Data Breach Response
Critical notification requirements
How it works
- Tracking detailed notification requirements across 100+ jurisdictions
- Global coverage includes the EU and United States
- State by state analysis for the United States
- Maintained by a team of dedicated senior lawyers as part of Rulefinder Data Privacy
The application
When it comes to data breaches, the conventional wisdom is that it is a question of when, not if, an organisation will suffer one. Notifying the regulator and affected individuals in accordance with local law is a key part of every organisation’s breach response plan. Handling data breach notification requirements correctly can avoid fines and other sanctions that can run into millions of dollars, and minimise reputational damage.
How it helps
Breach notification rules vary across the globe, and the lack of a single rule book, together with the short time frames for reporting, makes keeping on top of breach notification requirements challenging. In the United States alone, for example, breach notification laws vary across all 50 states.
Coverage
aosphere’s Breach Response application pulls together the breach notification reporting requirements in 60+ jurisdictions and all US states, and highlights in an instant when there is a requirement to notify the regulator or affected individuals and applicable time limits.
A sample of the information
Jurisdiction | Notification to individuals: requirement to notify? | Threshold | Time limit | Notification to the regulator: requirement to notify? | Threshold | Time limit
California | Yes | Unauthorised acquisition of data | ASAP | Yes | >500 residents affected | None
Canada | Yes | Risk of significant harm | ASAP | Yes | Risk of significant harm | ASAP
China | Yes | Leakage, damage or loss of data | Immediately | Yes | Leakage, damage or loss of data | 24 hours
Germany | Yes | High risk to individuals | ASAP | Yes | Risk to individuals | 72 hours*
India | No | N/A | N/A | Yes | All cyber incidents notifiable | 6 hours from noticing or being notified
United Kingdom | Yes | High risk to individuals | ASAP | Yes | Risk to individuals | 72 hours
* See the Germany commentary below for how the 72-hour deadline is counted.
Sample commentary: California
As of: 28 October, 2021
What breaches are covered?
- Data security breach: any unauthorised acquisition of computerised data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.
- Affected information: the security breach must involve either:
(A) an individual’s first name or first initial and their last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver’s license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; health insurance information; information or data collected through the use or operation of an automated license plate recognition system; or
(B) a username or email address in combination with a password or security question and answer that would permit access to an online account.
Do I need to notify the regulator?
- Requirement to notify: the California Attorney General must be provided with a sample copy of the notification (with no personally identifying information included) if an entity is required to notify more than 500 residents.
- Form and content of notification: organisations should use the sample notification form (which is designed for notifying individuals); it must be submitted electronically via the Attorney General's website.
- Time limit: no time limit specified.
Do I need to notify individuals?
- Requirement to notify: a business that conducts business in California, and that owns or licenses computerised data that includes personal information, must disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California: (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person; or (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorised person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. There is no minimum harm threshold.
- Form and content of notification: a sample notification form (for individuals) is available. The notification can be made by post or electronically, and must include at least the following information: name and contact information of the reporting person or business; a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; if the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred; date of the notice; whether notification was delayed as a result of a law enforcement investigation, if possible to determine; a general description of the breach incident, if that information is possible to determine at the time the notice is provided; and the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
Alternate forms of notification may be permissible.
- Time limit: notification must be given in the most expeditious way possible and without unreasonable delay.
Other considerations
- Other actions: If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, must be provided at no cost to the affected person for not less than 12 months.
Sample commentary: Canada
As of: 28 October, 2021
Please note: this information reflects the position under Canada's federal data privacy legislation (PIPEDA). For the position in Alberta, please refer to the Canada Survey (H1.1 - H1.10) on the Rulefinder Data Privacy site. There is currently no statutory obligation in British Columbia or in Quebec to notify a personal data breach.
What breaches are covered?
- Personal data breach: the loss of, unauthorised access to, or disclosure of personal information resulting from a breach or failure of personal information security safeguards, or from a failure to establish those safeguards.
Do I need to notify the regulator?
- Requirement to notify: a breach must be notified to the Office of the Privacy Commissioner of Canada (OPC) if it creates a real risk of significant harm to affected individuals. In assessing whether a real risk of significant harm exists, organisations must consider all relevant factors, including the sensitivity of the affected information and the probability that it will be misused.
- Form and content of notification: notification must be in writing via any secure means, but email is preferred (notification@priv.gc.ca), setting out: information regarding the circumstances of the breach; timings; affected information; number of affected individuals; steps taken to reduce risks; steps taken to notify individuals; and contact details. The OPC recommends (but does not require) the use of an online form.
- Time limit: as soon as feasible after determining that a personal data breach has occurred.
Do I need to notify individuals?
- Requirement to notify: organisations must notify individuals of any personal data breach which creates a real risk of significant harm to the individual.
- Form and content of notification: no specific form or required language, but the notification must be conspicuous and given directly to the affected individual. Indirect notification accepted where direct notification would cause further harm to the individual, undue hardship to the affected organisation, or where no contact details are available. The notification must set out: the circumstances of the breach; when the breach occurred; a description of affected personal information; steps taken to mitigate risks; steps individuals can take to mitigate risks; and contact information for further information.
- Time limit: as soon as feasible after determining that a personal data breach has occurred.
Notification by/of third parties
- The organisation responsible for the personal information (and not the service provider) is responsible for notifications.
Other considerations
- Critical infrastructure: N/A
- Sanctions: if an organisation knowingly fails to notify the OPC or an individual as required, they may be guilty of an offence punishable on summary conviction and liable to a fine not exceeding C$10,000 or an indictable offence and liable to a fine not exceeding C$100,000.
- Other actions: records of all personal data breaches must be created and maintained for 24 months.
Sample commentary: China
As of: 29 June, 2021
What breaches are covered?
- Personal data breach: the leakage of, damage to, or loss of personal information.
Do I need to notify the regulator?
- Requirement to notify: Under the PIPL, the Cyber Security Law, the Decision on Strengthening Information Protection on Networks and the E-Commerce Law, organisations must report personal data incidents which result in data leakage, damage or loss to the competent regulator. See China Survey H1.4, and PIPL Update: Breach response, for details.
- Form and content of notification: The relevant laws do not address the form or method of notification. See China Survey H1.4, and PIPL Update: Breach response, for information to be provided under the PI Security Specification (recommended national standard).
- Time limit: the local Ministry of Public Security authority must be notified within 24 hours. Notification to the Cyberspace Administration of China is recommended (no time limit).
Do I need to notify individuals?
- Requirement to notify: Affected individuals must be notified immediately. If remedial measures are taken to effectively avoid the harm caused by an incident, there is no obligation to notify individuals. The PI Security Specification (recommended national standard) requires notification of individuals if a security incident may cause serious damage to the individual’s rights and interests.
- Form and content of notification: No mandatory form or method, though it is recommended that communication be by direct means. The notice should include the following items: (1) type of incident, reasons for it, and possible harm caused by it; (2) remedial measures taken, and measures that individuals can take to reduce harm; (3) contact information of the affected entity.
- Time limit: Immediately (not defined).
Other considerations
- Critical infrastructure: Critical information infrastructure operators are subject to additional requirements. Any major cyber incident must be reported to the police and to the relevant regulators charged with protecting critical infrastructure.
- Other actions: Records must be kept of both the incident and the response to it. Under the PIPL, where a personal data breach occurs, the data controller must immediately take remedial measures.
- Sanctions: Under the PIPL fines can reach up to a maximum of 50 million RMB (c.7.5 million USD) or 5% of annual turnover for a severe breach of the legislation (though not specifically related to failure to notify data breaches). Failure to notify is not a criminal offence.
Sample commentary: Germany
As of: 28 September, 2021
What breaches are covered?
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Do I need to notify the regulator?
- Requirement to notify: the relevant state regulator must be notified unless the breach is unlikely to result in a risk to the interests of individuals (considering the type of breach; the affected information; the severity of consequences; and the characteristics, identifiability and number of affected individuals). Note: for breaches affecting multiple European jurisdictions, the notification must be made to the competent supervisory authority under the European 'one-stop-shop' mechanism for notifications.
- Form and content of notification: notification to the relevant state supervisory authority can be made by way of an electronic form which is available from each state authority's website. See the Germany Survey (H1.4(C)) for a list of supervisory authorities and forms to be used.
- Time limit: without undue delay and, where feasible, not later than 72 hours* after becoming aware of the breach.
* In addition, the supervisory authorities of North Rhine-Westphalia and Bavaria have clarified that Sundays and bank holidays do not extend the 72-hour deadline. In North Rhine-Westphalia the 72 hours start in the hour after the data breach occurred, whereas in Bavaria they start at midnight of the following day.
Do I need to notify individuals?
- Requirement to notify: affected individuals must be notified if the breach is likely to result in a high risk to those individuals. Notification is not required where either: the affected personal data is unintelligible to any person who is not authorised to access it (e.g. because it is encrypted); or remedial action means the high risk to individuals is no longer likely to materialise.
- Form and content of notification: no specified form, but notification must be concise, transparent, intelligible and easily accessible. Unless disproportionate, notification must be communicated directly to affected individuals, either electronically or orally. The notification must include: a description of the breach; a point of contact for further information; a description of likely consequences; and a description of measures taken in response to the incident.
- Time limit: no quantifiable mandatory time limit - the data controller must notify individuals “without undue delay.”
Notification by/of third parties
- A service provider (data processor) must notify a data controller of any personal data breach without undue delay, and assist in complying with GDPR data breach response obligations.
Other considerations
- Critical infrastructure: operators of essential services and digital service providers must, pursuant to the EU NIS Directive 2016/1148, notify - without undue delay - the Federal Office for Information Security.
- Other actions: the breach, and related decisions and remedial actions, must be documented. The affected controller should consider the role of any works council in determining the breach response/notification process.
- Sanctions: administrative GDPR fines (of up to EUR 10m or 2% of global turnover) for a failure to notify a breach. No criminal liability in Germany for failure to notify.
Sample commentary: India
As of: 12 April, 2021
What breaches are covered?
- Cyber-security incident: any real or suspected adverse cyber-security event, that violates an explicit or implicit security policy, resulting in unauthorised access, denial of service or disruption, unauthorised use of an information storage resource, or unauthorised changes to data.
Do I need to notify the regulator?
- Requirement to notify: incidents are notifiable to the Indian Computer Emergency Response Team (CERT-In). See India report for further details.
- Form and content of notification: a non-mandatory incident reporting form is available online. Reports to CERT-In must be made either (i) by email, to incident@cert-in.org.in; or (ii) by mail/fax to CERT-In, Electronics Niketan, CGO Complex, New Delhi 110003 (Fax: +91-11-24368546).
- Time limit: no prescribed time limits, but notification should be made as early as possible.
Do I need to notify individuals?
- Requirement to notify: no requirement to notify individuals.
- Form and content of notification: N/A
- Time limit: N/A
Notification by/of third parties
- As above.
Other considerations
- Critical infrastructure: relevant critical infrastructure organisations must notify the NCIIPC, which has issued a Standard Operating Procedure (SOP) for incident response, available online.
- Other actions: N/A
- Sanctions: failure to notify a cyber-security incident in accordance with the CERT-In Rules and the Intermediary Guidelines is punishable with a penalty of INR 25,000; it is not a criminal offence.
Sample commentary: United Kingdom
As of: 18 November, 2021
What breaches are covered?
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Do I need to notify the regulator?
- Requirement to notify: the UK Information Commissioner's Office (ICO) must be notified unless the breach is unlikely to result in a risk to the interests of individuals (considering the type of breach; the affected information; the severity of consequences; and the characteristics, identifiability and number of affected individuals).
- Form and content of notification: an optional online form is available, together with guidance. The ICO advises data controllers to report a breach by calling the ICO helpline or by using the online form.
- Time limit: without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
Do I need to notify individuals?
- Requirement to notify: affected individuals must be notified if the breach is likely to result in a high risk to those individuals. Notification is not required where either: the affected personal data has been protected by technical and organisational measures which make the information unintelligible to any person who is not authorised to access it (such as encryption); or the affected organisation has taken measures to ensure that the high risk to individuals is no longer likely to materialise.
There are further exemptions under UK law, which provide that notification is not required: where the affected personal data is processed for certain purposes, including the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of a tax or duty or a similar imposition; or where the data is processed for journalistic, academic, artistic or literary purposes.
- Form and content of notification: no specified form, but notification must be concise, transparent, intelligible and easily accessible. Unless disproportionate, notification must be communicated directly to affected individuals, either electronically or orally. The notification must include: a description of the breach; a point of contact for further information; a description of likely consequences; and a description of measures taken in response to the incident.
- Time limit: no quantifiable mandatory time limit - the data controller must notify individuals "without undue delay."
Notification by/of third parties
- A service provider (data processor) must notify a data controller of any personal data breach without undue delay, and assist in complying with UK GDPR data breach response obligations.
Other considerations
- Critical infrastructure: operators of essential services and digital service providers are under a separate obligation to notify the relevant competent authority, without undue delay and within 72 hours, of any incident that has a significant impact on the continuity of the essential services provided. Under the Privacy and Electronic Communications Regulations, internet service providers and providers of public electronic communications services must notify the ICO within 24 hours.
- Other actions: the breach, and related decisions and remedial actions (which are mandatory), must be documented.
- Sanctions: UK GDPR fines (of up to GBP 8.7m or 2% of global turnover, the UK equivalent of the EUR 10m tier) for a failure to notify a notifiable personal data breach. Failure to notify is not a criminal offence in the UK.