already very similar across jurisdictions, and it seems likely that this will continue to be the case.
This means that all businesses – whether they are currently subject to mandatory notification requirements or not – should think about their plans for responding to a data breach and ensure that those plans make provision for notifying affected individuals and regulators in accordance with local law.
As part of this planning, businesses should consider:
Kennedys has experienced data privacy and cyber liability teams who can answer your questions about mandatory data breach notification laws and help your business put a data breach response plan in place.
