Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Data Protection & Cyber Security
There is no general statutory definition of security breach under Russian law.
However, all data controllers are under a general obligation to keep PII secure (so disclosure of data to third parties is permitted only on specific grounds). The key indicators of PII security are integrity, confidentiality and availability. If any of these characteristics is compromised, the PII can no longer be considered secure and the incident should be treated as a security breach.
As regards industry-specific definitions, Russian laws set out various definitions of security breaches. For example, the laws governing information security in the Russian national payment system define a security incident as any event that has caused or may cause an unauthorised funds transfer or a failure to provide funds transfer services.
There is also a definition of “computer incident” in the Russian laws on the security of critical information infrastructure (“CII”), which govern various aspects of information security in critical industries such as healthcare, science, transport, communications, energy, banking and finance, the fuel and energy sector, nuclear energy, defence, the rocket and space industry, metallurgy and the chemical industry. The CII laws define a computer incident as any fact of disruption or termination of the functioning of a CII facility or of a communication network used to interconnect CII facilities, and/or a breach of the security of information processed by such a CII facility, including as a result of a computer attack.
The Data Protection Law does not address security breaches.
However, Resolution No. 47/2018 of the Data Protection Authority (please see question 16) approved certain measures in connection with security incidents. In particular, it recommends having a procedure in place to manage security incidents, and a person responsible for issuing a report on each incident.
Although the LGPD does not define “security breach”, it does address the issue. Generally, any security incident that may result in a relevant risk or damage to data subjects may be considered a “security breach”, and the data controller must communicate it to the national authority and to the data subjects within a reasonable period of time.
(i) All the provisions of GDPR regarding personal data breaches directly apply. Under Article 4, para 12 GDPR, a ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(ii) The Cybersecurity Act (CA)
The CA, which implements the NIS Directive (Directive (EU) 2016/1148), imposes obligations to implement a variety of measures to ensure proper network and information security on a very wide range of addressees, such as: administrative authorities; operators of essential services in the energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution and digital infrastructure sectors; digital service providers providing services such as online marketplaces, online search engines and cloud computing services; and other organisations providing public services and persons exercising public functions. Micro and small digital service providers, within the meaning of the Bulgarian Micro and Small Enterprises Act, are among the entities excluded from the scope of the CA.
The CA does not define ‘security breach’ but includes definitions of events related to security breaches, such as:
- ‘Cyber attack’ - an attempt to destroy, disclose, modify, disable, steal or obtain unauthorised access to or unauthorised use of an information asset;
- ‘Cyber threat’ - the possibility of a malicious attempt to break into or disrupt a computer network, system, services or data;
- ‘Cyber incident’ - an event or a series of unintended or unexpected cybersecurity events that are likely to compromise operations and threaten the security of information.
(iii) There are also many sectoral laws which address security breaches, the most important of which are:
- E-Communications Act
- Appendix No. 4 to the General Requirements of the Communications Regulations Commission (CRC) for the provision of public electronic communications defines the types of ‘breach of security or integrity which has had a significant impact on the functioning of the networks or services’ in five categories:
- human error - incidents caused by internal personnel, including through incorrect configuration or incorrect deployment of network facilities, platforms, software applications, archives and databases, and misuse of network resource and incident management procedures;
- hardware and software failures;
- natural disasters - including severe weather conditions, floods, fires, earthquakes, landslides, etc.;
- malicious attacks - the acquisition of unauthorised physical or logical access to networks, systems, applications, data or other information resources by individuals or software, which may result from targeted internal or external attacks;
- external causes - including human errors, incorrect procedures and damage caused by other countries.
Whether a breach has ‘significantly impacted the functioning of the networks or services’ is determined by further criteria based on the ‘duration of the impact’ and the ‘number of users affected’.
- The E-Communications Act defines ‘personal data breach’ as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service.
- The E-Government Act requires administrative bodies to use information systems that comply with the information security requirements set out in accordance with the CA.
- eIDAS (Regulation (EU) No 910/2014): defines ‘security breach’ as an event ‘where either the electronic identification scheme notified pursuant to Article 9(1) or the authentication referred to in point (f) of Article 7 is breached or partly compromised in a manner that affects the reliability of the cross-border authentication of that scheme’.
- The Law on Payment Services and Payment Systems (LPSPS), implementing the Payment Services Directive (PSD 2) (Directive (EU) 2015/2366), addresses the management of operational and security risks. Ordinance No. 3 of the Bulgarian National Bank of 18 April 2018 on the Terms and Procedure for the Opening of Payment Accounts, Execution of Payment Transactions and Use of Payment Instruments, issued under the LPSPS, defines ‘operational and security risk’ as a single event or a series of related events, not planned by the payment service provider, that have, or are likely to have, an adverse effect on the integrity, availability, confidentiality, authenticity and/or continuity of the provision of the payment service.
Security breaches are addressed only in art. 7 FADP, which requires that unauthorised access to personal data and the involuntary loss or destruction of such data be prevented.
The Spanish LOPD refers to the GDPR for the definition and regulation of security breaches, namely breaches «of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed». Note, therefore, that the “breach” referred to in the GDPR, while a type of security incident, applies only to the extent that personal data are affected.
The person responsible for, or in control of, the database must ensure that those involved in processing personal data are bound by and comply with confidentiality obligations, given the liability attached to the security of the personal data stored in the database. It must be guaranteed that the rights of data subjects are safeguarded and that any communication of data is tied to the responsibilities and purposes of the participating organisations. Where personal data are requested through an electronic network, the following information must be recorded: (i) the identity of the requester; (ii) the purpose of the request; and (iii) the specific data being transferred. Regarding security requirements, the Data Privacy Act does not prescribe any specific security measures that entities must take in relation to the processing of personal data. In addition, the person responsible for the database or data banks in which personal data are stored after collection must manage them with due diligence and confidentiality, and is liable for any damages.
Furthermore, there are specific rules on banks, their clients’ data and wire transfers, under which encryption and notification of security breaches are mandatory. This regulation is transitional and was issued by the entity that supervises the banks. A bill regulating these matters is currently pending in Congress.
Additionally, there are other regulations containing cybersecurity provisions applicable only to certain areas, such as:
- Law No. 19,223 on cybercrimes, which criminalises unauthorised access to databases or information and the unauthorised disclosure of such information, among other acts. This outdated law is not sufficient to address the scale and significance of today’s security breaches and cybercrimes.
- General Telecommunications Law (GTL), article 24 H: the obligation on ISPs and telecommunications concessionaires to seek to preserve network security;
- Decree No. 83 of 2005 issued by the Ministry General Secretariat of the Presidency, on the Confidentiality and Security of Electronic Documents for the Public Administration.
- In 2017, the government released the first National Cybersecurity Policy. Its objectives for 2022 include a risk management approach to preventing and reacting to incidents, including the protection of information infrastructure; combating cybercrime while respecting fundamental rights; building a cybersecurity culture through education and accountability; cross-stakeholder cooperation and active participation in national and international discussions; and promoting innovation in the cybersecurity industry. At the same time, Chile signed the Council of Europe Convention on Cybercrime, becoming the 58th country to have signed or acceded to it. As the policy itself notes, Chile has in place a set of legal and statutory regulations that relate directly or indirectly to the challenges of cybersecurity, such as Law No. 19,223 on cybercrime and Law No. 19,628 on the protection of private life, which should be reviewed and updated in accordance with the guidelines set out in the policy and with Chile’s international commitments.
- Supreme Decree No. 1,299/2004, setting out new regulations for the State’s Connectivity Network managed by the Ministry of the Interior and describing the technological procedures, requirements and standards for public entities joining that network (it consolidates an intranet, named the State’s Connectivity Network, to which a number of ministries and public bodies are to be interconnected).
- Supreme Decree No. 1/2015, approving the technical standards for the systems and websites of State administration bodies. This Decree updates the technical standards for the websites of State administration bodies, regulating certain conditions on the confidentiality, availability and accessibility of the information contained in those websites, all of which are key elements of cybersecurity.
- On 25 October 2018, the Chilean President, Sebastián Piñera, signed a bill on computer crimes.
- On the same date, he issued a Presidential Instruction directing public bodies on cybersecurity, including urgent measures to be implemented, such as:
- Appointment of a high-level cybersecurity officer in each public service, who must be independent of the institution’s IT head.
- Application and updating of technical regulations on cybersecurity.
- Internal cybersecurity measures.
- Detailed revision of networks, systems and digital platforms of public operation.
- Surveillance and analysis of the operation of the technological infrastructure of State administration bodies. The Coordination Center of Government Entities (“CCEG”) will verify compliance with current cybersecurity standards and will carry out cybersecurity exercises.
- Compulsory reporting of incidents to the CCEG as soon as the body becomes aware of them.
- Response to cybersecurity incidents. Irrespective of the cybersecurity regulations issued by the head of each service, the Ministry of the Interior, through the CCEG, will arrange the actions necessary to ensure the continuity and proper functioning of the networks.
- Transitional governance of cybersecurity. While implementation of the new national cybersecurity policy model is pending, a temporary governance structure will be defined. This is the responsibility of the Ministry of the Interior, which will designate a person responsible for implementing the measures of the National Cybersecurity Policy under the transitional governance.
A personal data breach (or security breach) is defined in Article 4(12) GDPR and covers any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, processed personal data.
Yes. The Central Government has appointed the Indian Computer Emergency Response Team of the Ministry of Electronics and Information Technology ("CERT") as the national agency for addressing cyber incidents, including cyber security breaches. CERT’s functions include the collection and analysis of information on security incidents, forecasts and alerts of cyber security incidents, and emergency handling measures.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("CERT Rules") have been issued under the IT Act and define:
(a) "cyber security breaches" to mean "unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource"; and
(b) "cyber security incident" to mean "any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorisation".
CERT is authorised to call for information from, and give directions to, service providers, intermediaries, data centres, body corporates and any other person for the purposes of, among others, analysing cyber incidents, issuing alerts of cyber security incidents and taking emergency measures for handling cyber security incidents.
“Cybersecurity incidents” are defined by the National Cybersecurity Incident Response Plan (《国家网络安全事件应急预案》), one of the regulations corresponding to the CSL, as incidents that (1) are caused by human action, defects or malfunctions of hardware or software, or natural disasters, (2) cause damage to networks, information systems or the data held in them, and (3) have a negative impact on society.[49] Cybersecurity incidents are categorised into harmful program incidents, cyber-attack incidents, information or data breach incidents, information or content security incidents, device and equipment malfunctions, disaster incidents and other incidents. Cybersecurity incidents are divided into four levels: extraordinarily significant, significant, relatively significant and general. The factors determining the level of a cybersecurity incident include (1) the severity of the damage done to critical networks and information systems (e.g. whether the damage paralyses the systems or results in the loss of business processing capabilities); (2) the severity of the threat to national security and social stability posed by the loss, theft or tampering of state secrets, important and sensitive information, and critical data; and (3) the severity of other impacts on national security, social order, economic development and public interests.[50]
49 - National Cybersecurity Incident Response Plan, § 1.3.
50 - National Cybersecurity Incident Response Plan, § 1.4.
The current prevailing laws and regulations do not specifically address security breaches. However, under the EIT Law, there are several prohibited actions that may be considered security breaches, among others:
- Unlawful access to computers and/or Electronic Systems of other persons;
- Unlawful acquisition of electronic information and/or electronic records;
- Breaching, hacking into, trespassing into, or breaking through security of Electronic Systems;
- Unlawful alteration, addition, reduction, transmission, tampering with, deletion, moving, and/or hiding of electronic information and/or electronic records of other persons;
- Unlawful moving or transfer of electronic information and/or electronic records to the Electronic Systems of unauthorised persons; and
- Divulgence of confidential electronic information and/or electronic records to the public.
Under the EIT Law, all of the above actions are subject to criminal sanctions in the form of fines and/or imprisonment.
Yes. A personal data breach is defined in Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Yes. Under the Data Protection Act 2018, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A business should ensure it has robust breach detection, investigation and internal reporting procedures in place to help it determine whether it needs to notify a personal data breach to the relevant supervisory authority (e.g. the Information Commissioner's Office) and to the affected individuals.
A business must keep a record of any personal data breaches, regardless of whether it is required to notify the breach.
A business may also be required to notify a security breach under sector-specific laws such as the Privacy and Electronic Communications Regulations, the eIDAS Regulation 2014 and the NIS Regulations 2018, for certain service providers.
The term security breach is not used. Instead, the term “personal data breach” is used in the GDPR and the term “incident” is used in the NIS Act.
The term ”personal data breach” is defined in article 4 of the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The term “incident” is defined in paragraph 2 of the NIS Act as “an event having an actual adverse effect on the security of network and information systems”.
With respect to personal data breach incidents, the HDPA refers to the provisions of the GDPR, in particular Articles 33 and 34 GDPR on the obligation to notify a breach to the supervisory authority and to communicate it to the data subject.
A personal data breach is defined by the GDPR as follows: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Law 2472/1997 does not include any provision concerning personal data breach incidents. The only exception is Law 3471/2006, which provides for a special data breach notification procedure to the HDPA and the Hellenic Authority for Communication Security and Privacy (ADAE), to be followed by providers of publicly available electronic communications services.
According to Law 3471/2006 a personal data breach is a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed in relation to the provision of publicly available electronic communications services.
Law No. 6698 does not provide an explicit definition of ‘security breach’. Given the general obligation of data controllers to ensure data security, any event that adversely affects the safekeeping of personal data can be considered a ‘security breach’ and, if the necessary measures were not taken to prevent it, a failure to comply with the data security obligations.
However, Article 12 imposes an obligation to notify the relevant data subjects and the Board where processed personal data are acquired by third parties through unlawful means. As Law No. 6698 and the secondary regulations provide no exceptions, thresholds or limitations to this reporting obligation, compliance requires notification of a breach even if it involves the personal data of a single data subject. All data controllers must notify all data breach incidents to the relevant data subjects within the shortest time and to the Turkish Data Protection Authority within 72 hours. Unlike the GDPR, Law No. 6698 makes no distinction between high-risk and low-risk breaches or by the number of individuals affected by the breach.
The appropriate provisions of the GDPR apply here.
Accordingly, a personal data breach is defined as a breach of security which accidentally or unlawfully results in the destruction, loss, alteration, or unauthorised disclosure of or access to personal data.
The French DPA 1978 implements the provisions imposed by the GDPR under which the data controller shall, under certain conditions, report data security breaches to the relevant supervisory authority. The definition of data security breach provided for by the French DPA 1978 refers to the GDPR which defines a data security breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In addition to this general obligation to report data security breaches, there are some sectoral obligations to report data security breaches (whether or not they concern PII) for:
- Operators of Essential Services ('OES') and Digital Service Providers ('DSP'): they must notify the Prime Minister of any breach having an impact on the operation or security of their information systems. In addition, if the security incident affects networks and information systems, they must also notify the French national information systems security authority ('ANSSI') without delay after becoming aware of the breach. The law does not provide any specific definition of data security breach;
- Telecom operators: the obligation for telecom operators to report data security breaches to the CNIL was introduced in 2011 to implement Directive 2009/136/EC of 25 November 2009. A security breach in this context is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed in connection with the provision of electronic communications services to the public; and
- Healthcare institutions: they must report serious information system security incidents to the regional health agency. Serious security incidents are defined as events creating an exceptional situation within an establishment, organisation or service. In addition, if the security incident is significant, it is also forwarded by the regional health agency to the competent State authorities. Significant incidents are defined as incidents having a potential or proven impact on the departmental, regional or national organisation of the health system, and incidents that may affect other institutions, organisations or services.
All states in the U.S., as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted laws requiring notification in the event of a “security breach,” “breach of security” or “breach of security of the system” (collectively referred to here as a “security breach”). These jurisdictions define security breach differently, but generally the definition is dependent on three elements: (1) what types of personal information are protected under the relevant statute, (2) how an unauthorized person interacted with the protected personal information and (3) the potential that the incident could result in harm to the individuals whose protected personal information was involved.
A majority of the jurisdictions with breach notification laws define security breach as involving the unauthorized acquisition of personal information. A small number of jurisdictions, including Connecticut, Florida, New Jersey, Puerto Rico and Rhode Island, define security breach as the unauthorized access to personal information. The remaining jurisdictions define it as both unauthorized access to and acquisition of personal information. No state requires notification to individuals or regulators if an incident has not resulted in unauthorized acquisition of or access to personal information.
Additionally, a majority of the jurisdictions maintain a risk-of-harm analysis, which for some is provided for in the definition of security breach. North Carolina’s law, as a representative example, defines security breach as “an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.” Most jurisdictions also maintain an exception in the definition of security breach, which generally states that a good faith but unauthorized acquisition of personal information for a lawful purpose is not a security breach unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
For a small number of states, the definition of security breach includes both computerized/electronic data and paper/hard copy records. For example, Indiana’s definition of “breach of the security of data” includes “the unauthorized acquisition of computerized data that has been transferred to another medium, including paper, microfilm, or a similar medium….”
There are no provisions addressing security breaches.
Article 4(12) of GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Yes. Under the Data Protection Act 2018, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
An organisation should ensure it has robust breach detection, investigation and internal reporting procedures in place to help it determine whether it needs to notify a personal data breach to the DPC and to the affected individuals.
An organisation must keep a record of any personal data breaches, regardless of whether it is required to notify the breach.
An organisation may also be required to notify a security breach under sector specific laws, such as the ePrivacy Regulations 2011 for certain service providers.
“Security breach” is not defined under APPI. However, as described in detail in our response to Question 19 (below), the Guidelines’ provisions do address security breach, and these are followed by many companies.