If and when a personal data breach occurs, what are your requirements under the law? As a growing business, you need to identify the breach notification laws that apply to you and build their requirements into your privacy program.
Now that you're familiar with the basics of incident response, let's catch up on five breach notification laws that your growing business should keep in mind when building your incident response plan.
European Union (EU) General Data Protection Regulation (GDPR)
The EU’s GDPR defines a personal data breach as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed” – GDPR Article 4(12)
When a personal data breach affects the personal data of EU data subjects, the GDPR requires the data controller (the company that determines the purposes and means of processing personal data) to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). A notification made later than 72 hours must be accompanied by the reasons for the delay. Affected data subjects must be informed without undue delay only when the breach is likely to result in a high risk to their rights and freedoms (Article 34). A processor that discovers a breach must notify its controller without undue delay. Whether or not a notification is made, the controller must document the facts of the breach, its effects, and the remedial action taken, so that the supervisory authority can verify compliance.
A breach notification under the GDPR should include:
- The nature of the breach, including how it happened and, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records involved
- The name and contact details of your company's Data Protection Officer or another contact point where more information can be obtained
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects
To make notification easier, prepare notification templates covering these points in advance, so that the 72-hour window is spent establishing the facts rather than drafting from scratch.
California Consumer Privacy Act (CCPA)
Although not technically part of the CCPA, §1798.82 of the California Civil Code requires businesses to notify affected California residents of a breach of their personal information, and to notify the California Attorney General when more than 500 California residents are notified in a single breach. The CCPA's private right of action (Section 1798.150) builds on this requirement: consumers may bring a civil action if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices. Before seeking statutory damages, the consumer must give the business 30 days' written notice identifying the violation; if the business cures the violation within that period, no action for individual statutory damages may be brought.
Breach notifications under §1798.82 must be written in plain language, titled "Notice of Data Breach", and made in the most expedient time possible and without unreasonable delay. The notice must be organized under the following headings:
- What happened
- What information was involved
- What you are doing to resolve the breach
- What consumers can do to protect their personal information
- Contact details for further information regarding the breach
Brazil’s General Data Protection Law (LGPD)
The "Lei Geral de Proteção de Dados" or LGPD requires controllers to notify Brazil's national data protection authority (ANPD) and the affected data subjects of any security incident that may create risk or relevant damage to data subjects (Article 48). Unlike the GDPR, the LGPD itself sets no fixed deadline: Article 48 requires communication within a "reasonable time period" to be defined by the ANPD, so check the ANPD's current regulations for the deadline that applies to you.
LGPD notifications should be made in a timely manner and include, at a minimum:
- The nature of the affected personal data
- Information on the data subjects involved
- Indication of the technical and security measures used to protect the data
- Any risks relating to the breach
- Measures adopted to reverse or mitigate the effects of the incident
- Reasons for any delay, where the notification was not immediate
Thailand’s Personal Data Protection Act (PDPA)
For those operating in Thailand, the PDPA also sets out breach notification requirements you should keep in mind.
Like the GDPR, the PDPA requires data processors to notify the data controller of any personal data breach, and requires data controllers to notify the Office of the Personal Data Protection Committee (PDPC) without delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, the controller must also inform the affected individuals without delay, together with the remedial measures taken to address the breach. Beyond that, the law itself says little about the content of the notification. The PDPC is preparing detailed guidance; until it is issued, it is reasonable to include the same details that are notifiable under the GDPR or the LGPD.
Health Insurance Portability and Accountability Act (HIPAA)
If you operate in the US and store patient information, then this is one to be aware of.
The HIPAA Breach Notification Rule applies to covered entities (health plans, health care clearinghouses and most health care providers) and their business associates. An impermissible use or disclosure of unsecured protected health information (PHI) is presumed to be a breach unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. If a breach affects 500 or more individuals, the covered entity must also notify the Secretary of the U.S. Department of Health & Human Services (HHS) within the same 60-day window and, if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area; breaches affecting fewer than 500 individuals are logged and reported to HHS annually. A business associate (i.e. a vendor or service provider) that discovers a breach must notify the covered entity, not the individuals, without unreasonable delay and no later than 60 days after discovery. Notice to individuals is sent by first-class mail, or by email if the individual has agreed to receive electronic notice. Where contact information is out of date or insufficient for 10 or more individuals, substitute notice is required: a conspicuous posting on the covered entity's website home page or in major media for 90 days, together with a toll-free number, active for at least 90 days, through which individuals can learn whether their information was involved. The notice to individuals must include:
- A description of what happened including the dates of the breach and how it was discovered
- A description of the affected health information, including the impacted categories
- A brief description of how the business is investigating and mitigating the breach, and measures in place to protect against further breaches
- The steps individuals should take to protect themselves from potential harm
- Contact details and instructions for how individuals can ask questions or receive more information regarding the breach
In general, many breach notification requirements share similarities: a defined trigger, a deadline that starts when you become aware of the breach, and a fixed set of facts the notice must contain. Still, as the landscape of global data breach notification laws continues to evolve, your growing business must keep up with new and updated breach notification laws as you expand into new territories.
Next, let’s dive into what it takes to build an incident response plan for your growing business. Check out part 3 of the series, A Beginner’s Guide to Incident Response: Everything You Need to Know.