What about sector-specific notification requirements?
In addition, many jurisdictions include sector-specific notification requirements. These additional data breach notification requirements apply to organisations based on the sectors in which they operate, and they can be imposed under national, state or trans-national regulatory regimes. While some are specific to personal data breaches, others apply more generally to security breaches or to other events that are likely to affect an organisation's viability or reputation.
One example already noted is the Californian Health and Safety Code, which mandates notification of data breaches involving medical information. Organisations need to be aware of the additional personal data protection and personal data breach notification obligations that may apply to them based on the sectors in which they operate. The key sectors that commonly carry additional requirements affecting personal data breach notification are as follows.
Financial services
There is a wide range of notification and regulatory obligations imposed around the globe on financial sector organisations. These include obligations that form part of general industry-wide prudential and regulatory standards, or that are specific conditions of financial services operating licences. Typically these measures are aimed at ensuring a stable and viable financial sector.
An example of this type of requirement is SUP 15.3.1 of the UK Financial Conduct Authority (FCA) Supervision Manual. This rule requires a regulated firm to notify the FCA immediately if it becomes aware, or has information which reasonably suggests, that any matter (that has occurred, may have occurred, or may occur in the foreseeable future) could have a significant adverse impact on the firm's reputation. As seen with recent high-profile personal data breaches, a breach can have a significant impact on an organisation's reputation, particularly where privacy regulators or the public consider that appropriate security procedures were not in place.
Similar notification obligations apply under the Corporations Act 2001 (Cth) in Australia where a personal data breach may demonstrate that a financial services licensee is not competent, does not have adequate resources to provide its services, or does not have adequate risk management services. Depending on the scope of the personal data breach, similar requirements may also apply more generally to all publicly listed companies, which may need to make disclosure to stock markets.
Health
As noted above, medical information is one area where legislation has been extensive in its protection of personal data, and accordingly there are also additional personal data breach notification obligations. Under the Californian Health and Safety Code, the notification requirements that apply to medical information data breaches are more expansive than those for a general personal data breach, and the code also allows the Californian Attorney-General to issue significant penalties where it has been breached.
In Australia, additional privacy obligations apply to organisations holding health information: the small business exemptions under the Privacy Act do not apply to organisations that provide a health service and hold health information (other than in an employee record). This has the effect of expanding mandatory personal data breach notification obligations. There are also additional personal data breach notification requirements under the My Health Records Act 2012 (Cth) for certain organisations with access to the Australian Government's My Health Records system. These require notification of unauthorised collection, use or disclosure of health information included in a healthcare recipient's My Health Record, or of circumstances that compromise or may compromise the security or integrity of the system.
Telecommunications
A number of countries have implemented data retention obligations for telecommunications providers, which has emphasised the need to regulate how such records are retained. In Australia, section 187LA of the Telecommunications (Interception and Access) Act 1979 (Cth) extends the definition of personal information under the Privacy Act, in respect of carriage service providers and internet service providers, to include the information retained under the data retention scheme. One effect of this change is to extend the scope of mandatory personal data breach notification to these additional records.
Government data
Additional requirements often apply to the protection of personal information that is held as part of government data. The My Health Records example above illustrates this, but it also applies to other information such as tax file records. For example, in Australia the mandatory personal data breach notification requirements under the Privacy Act additionally cover tax file number recipients, which extends the notification obligations to organisations that are in possession or control of records containing tax file number information.
So there are lots of regulations, but what should I do about it?
The obligations for personal data breach notification are complex: they vary between jurisdictions, and within a jurisdiction they vary with the type of information that an organisation collects or has access to. However, there are some key steps that all organisations should take to manage their readiness for a personal data breach and to ensure that appropriate systems are in place to meet both their personal data breach notification obligations and their more general personal data security obligations.
All organisations handling personal information should:
- ensure that they have a clear understanding of the types of records they hold. This includes keeping a clear record of how the information was obtained, and recording any conditions of use or consents given by the relevant individuals;
- identify and map the applicable regulatory requirements against the information that is held, so that the organisation knows clearly which requirements apply, both to storage and access and in the event of a personal data breach; and
- prepare a personal data breach plan, identifying as part of a risk assessment:
  - the most likely causes of a personal data breach;
  - measures to eliminate or mitigate the impact of a breach before it occurs (which may include internal protections such as encryption or firewalls);
  - the process for responding to a breach to further mitigate its impact; and
  - the process for notifying relevant regulators and individuals in accordance with regulatory timeframes.
Typically this process will require an organisation to commission a data audit to consolidate what is known about its existing records, and to conduct regular compliance audits to ensure the required processes are being followed.
In February 2018 mandatory personal data breach notification laws were introduced in Australia as part of amendments to the Privacy Act 1988 (Cth), requiring organisations to notify eligible data breaches to both the affected individuals and the Australian Information Commissioner. The introduction of mandatory personal data breach notification reflects a growing global trend towards giving individuals more control over, and awareness of, how organisations that access their personal data behave. This is also reflected in the recent introduction in Europe of the General Data Protection Regulation (GDPR), and in the recent California Consumer Privacy Act of 2018, which introduces many GDPR-like rights for individual consumers in that state from 2020.
The reality for organisations handling personal data is that these laws often rely on vague concepts, may require different standards of protection and breach notification in each country or region, and potentially expose the organisation to very significant financial penalties for non-compliance. This makes it a difficult task for compliance officers to ensure that the relevant regulatory requirements are met. Further complicating the task, the GDPR (and indeed other privacy regulations) can apply without any obvious link to an organisation's day-to-day operations, simply by virtue of where personal data is stored or processed, or where customers reside.
Below is an overview of requirements for notification of personal data breaches in some key jurisdictions.
What is a personal data breach?
While each country or region has its own legal definition, a personal data breach is generally any circumstances where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, including where such information is lost or unavailable for a period of time.
While it is difficult to measure the global number of personal data breaches, the reported number appears to be rising, along with greater media attention and the potential for the organisations involved to suffer significant public backlash as well as regulatory fines. For the January to March 2018 quarter, 957 personal data breaches were notified to the UK Information Commissioner's Office under the applicable UK regulations. While possibly influenced by greater recent awareness, this was a 17% increase over the previous quarter, with the health sector having the highest incidence of breaches (a total of 121). These figures also demonstrate the prevalence of preventable accidental disclosure, with approximately half of all notified breaches being caused by a combination of:
- data posted or faxed to an incorrect recipient;
- data sent by email to an incorrect recipient;
- loss or theft of paperwork;
- failure to redact data; or
- failure to use bcc (blind copy) when sending emails to a bulk mailing list.
A total of 96 cyber security related incidents were notified in the same quarter (a 31% increase on the prior quarter).
Australia's own mandatory personal data breach notification requirements have only been in place since February 2018, but in the first report, covering the period to the end of March 2018, a total of 63 breaches were notified to the Information Commissioner. As in the UK figures, the health sector had the highest incidence of personal data breaches. The majority of breaches (78%) involved disclosure of an individual's contact information. Malicious or criminal attacks made up 28% of the notifications and human error 32%.
While the focus is often on malicious outsiders, what is clear from the reported data is that a significant proportion of personal data breaches occur because an organisation does not have appropriate procedures in place to manage personal data. Such procedures can prevent both accidental disclosure and the lapses in security that allow malicious attacks to succeed. The lack of appropriate procedures to secure personal data is compounded where an organisation has also failed to implement a personal data breach response plan, whose goal is to put in place clear processes for responding immediately to a personal data breach, mitigating its impact, and complying with the applicable notification requirements.
What types of personal data breach need to be notified?
Each country or region has its own regulations, with different obligations on personal data breach notification. These range from very strict notification timeframes backed by significant financial penalties, to voluntary disclosure guidelines only. Organisations that have customers outside Australia, or that use international suppliers or data centres, need to understand the different regulatory arrangements that may apply, and to put in place appropriate processes to prevent breaches and to respond within the required timeframes.
The key personal data breach notification requirements in a number of jurisdictions where Australian organisations commonly operate or are otherwise regulated as part of their supply chain are:
Australia: Privacy Act
The Privacy Act requires the notification of eligible data breaches to both individuals and the Information Commissioner. However, the definition of an eligible data breach is limited to data breaches where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Unlike the position in the EU noted below, Australia does not have a set timeframe within which eligible data breaches must be notified. Rather, the entity must prepare a statement of the breach and provide it to the Information Commissioner as soon as practicable after the entity becomes aware of an eligible data breach, as well as notifying individuals as soon as practicable after preparing the statement (unless a specific exception applies).
Serious harm is not defined, but relevant factors are listed, including the sensitivity of the information, the effectiveness of applicable security measures (such as encryption) and who has obtained access. There are also exceptions to the requirement to notify where an entity takes remedial action before any serious harm is caused.
One further aspect that distinguishes the Australian requirements from the others examined below is that the notification obligations are imposed jointly on all relevant entities that hold the record of personal information (which may include an outsourced service provider). The relevant entities therefore need to determine between them who should make the required notifications. Other regulatory regimes typically impose the obligation to notify on the entity with control or ownership of the personal data, with organisations that process data on its behalf (such as service providers) having a secondary obligation to ensure the controller or owner is able to make the required notifications.
European Union: GDPR
The requirement for notification of personal data breaches under the GDPR differs from that applicable in Australia. The GDPR applies a split test to determine whether a personal data breach must be notified, with a different standard for notification to the supervisory authority and for communication to the affected individuals:
- the data controller must notify the competent supervisory authority of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; and
- where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also communicate the breach to the affected individuals.
The GDPR highlights that a personal data breach can result in a range of significant adverse effects on the rights and freedoms of natural persons. This is identified broadly to include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.
Compared to the Australian requirement, the notification obligations under the GDPR are significantly broader in the scope of personal data breaches that must be notified to supervisory authorities: each breach must be notified unless it has been assessed and found unlikely to affect the individuals' rights noted above. Although the requirement to notify individuals refers to a "high risk", which is more onerous than in Australia, the rights noted above are more broadly expressed and may again extend the obligation to notify individuals under the GDPR beyond what would be considered "serious" in Australia. This broader application likely stems from the greater emphasis under European law on an individual's fundamental right to privacy.
The GDPR requires that notification to the supervisory authority and to affected individuals be made without undue delay. This is similar to the Australian requirement, but for supervisory authorities there is an additional requirement that notification be made, where feasible, no later than 72 hours after the data controller becomes aware of the breach. Although qualified, it is clear from the guidance issued that the 72-hour requirement is the normal expectation, and exceptional circumstances would be needed to justify missing it. As noted above, the 72-hour period also commences when a third party processing data on behalf of a data controller becomes aware of the breach, so the data controller is responsible for ensuring that procedures are in place to allow the timeframe to be met.
California: California Civil Code 1798.82 and Cal. Health and Safety Code 1280.15*
While consumer protection laws extend limited protection to personal data at the national level in the United States, and the US Congress has recently debated a number of data breach notification requirements, notification of personal data breaches is still substantially regulated at the state level. Most states have introduced some form of personal data breach notification obligation. California has regulated this through both a general personal data breach notification law in its Civil Code and specific laws that require notification of data breaches involving medical information.
California's Civil Code requires a business or state agency holding computerised data that includes personal information to notify any Californian resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorised person. If more than 500 individuals are to be notified, a sample of the breach notification must also be submitted to the Californian Attorney General.
The disclosure must be made in the most expedient time possible and without unreasonable delay. Similar to the GDPR, the notification obligation applies to the entity that owns or licenses the data containing personal information, while an entity that maintains such data it does not own must notify the owner or licensee immediately.
While this notification requirement applies very broadly, without reference to the harm caused by the data breach, it is narrower than the Australian and EU regulations because the definition of personal information is limited. Personal information under the Californian Civil Code must contain the individual's:
- first name (or initial) and last name, in combination with specific additional identifying elements; or
- user name or email address in combination with a password or security question permitting access to an online account.
In comparison, the separate data breach notification laws applying to medical information under the Californian Health and Safety Code apply generally to any data breach that involves medical information, which is defined more broadly to include any individually identifiable information in the possession of, or derived from, a provider of health care, etc.
* California has recently passed the California Consumer Privacy Act of 2018, which supplements the existing laws by introducing broad consumer privacy rights similar to those in the EU's GDPR. These laws do not commence until 2020, and further regulatory measures are expected that may clarify how they will affect existing data breach notification obligations.
Singapore: Personal Data Protection Act amendments
The protection of personal data is regulated in Singapore under the Personal Data Protection Act, but currently there are no mandatory notification requirements in place and only voluntary guidelines apply.
The relevant regulator is the Personal Data Protection Commission (PDPC), which in February 2018 released its response to consultations on the introduction of mandatory data breach notification laws in Singapore.
The intended scope of the new laws will require notification to both affected individuals and the PDPC of any breach that is likely to result in significant harm or impact to the individuals to whom the information relates. Additional notification to the PDPC (regardless of the impact on individuals) will be required for breaches of "significant scale". While the consultations proposed that this additional notification would be required where more than 500 individuals were affected, based on the responses the PDPC has decided not to implement a fixed number.
The proposed timeframe for notification under the Singaporean regulation will mirror that in Australia (referring to "as soon as practicable"), but will adopt the GDPR's 72-hour requirement for notifications to the PDPC, and will also adopt the obligation for processors to inform the relevant data controller of breaches.