If a tree falls in the woods, but no-one sees or hears it, did it ever really happen? Tough question. Here’s another one. If a data breach occurs, but the data subject does not know of it, did it ever really happen? Data breach notification regimes exist to avoid this particular philosophical question. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains what a notifiable personal data breach is, and how to comply with those notification obligations.
What is a notifiable personal data breach
A personal data breach is the unauthorised access, loss, use, processing, destruction, or alteration of personal data. Some aspects of this description may vary according to each jurisdiction, but this broadly captures the key elements of a personal data breach. It is broader than an intentional act such as hacking by a cybercriminal. Also, unauthorised access to personal data is a breach, even if no personal data was lost or destroyed in the breach. The key elements are the description of the event or its consequence, not its cause or the intention of the person that caused it.
Not all personal data breaches are notifiable to privacy regulators. In fact, in Hong Kong there is no statutory obligation to notify personal data breaches to the Privacy Commissioner as yet. This is expected to change once announced changes to the laws are implemented.
Notification is an obligation required under specific laws and regulations. The obligation to report is a legal question for which legal advice is needed. This must be assessed on a case-by-case basis.
A personal data breach must reach a threshold of harm before it becomes notifiable to a privacy regulator. So, a personal data breach should be notified if there is a material and real risk of harm to data subjects. The factors to take into account in this assessment include:
- the type, sensitivity and amount of personal data in the breach
- the security of the personal data involved
- the number of affected data subjects
- any special characteristics of the personal data breach, the data controller/user or the data subjects.
To whom should notification be given
The two key classes of persons to consider notifying are privacy regulators and the data subjects. Different considerations arise for each of them. In general, a lower threshold triggers the obligation to notify the privacy regulator. For instance, under GDPR in the EU, all personal data breaches must be notified to the competent authority, except if the breach is unlikely to result in a risk to the rights and freedoms of individuals. However, notification to data subjects is only required if the breach is likely to result in a high risk to the rights and freedoms of individuals. The threshold for the regulator is to notify when there is any risk – erring on the side of notification. The threshold for the data subject is to notify when there is a high risk.
This demonstrates a policy of encouraging notification to privacy regulators. This allows privacy regulators to be involved and provide guidance from an early stage when a personal data breach occurs. This also provides privacy regulators with more accurate information about the data breach landscape.
More humane concerns arise in respect of notifications to data subjects. Certain data subjects may be in a vulnerable situation (e.g. elderly or incapacitated), or may be ill-equipped to gauge and understand the consequences of the personal data breach. Nonetheless, when the level of risk requires, the obligation to notify data subjects will be triggered.
Privacy regulators and data subjects are not the only categories of persons to whom a notification may be needed. Others include:
- Sector-specific notifications: This is common in regulated sectors such as financial services or professional services. This may also arise in the healthcare and pharmaceutical industries.
- Contractual obligations: There may be contractual obligations to notify other businesses. This will be the case for data processors, who are invariably under a contractual (and sometimes statutory) obligation to notify data breaches to their data controller/user. However, contractual obligations to notify personal data breaches also arise in a wide range of commercial contracts.
- Insurance: If the business has taken out cybersecurity insurance, then there will be an obligation to notify the insurer as soon as practicable for the policy coverage to be triggered.
- Risk mitigation notifications: An early assessment of the personal data involved in a personal data breach may make it prudent to notify other persons in order to mitigate the harm to data subjects and to minimise the potential loss or liability involved. An example of that might be notification to banks and credit card issuers to mitigate the risk of credit card fraud.
The content of a personal data breach notification must meet the minimum requirement set out in the corresponding law for that notification. This is a matter for which legal advice is needed. The content of the data breach notification will form the basis on which subsequent inquiry and investigation will follow.
The content for a data breach notification to a privacy regulator will typically include:
- description of the data security incident
- cause of the personal data breach
- type and amount of personal data involved
- type and category of data subjects involved
- assessment of the likely consequences of the data breach and the risk of harm
- remedial action taken by the data user to mitigate the risk of harm
- action that data subjects should take
- name, title and full contact details of the person responsible for engaging with the privacy regulator
The content of a data breach notification to a data subject will contain slightly less detailed information, and will typically include:
- description of the likely consequences of the data breach
- description of the measures taken or proposed to be taken to address the breach, including mitigation for adverse consequences
- name, title and full contact details of the person responsible for engaging with data users
The content of data breach notifications to data subjects must be written in plain and simple terms.
The general obligation in respect of personal data breach notifications to privacy regulators is that the notification must be given without undue delay and as soon as practicable. Many jurisdictions impose specific timeframes. These must be checked in respect of each set of laws to ensure that notice is given within the prescribed period. For instance, if the relevant privacy regulator is a supervisory authority in the EU, then businesses must notify the relevant supervisory authority within 72 hours of becoming aware of the personal data breach. In Hong Kong, the proposed data breach notification regime will include an obligation to notify the Privacy Commissioner within five business days.
These aggressive notification timelines are intentionally set to help drive the adoption by businesses of proper cybersecurity systems, policies and procedures, and encourage ethical accountability in respect of information security. A business will not be able to adequately deliver the content needed in the notification unless it has systems that promptly deliver accurate and necessary information, and policies and procedures to outline how to respond swiftly when it learns of a personal data breach.
The often very short notification timeline again underlines the importance of engaging external legal counsel in advance of any notifiable personal data breach. This will ensure that external legal counsel will be ready to act immediately and to assist with the preparation of the personal data breach notification as soon as instructions are given. Otherwise, delays may arise by virtue of the normal client onboarding processes required by law firms (and all professional service providers).
Data breach notifications are a very serious part of the data breach response plan. On the one hand, the notice must meet a minimum legal compliance standard in most jurisdictions. However, the notification will set the tone for many other elements of the data breach response. It will foreshadow the nature of enquiry and investigation by regulatory bodies, and start the public-facing part of the data breach response. An ill-conceived, inaccurate or disproportionate notification of a personal data breach may result in more harm to data subjects, and increased liability and reputational damage to the business.
Data breach notifications form part of a communication strategy. One of the challenges in breach notifications is to ensure consistent, accurate and complete communication of information to all persons that need to be notified. This applies on a number of levels. Communications certainly have a legal component, particularly with regulators. However, the subject of communication management is broader than just regulatory reporting obligations. The engagement of public relations and communication consultants with experience in crisis communications is often a necessary, prudent and helpful step.
It is important to involve external legal counsel from the start. In the course of advising, external legal counsel may engage external technical experts, gather information about the breach and provide legal advice. This early involvement may help legal professional privilege to attach to confidential internal and external communications about the personal data breach.
Data breach notifications are primarily a legal matter for which legal advice is needed. We, at Tanner De Witt, are here to help you.