Global Data Breach Notification Guide
Global data breach notification requirements pose critical issues for legal departments, senior managers, and boards of companies in all industry sectors worldwide. The current environment creates a perfect storm with more data security threats, more vulnerabilities, and more data breach notification requirements.
The threats are diverse and ever-changing. Threat actors range from nation states pursuing economic gain or political aims, to individual hackers or collectives motivated by profit, challenge, or enjoyment, to employees or other insiders seeking revenge, financial reward, or other goals. The means of attack are also expanding, and range from spear phishing and social engineering, to man-in-the-middle and distributed denial of service (DDoS) attacks, and more. Intruders are searching for new and innovative ways to introduce malware into company systems, to steal, corrupt, or delete personal information, trade secrets, or other confidential information, and to otherwise cause harm.
The vulnerabilities are expanding as global organizations increasingly leverage data as a source of revenue and, in the process, expand the surface area for potential attacks. For example, the Internet of Things (IoT) enables companies to attach network-addressable sensors to everything from home appliances to cars to pills that patients ingest. Companies are pursuing this connectivity as a business imperative to find new ways to track behavior, optimize resource consumption, utilize sensor-driven analytics, and monetize available data. Estimates indicate there will be as many as 50 billion devices connected to the Internet by 2020. That is multiples of today’s numbers, meaning billions more devices that can be compromised, each a potential point of entry into the data they collect and the systems they connect to.
Data breach notification requirements create significant corporate risk in this environment. Amidst the expansion of global threats and vulnerabilities, an increasing array of these data breach notification requirements are emerging around the world. California established the first data breach notification obligation in 2003 for a relatively narrow set of highly sensitive personal information, including unencrypted Social Security Numbers and other government identifiers, financial account numbers (such as credit cards) together with the corresponding security codes, and the like. Since then, California has expanded the range of data types covered by its law, and the vast majority of US states have enacted similar data breach notification laws. Non-US jurisdictions have also increasingly incorporated the concept of data breach notification into their “omnibus” data protection regimes, which by their definitions apply to a broad range of information about identified or identifiable individuals. Many of these regimes establish short timelines to respond, duties to notify regulatory authorities, and content and procedural rules for notification. Some of the emerging rules also reach beyond unauthorized access to unauthorized loss, destruction, or processing of data, which may cover intrusions that destroy or corrupt data, as well as activities by otherwise authorized users that exceed the boundaries of their authorization. Perhaps most notably, as of May 25, 2018, the European Union's General Data Protection Regulation (“GDPR”) requires controllers to notify the competent supervisory authority of a breach of a broad array of different types of personal data, across all industry sectors, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals; where the risk is high, affected individuals must be notified as well.
The risks to companies in the context of a data breach are significant. Key concerns include reputational harm, adverse media attention, and customer churn; class actions and other claims from consumers, employees, corporate customers, financial institutions, and shareholders; and regulatory and law enforcement actions. As such, preparation is critical. Companies should address the potential for data security incidents throughout the full life cycle of information management, from product and application design, to initial data collection and use, to record retention and secure disposal. Companies should also proactively align incident response policies, legal counsel, forensic providers, identity theft protection services, public relations firms, and other resources in advance, so that when an incident occurs the facts needed to assess notification obligations can be established within the short statutory timelines.
Baker & McKenzie provides this Global Data Breach Notification Guide as a resource for companies to benchmark the ever expanding range of global breach notification requirements. As always, a guide is not a substitute for legal advice, and in the event of an actual or potential incident, companies need to engage qualified counsel to advise on the application of local breach notification and other requirements to their particular circumstances.
We hope you keep this Global Data Breach Notification Guide close at hand, and alongside your copy of the Baker McKenzie Global Privacy Handbook, as well as the Baker McKenzie EU GDPR Game Changers, the EU GDPR National Legislation Survey, the Baker McKenzie Global Surveillance Law Comparison, and the Baker McKenzie Global Data Protection Enforcement Report. Visit www.bakerinform.com for recent developments on global data privacy, security, and information management issues. And, please do contact any member of the Baker & McKenzie Global IT/C Data Security Leadership Team with any questions, or your usual Baker & McKenzie contact.
Chair, Global IT/C Data Security Working Group