Data breach notification now a component of privacy laws everywhere
Since the 1970s, European countries have been ahead of the US in adopting and enforcing privacy laws in every area except for data breach notification. On this subject, California led the way with its 2003 data breach law, which was followed by the other states over the next decade and more, with inconsistent provisions about whom to notify and when. But these laws were generally isolated from the wider set of rights and human rights frameworks which were the norm in Europe and in some laws elsewhere.
The 1995 European Community Data Protection Directive Art. 17 covered what organisations should do regarding data security. They should “implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access …” The controller must “choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.”
But there was nothing specific about what controllers or processors should do in the event of a data breach. By the time of the GDPR’s adoption in 2016 and full application in May 2018, the message from the US had reached Europe that data breach notification to the Supervisory Authorities and the affected individuals could and should play a role in encouraging data controllers and processors to take more seriously the protection of the personal data in their care.
As a result, in nearly every month of the last three years there have been reports of theft or loss of personal data from organisations, caused by inadequate security provisions, staff training and cyber defences. In this edition, we report that Ireland’s Data Protection Commission stated earlier this month that a dataset, apparently sourced from Facebook, has appeared on a hacking website and contains records of 533 million individuals.
On 9 April, the Netherlands’ DPA fined Booking.com €475,000 for reporting the breach too late. Data breaches must be reported within 72 hours. Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which was 22 days too late. The breach involved personal data of over 4,000 customers. Credit card information of nearly 300 people was exposed. In 97 cases, the criminals obtained the cards’ PIN codes as well.
Data losses can occur for multiple reasons: external attacks, malicious insiders, and/or staff naively downloading unofficial apps and programs to carry out a task more quickly or easily than going through the authorised IT and data security approved channels.
The EDPB’s practical guidelines
The European Data Protection Board (EDPB) has published very useful draft guidelines in the form of Practical Scenarios for Data Breach Notification Analysis Under the GDPR. This document is highly practical because it “reflects the common experiences of the Supervisory Authorities of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.”
The EDPB draft guidelines present 18 helpful examples in 31 pages of how data controllers should “handle data breaches and what factors [they should] consider during risk assessment.” The example scenarios are presented in six broad categories:
- ransomware attacks
- data exfiltration attacks
- internal human risks, such as employee errors and former employee misconduct
- lost or stolen devices and paper documents
- inadvertent disclosures, such as personal data sent by post by mistake, and
- social engineering, such as identity theft and email exfiltration.
Data breach notification applies now in both free market and communist societies
Such rules are now commonplace on every continent because, while a human rights framework for privacy laws is culturally determined, everyone (except the criminals) can agree that the theft and loss of personal data is wrong and damages the affected organisation’s reputation and that of the society in which it occurs.
That is why even the most entrepreneurial societies have strict rules on data security, such as Singapore, where notifiable data breaches must now be reported to the Personal Data Protection Commission and the affected individuals. The new Data Breach Notification Obligation was adopted after a series of major data leaks that affected millions of Singaporeans.
In Communist Vietnam, similar provisions apply: companies covered by the Law on Cyber Security of 2018 must promptly notify data breaches to the Cybersecurity Department of the Ministry of Public Security, and must notify affected users directly of such breaches.
PL&B webinars and podcasts
We continue with our series of online events, including Meet the South African and Mauritius Regulators and Professor Greenleaf’s Asia webinars and Privacy Paths podcasts (pp.1 and 20). We look forward to meeting you there and, pandemic permitting, at live events later this year.
Stewart Dresner, Publisher
International Report 170
Singapore DP law amendments: Practical implications
Data breach notification becomes mandatory. By Grace Chen, privacy lawyer, and Dr Clarisse Girot of the Asian Business Law Institute in Singapore.
Vietnam: Data privacy in a communist ASEAN state
As Vietnam issues a draft data protection decree, Graham Greenleaf highlights the role of a DPA, data localisation requirements and potential strong fining power.