Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Data Protection & Cyber Security
There is no general obligation to notify data subjects, regulators or any other parties of data breaches in a sense that such data breach notification is specified, e.g., in the European law.
Filing of such notifications on voluntary basis is not widespread among companies doing business in Russia. However, there are some other types of notifications.
Notification upon request. Under Russian laws, data subjects have certain rights (see Q.20). If in the course of considering the data subject’s request the data controller finds out that PII is processed unlawfully (i.e. without appropriate legal ground such as consent, contractual necessity etc.), it shall:
- either ensure appropriate legal ground for processing (e.g., request consent) and thereby rectify the violation;
- or if it is not possible - to destruct unlawfully processed PII.
Once this is done, the data controller shall notify data subject of this. Notification should be also filed to the regulator if the request is submitted by the regulator. This is so-called “notification upon request”.
Modernized Convention 108 and expected amendments. On October 10, 2018, Russia has signed a Protocol modernizing Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), hereinafter – “Convention 108”. Under the modernized Convention 108, the data controller shall without delay notify at least the regulator of data breaches, which may seriously interfere with individuals rights and fundamental freedoms. Convention 108 does not expand further on data breach notification.
It was reported that the regulator has started to elaborate a draft bill to amend the Personal Data Law to incorporate provisions of the modernized Convention 108.
Industry specific notification requirements. Russian laws also set out certain industry specific types of data breach notifications. For example, certain obligations to notify of data breaches are imposed on the players of Russian payment system (financial institutions) as well as on owners of CII facilities (see Q.18), which were assigned a category of importance upon specific classification procedure.
The Data Protection Law does not impose a general duty to notify either individuals or the Data Protection Authority of a data breach. However, even if it does not constitute a legal obligation, Resolution No. 47/2018 recommends reporting a security incident to the Data Protection Authority.
If approved, the Data Protection Bill would introduce an express obligation to report certain security incidents to the Data Protection Authority and the data subjects.
Until the LGPD becomes effective, Brazil does not have a specific provision that requires notification to the regulator or individuals in the case of security breaches, nor an authority for personal data protection. When the LGPD becomes effective, the communication shall be made within a reasonable time, as defined by the national authority.
Despite the fact that data breach notification is only recommended (not legally enforceable), it is assumed and expected that any security breaches that may harm the privacy, the private life and the rights granted to those whose data are being collected, must be informed to the people affected, so that individuals may take action to maintain the privacy of their personal data or information, without extinguishing the provider’s liability for any damages arising from such security breach.
Additionally, the Special Unit for Data Protection and Artificial Intelligence, linked to the Federal Public Prosecutors Office, suggests companies to notify data breaches. For this purpose, the Commission provides a webpage where companies can communicate safety incidents and breaches of personal data.
(i) Notifications under the GDPR
The GDPR requires data controllers to notify the data protection authority about a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms. It also requires processors to notify controllers without undue delay after becoming aware of a personal data breach. (Article 33 GDPR).
Under Article 34 GDPR, if the data breach is likely to result in a high risk to data subjects' rights and freedoms, then the data controller must also inform them (without undue delay).
According to Recital 85 GDPR, to assess the risk posed to data subjects' rights and freedoms, an assessment should be made of the potential negative consequences. Although this list is not exhaustive, the GDPR specifies that the potential adverse consequences of a data breach can include material and non-material damage, such as:
- Loss of control over personal data
- Identify theft or fraud
- Financial loss
- Damage to reputation
- Loss of confidentiality.
- the nature of the personal data breach;
- the contact points where more information can be obtained;
- the recommended measures to mitigate the possible adverse effects of the personal data breach.
- description of the consequences of the personal data breach
- the measures proposed or taken by the undertaking to address, the personal data breach.
(ii) Notifications under the CA
The notification under the CA in the event of the specified incidents occurring should be made by the addressees of the CA (see Question 18) to the respective Sectoral Computer Security Incident Response Team (CSIRT) within two hours of identifying the incident and the complete data should be sent within 5 days (Articles 21, para. 4, 5 and 6; 22, 23 CA).
Notifications have to be submitted following the sample form approved in accordance with an ordinance on the minimum scope of network and information security measures, along with other recommended measures to be adopted by the Council of Ministers under Article 3, para. 2 CA. By-law legislation is yet to be adopted.
The CA provides for the possibility also for persons who are not addresees of the CA to conduct notifications to the CSIRT about incidents that affect the integrity of the provided services by them (Article 27 CA).
(iii) Notifications under the E-Communications Act
(a) Under Article 243b E-Communications Act, the undertakings providing public electronic communications networks and/or services shall immediately notify the CRC on each breach of ‘security or integrity, which has significant impacted on the functioning of the networks or services’. The CRC may inform the public or require the undertakings to do that, if it decides that it is in public interest the breach to be announced. The notification procedure is being determined in Appendix No. 4 to General requirements of the Communications Regulations Commission (CRC) in the implementation of public electronic communications. Addressees must provide by using an official form an initial notification to the CRC immediatelty after gaining knowledge of the breach and a final notification after endng of the breach.
(b) Under Article 261c E-Communications Act, in the case of a personal data breach, the undertaking that provides publicly available electronic communications services has to notify the CPDP within three days after the breach has been detected. When the breach is likely to adversely affect the personal data or privacy of a subscriber of publicly available electronic communications services or individual, the undertaking has also to notify the subscriber or individual of the breach.
Notifications are not required if the undertaking has demonstrated to the satisfaction of the CPDP that it has implemented appropriate technological protection measures to protect the personal data concerned by the security breach. Such technological protection measures are present, if they can render the data unintelligible to any person who is not authorized to access it. If the undertaking has not already notified the subscriber or individual of the personal data breach, the CPDP, having considered the likely adverse effects of the breach, may require it to do so. The notification to the subscriber or individual has to at least describe the following:
In the notification of the personal data breach to the CPDP, the undertaking that provides publicly available electronic communications services has to include in addition to the information under Para. (5) also:
The CPDP has issued in accordance with Article 261d E-COMMUNICATIONS ACT an Instruction No. 1 of 21.12.2016. concerning the circumstances in which undertakings that provide publicly available electronic communications services are required to notify personal data breaches to customers, the format of such notification and the manner in which the notification is to be made which provides further specifications with respect to the topic.
(iv) Notifications under the eIDAS
Under Article 19, para. 2 eIDAS Qualified and non-qualified trust service providers shall, without undue delay but in any event within 24 hours after having become aware of the CRC of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein.
Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the trusted service has been provided, the trust service provider shall also notify the natural or legal person of the breach of security or loss of integrity without undue delay.
(v) Notifications under the LPSPS
A payment service provider licensed by the BNB shall immediately notify the BNB in the case of a major operational or security incident. Where the incident has or may have an impact on the financial interests of payment service users, the payment service provider shall immediately inform the payment service users of the incident and of all measures he takes to limit the adverse effects of the incident. A payment service provider licensed by the BNB shall provide to the BNB statistical data on fraud relating to payments (Article 99 LPSPS).
The payment service provider licensed by the BNB must provide notification to BNB immediately about a major operational or security incident. The payment service provider licensed by the BNB must provide an initial, interim and final notification in accordance with the forms in the Guidelines on incident reporting under PSD2 (EBA-GL-2017-10).
FADP does not explicitly address the duty to notify the FDPIC or the data subjects in case of data breaches. Nonetheless, the FDPIC has established in its practice the duty to notify data breaches based on art. 4 para. 2 FADP (data must be processed with good faith). As there is no explicit obligation and as there are no specific criteria on when a notification is appropriate, the data controller has some discretion when considering a notification. It can be reasonable to consult the FDPIC on a no-name basis in tricky cases in order to get additional advise.
As there is no explicit duty to notify the data subjects about data breaches, companies are rather reluctant regarding such notifications. FDPIC recommends that data subjects be notified in cases in which such notification allows the data subjects to minimize damages, for example by blocking credit cards, by changing passwords.
The notifications of security breaches to the competent control authority are compulsory when they may result in a risk to the rights and freedoms of natural persons, according to article 33 GDPR, which in the case of Spain is the Spanish Data Protection Agency (AEPD). Only when the security breach may result in a high risk to the persons affected, the controller shall communicate the personal data breach to the data subjects, following the rules established in article 34 GDPR.
The Data Privacy Act does not impose any obligations to notify the regulator or individuals of security breaches, because currently in Chile there is no Data Privacy Officer yet.
Nevertheless, there are specific rules regarding banks and data of their clients in which encryption is mandatory and notice of security breach. This regulation is transitory and, it was dictated by the entity that supervises the banks. Currently, the Bill that includes regulation in these matters is pending in Congress.
Furthermore, see answer to question 18 regarding cybersecurity directive to the public sector, issue by the President of Chile.
For controllers, Art. 33 GDPR legally requires the notification of the supervisory authority without undue delay, at least within 72 hours upon becoming aware of a data privacy incident. It must contain the nature of breach as well as the categories or number of persons affected/ data records. Moreover, it must contain the likely consequences and measures planned by the controller. Also, it must involve the name of a contact person, e.g. the DPO.
If the personal data incident causes a high risk to the rights and freedoms of a natural person, the controller must also notify the data subject immediately (Art. 34(1) GDPR). This notification must be made in clear and plain language. The controller, however, shall not be under any obligation to notify the person affected, if the said data is secured and protected from unauthorized access via technical and organizational security measures or if the notification would involve disproportionate effort (Art. 34(3) GDPR). In the last case a public communication or a similar measure can suffice (e.g. publication in the newspaper or on the internet).
Processors shall notify the controller without undue delay about the data breach.
Rules under the IT Act
The requirement to report security breaches may flow from various rules formulated under the IT Act. These include: -
(a) CERT Rules – The CERT Rules require certain cyber security incidents to be mandatorily reported by an individual, organisation or corporate entity affected by such incident. These are: –
(i) targeted scanning/probing of critical networks/systems;
(ii) compromise of critical systems/information;
(iii) unauthorized access of IT systems/data;
(iv) defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.;
(v) malicious code attacks such as spreading of virus/worm/trojan/botnets/spyware;
(vi) attacks on servers such as database, mail and DNS and network devices such as routers;
(vii) identity theft, spoofing and phishing attacks;
(viii) denial of service and distributed denial of service attacks;
(ix) attacks on critical infrastructure, SCADA systems and wireless networks; and
(x) attacks on applications such as e-governance, e-commerce etc.
(b) The Information Technology (Intermediary Guidelines) Rules, 2011 ("Intermediary Guidelines") – The intermediary Guidelines require intermediaries46 to report cyber security incidents47 and also to share cyber security incidents related information with CERT.
Separately, the Privacy Rules require body corporates to share PII or sensitive PII (without first obtaining consent from the Data Subjects) with authorized Government agencies for the purposes of investigating cyber incidents.48
The Privacy Bill has specific provisions pertaining to reporting of data breach and requires data fiduciaries to notify the Authority of any PD breach (relating to PD processed by the data fiduciary) where such breach is likely to cause harm to any Data Subject. The Authority may thereafter require the data fiduciary to report the breach to the Data Subject taking into account the severity of harm that may be caused or whether some action of the Data Subject is required to mitigate the harm.
46 - The term "intermediary", with respect to an electronic record, has been defined under the IT Act to mean "any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes."
47 - The definition of "cyber security incident" under the Intermediary Guidelines is the same as the one provided under the CERT Rules.
48 - "Cyber incidents" is defined in the Privacy Rules to mean "any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation".
Network operators are required by the CSL to report the incident that threatens cybersecurity to competent authority in accordance with regulations.51 The PI Specification further illustrates the circumstances and content of such reporting. After a personal information security incident occurs, the personal information controller should, among other things, report in a timely manner according to provisions in the National Cybersecurity Incident Response Plan. The content of the report should include but not be limited to: type, quantity, content, and nature of PI subject; possible impact of the incident; measures that have been or will be adopted; and contact information of relevant personnel handling the incident.52
51 - CSL. §25.
52 - PI Specification. 9.1 c) 3).
- Reporting Obligation to Relevant Authority
Under the prevailing law and regulation, ESO is not legally required to conduct report of system breach over data protection to the MCI. ESO that suffers data breaches may voluntarily file a complaint to Directorate General of Application Informatics of MCI (“DGAI”) in the event of data breaches. This complaint shall be only intended as an effort to resolve any dispute amicably or other alternative dispute resolutions.
- Reporting Obligation to Personal Data Subject
With regard to notice to the relevant Data Subject, ESO is obliged to provide notice for any incidences of data breaches to the Personal Data Subject (“Notice of Breach”). The Notice of Breach must at least contain the following information: (i) reasonings or causes of the data breaches occurrence; (ii) notice of breach can be submitted electronically provided that the relevant Personal Data Subject has approved such way of submission during the collection of his/her Personal Data; (iii) ensure that the relevant Data Subject has actually received the report if the incidence of data breaches may lead to potential loss; and (iv) a written report shall be submitted to the Personal Data Subject within 14 (fourteen) days after the data breaches came into realization.
Breach notification to the Regulator (CNPD) is required by law and must be made not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification should be made through an on-line form available at https://www.cnpd.pt/DataBreach/ where controllers must provide all the information required under the GDPR.
Breach notification to individuals is required by law only where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject and should be made without undue delay, unless any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach and render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c) it would involve disproportionate effort, in which case, a public communication or similar measure whereby the data subjects are informed in an equally effective manner will be adequate.
Finally, Article 29 Working Party Guidelines on personal data breach notification (WP250rev.01) provides guidance on inter alia assessing the risk and high risk and cross-border breaches that controllers, in the absence of specific laws, regulations and guidelines in their jurisdiction, should have into consideration as these guidelines reflect the position of the European Data Protection Authorities and their interpretation of the GDPR provisions.
The Data Protection Act 2018 introduces a duty on a controller to report certain types of personal data breaches to the relevant supervisory authority.
When a personal data breach has occurred, a business will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then the business must notify the breach to the Information Commissioner's Office (ICO). If it’s unlikely then the business does not have to report it. However, if the business decides it doesn’t need to report the breach, it will need to be able to justify this decision, and will need to keep a record of the breach, the analysis and the decision not to report.
In addition, if a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the business must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. The business will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, the business will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
The report to the ICO must be made within 72 hours of the controller becoming aware of the breach. If the business decides not to notify individuals, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. The ICO has the power to compel a business to inform affected individuals if they consider there is a high risk.
A business must document the facts relating to the breach, its effects and the remedial action taken. This is part of its overall obligation to comply with the accountability principle, and allows the ICO to verify its compliance with its notification duties.
According to article 33 of the GDPR, the controller is required to notify a personal data breach to the Swedish Data Protection Authority no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller is typically also required to communicate the personal data breach to the data subject without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (article 34 of the GDPR).
Further, the NIS Act and the NIS Ordinance require operators of essential services to, without undue delay, notify incidents having a significant impact on the continuity of the essential services they provide and digital service providers to, without undue delay, notify incidents having a substantial impact on the provision of a digital service which they offer within the EU. Such incident reports shall be reported to the Swedish Civil Contingencies Agency. The time limits to report such incidents has been further specified by the Swedish Civil Contingencies Agency, according to the following:
- The operators of essential services/digital service providers shall within six (6) hours from identification of an incident which must be reported, report it and include information about inter alia concerned service, description of the incident, the disorder and consequences.
- The operators of essential services/digital service providers shall within 24 hours from identification of an incident which must be reported, provide the Swedish Civil Contingencies Agency with information about measures to minimise the consequences of the incident.
- The operators of essential services/digital service providers shall within four (4) weeks provide the Swedish Civil Contingencies Agency with information about measures that have been taken and how they will prevent future incidents.
The HDPA, when it comes to a personal data breach, refers to the provisions of the GDPR and in particular, to articles 33 and 34 of the GDPR regarding the obligation of the controller to notify the breach to the supervisory authority and to communicate the breach to the data subject.
According to article 33 of the GDPR, data controllers, in the case of a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons shall without delay notify the breach to the supervisory authority.
Moreover, according to article 34 of the GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The latter communication of the breach to the data subject is irrespective of the aforementioned notification of the breach to the supervisory authority (which shall take place even when the risk cannot be considered as ‘’high’’). The communication to the data subject shall take place, as much as possible, in an appropriate and effective way, in the form of personalized information rather than a general communication.
It should be noted that in any case, the supervisory authority can order the controller to communicate a personal data breach to the data subject (article 58 par 2 (e) of the GDPR).
Finally, any company can download the official notification form from the website of the HDPA, which shall be completed and sent to it in the case of a personal data breach.
The Law No. 6698 and secondary legislation do not provide any exceptions, thresholds or limitation for a breach to trigger the notification obligation. Consequently, the Law No. 6698 would require the notification of such a breach even if it involves the personal data of a single data subject. Moreover, as opposed to the GDPR, the Law No. 6698 does not make any distinctions between high-risk and low-risk breaches and the number of individuals affected by the data breach.
A personal data breach must be reported by the controller to the Data Protection Authority immediately and at the latest within 72 hours of becoming aware of the violation. The notification must meet certain minimum requirements as to its content, including the nature of breach, category and approximate number of data subjects concerned, categories and approximate number of personal data records concerned, a description of the likely consequences of the personal data breach, name and contact details of any data protection officer appointed.
The French DPA 1978 introduces a duty on controllers to report certain types of data security breaches to the relevant supervisory authority.
This general notification obligation pursuant to the French DPA 1978 provides that the report to the CNIL shall intervene within 72 hours.
If the controller cannot provide all the required information within this time period because further investigations are necessary, the notification may intervene in two stages:
- An initial notification within 72 hours following the violation (if the 72-hour deadline is exceeded, the controller must explain the reasons for the delay) ; and
- An additional notification as soon as the complete information is available.
The CNIL has implemented an online platform available for data security breach notifications (accessible at https://notifications.cnil.fr/notifications/index).
Such notification to the CNIL shall intervene in the case where there is a risk regarding data subjects privacy. The level of risk is self assessed by the data controller. However, in the case of a control operated by the CNIL, it will have to demonstrate that the data security breach was unlikely to result in a risk to the rights and freedoms of data subjects. If such risk is high, the data controller will also have to notify the data subjects. The CNIL has the power to compel a business to inform affected individuals if they consider there is a high risk.
OES and DSP shall notify the Prime Minister of any data security breach irrespective of the level of risk for the data subjects.
Healthcare institutions shall notify the regional health agency of any serious and significant security incidents. Serious incident are considered as (i) incidents with potential or proven consequences for the safety of care (ii) incidents affecting the confidentiality or integrity of health data and (iii) incidents affecting the normal functioning of the establishment, agency or service.
Telecom operators must notify without delay the CNIL of any data security breach.
Any notification to the CNIL must contain the following information in particular:
- a description of the nature of the personal data security breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the consequences that may occur following the personal data security breach; and
- the measures taken or proposed to be taken by the controller to address the personal data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
In addition, if a personal data security breach is likely to result in a high risk to the rights and freedoms of individuals, the business must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the CNIL. The business will need to assess both the severity of the potential or actual impact on individuals as a result of a data security breach and the likelihood of this occurring. If the impact of the data security breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, the business will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a data security breach.
The notification of the data security breach to data subjects may not be required by the CNIL if appropriate protection measures have been implemented by the business to render the data unintelligible to any person who is not authorised to access it and have been applied to the data affected by the said data security breach.
Currently, there is no single U.S. security breach notification law that applies to all businesses in the U.S. Rather, security breach notification requirements are governed by a patchwork of federal and state breach notification laws. In some instances, a business may be required to provide breach notification in accordance with both federal and state breach notification laws.
Whether an entity must provide notification of a security breach depends on a variety of factors, including (1) the type of business (that is, the sectoral regulatory regime the entity falls under), (2) how “security breach” is defined under the applicable breach notification law, and (3) the type of information involved in the security breach.
Federal laws with breach notification requirements include HIPAA and the guidance and regulations for financial institutions established under the umbrella of GLBA (Interagency Guidelines). HIPAA’s breach notification requirements apply to healthcare entities that meet the definition of “covered entities” or “business associates.” The GLBA Interagency Guidelines apply to certain financial institutions, depending on the applicable regulator for the financial institution.
The definitions of “security breach” and “personal information” vary under state law, as discussed in more detail in Questions 3 and 18 above. Some states require notice to regulators if any individual in that state is notified of a security breach, while other states have thresholds that trigger notice to a state regulator, such as 500 or more individuals impacted.
Some states have additional sectoral notice and regulatory requirements. For example, insurance companies in many states are required to notify the state’s department of insurance of a security breach. In additional, the New York Department of Financial Services (NYDFS) has its own notice requirements for entities that it regulates, including a requirement that licensed entities must provide notice to the New York Department of Financial Services of a security breach within 72 hours of discovery.
If breach notification is not required by law, determining whether to provide voluntary notification is a fact-specific analysis that can be based in part on guidance from regulators but ultimately is a “business decision.” The FTC, OCC, Department of Education and self-regulatory entities, such as the Financial Industry Regulatory Authority, have produced guidance on when certain entities should provide notification of a security breach. In addition, some businesses opt to provide voluntary notification based on the specific facts and circumstances surrounding a data security incident.