U.S. state laws and the EU’s General Data Protection Regulation (“GDPR”) both shape how a data breach must be handled and how it must be notified to the affected individuals and, where required, to regulators. Because these requirements differ, a corporation cannot rely on a single, all-encompassing procedure for addressing data breaches.
Each breach has to be dealt with on a case-by-case basis: determining which jurisdictions’ laws apply to the affected individuals, addressing the logistical challenges of the notification procedure, and handling any subsequent investigations and litigation. All of these steps are mandatory if compliance is to be maintained in the event of a data breach.
In the U.S., California was the first state to enact a breach notification law (enacted in 2002 and effective from 2003); every other state has since passed some form of breach notification law operating in its jurisdiction. A review of the state laws shows considerable commonality in the information covered, the reporting prompts or triggers, the threshold for regulatory reporting, and the content and timing of notifications.
The GDPR, which became applicable in May 2018, introduced the European Union’s first general, cross-sector data breach notification obligation. On many fronts it is quite similar to the U.S. state laws. However, distinctions can be drawn on triggers, thresholds, timing and the regulatory landscape that companies handling data breaches must navigate.
This article examines the nuances and key differences between the breach notification requirements placed on companies by Articles 33 and 34 of the GDPR and those of the U.S. state data breach notification regimes.
The first question a company must answer is whether, under the jurisdiction concerned, the incident meets the definition of a notifiable “breach”, beginning with whether the data involved is of a covered type. Under the U.S. state laws, notification is generally triggered by a defined list of data elements: an individual’s name in combination with some other piece of information, such as a Social Security number, a government-issued ID number, or financial information such as a bank account number or a payment card number. Some states have expanded their lists with further elements such as biometric data, online account credentials or date of birth. U.S. privacy law is also sectoral, so corporations must additionally comply with federal laws such as HIPAA, GLBA or the Communications Act, or their state equivalents, where the breached data falls within the scope of any of those laws.
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This definition is much broader and covers items such as email addresses and passwords, “online identifiers”, and the physical, economic, cultural or social characteristics that distinguish one individual from another. Several countries around the world have adopted the GDPR approach and applied this broader definition of personal data in their own breach notification laws.
The implication of such a broad trigger is that many more events can give rise to a notification obligation, which in turn shapes the focus of the investigation. In the U.S., where the laws prescribe a definitive list of data elements, the investigation will prioritize determining which types of personal information were compromised. In the EU, the focus will be on the scale and sensitivity of the personal data involved and the resulting risk to the affected individuals.
Under U.S. state laws, breach notification is generally triggered by “unauthorized access” to or “unauthorized acquisition” of personal information. Several, but not all, states also apply a risk-of-harm threshold, under which notification is required only if the data could be misused or the incident is otherwise likely to cause harm to the individual, such as fraud or identity theft. State legislatures have, however, given little guidance on how to determine whether a “breach” has occurred or whether the risk-of-harm threshold has been met.
The GDPR specifies that notification obligations are triggered by a “personal data breach”, defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It prescribes two risk thresholds: notification to the supervisory authority is required unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33), while communication to the affected individuals is required where the breach is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 34). Guidance endorsed by the European Data Protection Board clarifies that “destruction” means the data “no longer exists” or “no longer exists in a form that is of any use to the controller”, and that “loss” occurs where the data may still exist but the controller has lost control of or access to it, or no longer has it in its possession.
In the U.S., a well-developed framework for attorney-client privilege and work-product protection has emerged from decades of litigation and investigations. In the EU, the concepts of privilege are less developed and vary from Member State to Member State; in EU competition proceedings, for instance, communications with in-house counsel do not attract privilege at all (Akzo Nobel v Commission, 2010). Such differences are likely to have practical ramifications when a data breach is followed by regulatory inquiries and investigations.
A regulatory authority may, for example, request a copy of the investigation report, and the company must then decide whether to hand over the report or to claim privilege over it. A claim of privilege will be difficult to sustain in a jurisdiction where privilege protections are less developed. The protections available in a jurisdiction will also influence whether, and through whom, a third party is engaged to assess the breach and prepare the investigation report for the company.
Under the GDPR, a controller must notify the supervisory authority within 72 hours of becoming “aware” of a personal data breach, where feasible; a later notification must be accompanied by reasons for the delay, and the required information may be provided in phases. A controller becomes “aware” when it has a “reasonable degree of certainty” that a security incident has occurred and has led to personal data being compromised; no more elaborate standard of awareness applies, and a short period of investigation to establish whether a breach has in fact occurred is permitted when an incident is first detected. The GDPR also expects appropriate technical and organisational measures to be in place before any breach (Article 32), and where such measures, encryption for example, render the data unintelligible to unauthorized persons, communication to the affected individuals may not be required (Article 34(3)).
In the U.S., most states require notice “in the most expedient time possible and without unreasonable delay” rather than within a fixed period, with 30 days often treated as a reasonable benchmark. Some states do fix an outer limit: Florida, for example, requires notification within 30 days and Delaware within 60 days of determining that a breach has occurred. No state law imposes a deadline as short as the GDPR’s 72 hours, although sectoral rules such as the New York Department of Financial Services cybersecurity regulation, which also requires notice within 72 hours, are an exception.
Thus, while the GDPR deadline is uniform across the EU, it is very short and brings practical challenges. Organizations need a plan in place for detecting, triaging and escalating security incidents quickly, because managing everything from identification to notification within the stipulated period is otherwise hard to execute. Many companies therefore choose to notify out of caution rather than on a firm belief that a breach has actually occurred: they would rather meet the 72-hour deadline and later withdraw or amend the notification if the incident turns out to be a non-issue.
The regulatory landscapes in the U.S. and the EU also differ significantly. In the U.S., each state’s attorney general enforces its laws generally; in most states no regulator is dedicated exclusively to data protection. These authorities currently do not conduct data protection audits or maintain ongoing relationships with companies regarding their data protection policies or technical controls.
The GDPR, on the other hand, requires breach notifications to be made to a supervisory authority that specifically regulates data protection. Such an authority is more likely to audit or review a company after a breach and to have a pre-existing relationship with the company on data protection matters. These differences shape a corporation’s regulatory response: in a GDPR matter the competent supervisory authority is the designated recipient of the notification, whereas in the U.S. the notification typically goes to the state attorney general.
Beyond the differences above, the GDPR imposes a documentation requirement: under Article 33(5), controllers must document every personal data breach, whether or not it is notified, so as to enable the supervisory authority to “verify compliance”. U.S. state laws contain no such explicit requirement, although organisations may document incidents voluntarily. The GDPR also allows a supervisory authority to override a company’s decision not to communicate a breach to the affected individuals and to require that it do so (Article 34(4)). U.S. state authorities have no equivalent power, though an attorney general can achieve a similar effect through enforcement action and penalties.
To conclude, the differences between the U.S. state data breach notification regime and the GDPR are not merely compliance burdens; they require corporations to take different approaches to the types of information, the incidents, the investigation processes and the notification mechanisms involved. Planning proactively for global incidents, rather than relying on a single approach for all jurisdictions, will prepare a corporation technically and legally to maintain compliance even during unforeseen data incidents.
This article was written by Aryashree Kunhambu