Breach Reporting Landscape Becoming Global Minefield
The Equifax Impact - 30 Day Rule - Fed. Law Coming?
US - Canada Nov 1st - EU - Australia
The past year has ushered in big changes to how companies around the world must
report data breaches, with jurisdictions from Colorado to Canada establishing
new requirements that further complicate an already fragmented global regime.
Since the beginning of the year, companies' breach reporting obligations have
expanded from having to comply with a patchwork of laws in the U.S. to
scrambling to ensure that their incident response plans include consumers and
regulators in the European Union, Australia and Canada.
The shift is being fueled in large part by the growing prevalence of large-scale
data breaches such as the one at Equifax, which exposed personal data belonging
to nearly half of the U.S. population, and shifting attitudes among policymakers
about companies' obligations in safeguarding consumers' information, according
to attorneys who help guide companies through this increasingly complex global
maze.
"We're seeing an expansion of the breach notification landscape because there's
a lot more concern around consumer privacy and a lot more jurisdictions, in
particular outside the U.S., that are giving a lot more thought around privacy
being a right that consumers have," said Paul Hastings LLP partner Sherrese
Smith, who is based in Washington, D.C. "So more countries are accordingly
feeling more inclined to try to be more protective of consumers' privacy
rights."
But while these laws all have the same general purpose, their requirements for
disseminating alerts vary greatly, leaving companies that operate globally with
the tricky task of figuring out how to navigate nuances in breach reporting
triggers, timelines and methods.
"Companies have an awareness that they have to report in the EU and the U.S. and
in Canada beginning Nov. 1, so the question we've been getting is couldn't we
put all those requirements into one plan and have one standard that says in
these set of circumstances, we can report like this," said VLP Law Group LLP
partner Melissa Krasnow, who is based in Minneapolis. "But unfortunately, it
doesn't work that way."
In order to keep their various reporting plans as current as possible and help
dodge the enhanced liability risks that these laws bring, it's vital for
companies to keep abreast of both well-publicized developments, such as ongoing
efforts to update data breach laws on the books in U.S. states, and those that
may not get as much hype, including notification requirements that may emerge in
the coming years in jurisdictions such as India and Brazil, attorneys say.
"We are continually preparing for the next level of obligations," said Bennett
Jones LLP partner Stephen D. Burns, who is based in Calgary, Alberta. "Because
the requirements in this space are evolving rapidly, you never truly achieve
compliance in this space. You're always addressing the evolution."
Here, Law360 digs into several well-known and under-the-radar changes to the
global breach reporting landscape and how companies are planning to cope.
U.S. Reporting Requirements Hit All 50 States
The U.S. has long been at the forefront of breach notification obligations, with
California in 2003 becoming the first jurisdiction to formally require
businesses to report these incidents. Since then, the trend has steadily spread
across the U.S., with Alabama earlier this year becoming the final state to put
a breach reporting law on the books.
"The U.S. has a very mature framework around breach notification, as we were
first out of the box, and since then breach notification has come to be
recognized as an integral part of any comprehensive data protection regime,"
said Lisa Sotto, who chairs Hunton Andrews Kurth LLP's privacy and cybersecurity
practice and is the managing partner of the firm's New York office.
While Alabama was the last to join the fray, the state made up for lost time by
enacting one of the strictest breach reporting laws in the country. Under the
law, which took effect June 1, companies are required to notify Alabama
consumers within 45 days of discovering a breach if it is "reasonably likely" to
cause affected individuals "substantial harm." They also need to notify the
state's attorney general if the breach impacts more than 1,000 residents and to
maintain "reasonable data security measures" to safeguard personally identifying
information.
Alabama wasn't the only U.S. state busy with breach reporting this year. Earlier
this year, South Dakota became the 49th state to enact a breach reporting law,
and Arizona, Colorado, Louisiana, Nebraska, Oregon and Virginia have also
amended existing notification statutes in 2018.
The amended Colorado law, which takes effect Sept. 1, is particularly notable
for its tight breach reporting window and broad scope, according to attorneys,
including Colorado-based Ballard Spahr LLP partner David Stauss, who helped
draft the law.
"If you track the state laws that have been amended recently, a lot of the
talk revolves around the Equifax breach," said Stauss, who served as an
outside subject matter expert for the state attorney general's office and the
bill's sponsors during the legislative process. "And when this bill went before
the Colorado Assembly, the word Equifax came up within the first minute of the
hearing."
With the new law, Colorado joins Florida as the only states to require reporting
of a breach to consumers and the state attorney general within 30 days, the
shortest time frame currently on the books in the U.S. The law also expands the
definition of personal information to include biometric data and any information
that could unlock an online or banking account and requires that companies take
"reasonable" steps to protect the personal data that they have, including data
that is shared with third parties.
"Other states may look at some decisions made by the Colorado Legislature, such
as the 30-day notification window and the decision not to exempt companies
covered by federal health and banking laws, and those may serve as a tipping
point on those issues," said Stauss, who noted that several lawmakers wanted a
shorter breach reporting deadline before lawmakers ultimately settled on the
30-day threshold.
Sotto noted that, with the Florida law already on the books — which has a 30-day
notification deadline, but allows for an additional 15 days "under certain
circumstances" — her team in many instances already "usually considers 30 days
to be when we strive to come out with a notification."
With breach laws now live in all 50 states, along with four U.S. territories,
attention is likely to shift again to the federal level, where several attempts
to enact not only a national breach reporting standard but also uniform data
security rules — which are on the books in 20 states and counting — have fallen
short during the past decade.
While the massive Equifax breach wasn't enough to get federal data breach
notification and security notification legislation across the finish line,
attorneys say that prospects continue to grow as big tech companies slowly scale
back their opposition to such rules in the wake of expanding state requirements,
including a stringent new privacy law set to take effect in California in 2020.
"The odds of a federal breach reporting standard have increased a bit, going
from maybe zero to 20 percent, but that's still not exactly a home run," Stauss
said.
EU Sets Tightest Reporting Window - The 72 Hour Rule
While mandatory breach reporting has been a reality in some EU countries,
including Germany and more recently the Netherlands, for years, the landscape
dramatically shifted on May 25, when the implementation of the bloc's General
Data Protection Regulation made breach notification a bloc-wide requirement.
"GDPR is a game-changer, without question," Sotto said.
Under Article 33 of the GDPR, companies that hold personal data have 72 hours
from the time they become aware of a breach that is likely to result in a high
risk to individuals' privacy rights to notify the relevant national data
protection authority of the incident, and also must tell any affected
individuals "without undue delay."
The 72-hour reporting window is by far the shortest of any global breach
notification law and has already proven tricky for businesses to handle during
its short life span, attorneys say.
"Historically the U.S. has presented the biggest challenge, and overseas we have
not found notification to be particularly complex aside from understanding
various jurisdictions' requirements," Sotto said. "But the 72-hour timing
trigger has really changed that calculus." Many have found taking proactive
stock of the data they hold and where it's located, and preparing an EU-specific
incident response plan, to be helpful in overcoming the tight reporting time
frame, attorneys say.
"While having an incident response plan in place is not technically required, if
as a data controller you have to report a personal data breach in the EU within
72 hours, then it's really helpful to have a road map to help guide you,"
Krasnow said.
The EU law also requires businesses to be able to quickly determine what
national data protection authority they're supposed to report to within that
initial three-day window, according to BakerHostetler partner Laura Jehl, who is
co-leader of the firm's GDPR initiative.
"And then, of course, [they have to] hope the reporting portal is available in
English or that they have readily available translation services, as well as
consider their current compliance posture and any risks reporting might
present," Jehl said.
Although no other jurisdiction has moved to set a breach reporting deadline as
short as the EU's, attorneys say they'll be watching closely to see if that
changes as more experience is gained with the 72-hour requirement.
"It wouldn't be surprising if other countries with existing breach notification
obligations were to rethink the timing requirements in light of GDPR and decide
that they may want to expedite the breach notification timing," Sotto said.
Canada's Breach Reporting Goes Nationwide - Coming Nov 1st - "As soon as possible" rule
New 'Privacy Commissioner' will investigate & audit
Beginning Nov. 1, businesses that have a data breach that impacts any
Canadian resident will face a new obligation to report to the country's
Privacy Commissioner and to affected individuals "as soon as feasible" for
incidents that create "a real risk of significant harm."
"There's been so much talk about the GDPR, but there hasn't been the same level
of focus on the Canadian breach notification law," Krasnow said.
Companies that do business in Alberta "already have deep experience with this
kind of regime," given that the province has had a mandatory breach reporting
requirement on the books since 2010, noted Calgary-based Bennett Jones partner
Martin Kratz.
But the new Canadian law is more prescriptive than its Alberta counterpart in
terms of what exactly has to be reported to the Canadian Privacy Commissioner
and to individuals, according to Kratz.
"The federal law builds on the Alberta law and takes it to the next step,"
Burns, the other Bennett Jones partner, said.
The national law, which was enacted in large part to help Canada maintain its
adequacy status with the EU, is expected to result in many of the same changes
that occurred with the birth of the Alberta law eight years ago, including an
uptick in breach disclosures, increased attention being paid by companies to
data security, more aggressive enforcement, and strengthened relationships
between companies and privacy authorities.
"Obviously, having a federal mandatory breach notification regime is going to
change the landscape," said Wendy Mee, a Toronto-based partner at Blake Cassels
& Graydon LLP. "The federal Privacy Commissioner is going to be in receipt of
more information, and if they feel like an organization hasn't taken enough
steps to respond to a data breach or if there were multiple breaches reported
over a relatively short period of time, that's likely to give the commissioner
reasonable grounds to audit or investigate."
One area that is likely to be tricky for companies and to attract intense
regulatory scrutiny is the new, stringent record-keeping requirement under the
national law, which has no counterpart in the Alberta statute. These provisions
require an organization to maintain a record of every breach of security
safeguards involving personal information under its control for 24 months after
the day on which the organization determines that the breach has occurred.
"There is huge enforcement potential around the record-keeping requirements,
which may prove to not be such an easy thing for companies to do," Krasnow said.
Australia Joins 30 Day Breach Reporting Bandwagon
After years of debate, Australia threw its hat into the breach reporting matrix
on Feb. 22, when a law making the country's voluntary breach reporting regime
mandatory went into effect.
Under the law, which was first floated in 2013, companies are required to
conduct a breach assessment within 30 days of discovering that an
incident may have occurred and to alert the public and the Office of the
Australian Information Commissioner "as soon as practicable" if they conclude
the event is likely to "give rise to a risk of serious harm."
Becoming more common and prescriptive worldwide
While the expansion of Australian breach reporting requirements didn't attract
the attention that higher-profile changes in the U.S. and EU did, the
obligations are still important for companies that hold data belonging to
residents from around the world, according to attorneys.
"When it comes to breach reporting, a main issue is to figure out what laws your
company is actually subject to and come to grips with them, since each law has
such different definitions and requirements," Jehl said.
That analysis should be both deliberate and ongoing, according to attorneys,
given that, as the first half of 2018 has shown, breach reporting
requirements are only getting more common and more prescriptive.
"To the extent that companies aren't already looking at these kinds of law, they
should be," Stauss said. "But the reality is, if it hasn't dawned on companies
yet that there's only going to be more regimes and more laws in this area and
not less, then someone isn't paying attention."
This article was originally published on law360.com