With the rise of technology and interconnectivity across the globe, there is a proportionate rise in the likelihood of a personal data breach, which may severely impact privacy in different parts of the world. This article briefly surveys the breach notification requirements in India, the European Union, the United Kingdom, the United States, Canada, and South Africa, and outlines an approach an organization may adopt to address them.
India
In August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDPA). The DPDPA requires a data fiduciary to notify the Data Protection Board and each affected individual of a personal data breach, but it is yet to come into force, and the form, manner and timeline of such notification are to be prescribed by rules that the government is expected to issue. At the time of writing, the applicable breach notification requirements in India therefore flow from the CERT-In directions of April 2022, which list twenty types of cyber security incidents that must be reported, including data breaches and data leaks. Under these directions, a reportable incident must be notified to CERT-In within six hours of the organization noticing it, or being brought to notice of it, via e-mail (incidents@cert-in.org.in), phone (1800-11-4979), or fax (1800-11-6969). The notification should contain: (i) the time of occurrence of the incident; (ii) information about the affected system or network; (iii) the symptoms observed; and (iv) relevant technical information such as the security systems deployed and the mitigation measures taken. A security incident reporting form is available on the CERT-In website and gives general guidance on the information expected in the report.
Europe and the United Kingdom
The European Union and the United Kingdom have comprehensive privacy laws, the EU General Data Protection Regulation (GDPR) and the UK GDPR, which are materially identical on breach notification. Under Article 33, an organization must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 (seventy-two) hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made later than 72 hours must be accompanied by reasons for the delay. Under Article 34, the affected individuals must be notified without undue delay only where the breach is likely to result in a high risk to their rights and freedoms. Because the clock runs from awareness, an organization's incident response process should record when a breach was first confirmed. In substance, the content of the breach notification is akin to that required under the CERT-In directions and the US breach notification laws. There are, however, certain requirements and exceptions that organizations should consider before proceeding with notification:
i. If it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue further delay. [Article 33(4) of the EU GDPR]
ii. An organization should document the facts about the personal data breaches, the effects thereof, and mitigation and remedial measures adopted to help the data protection authorities verify the organization’s compliance with the breach notification requirements under the GDPR. [Article 33(5) of the EU GDPR]
iii. Notification to the affected individuals (but not to the supervisory authority) is not required in the following scenarios: (a) if appropriate technical and organizational protection measures, such as encryption, had been applied to the personal data affected by the breach, rendering the data unintelligible to any unauthorized person; or (b) if subsequent measures have been taken to ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialize. Further, if notifying the individuals would involve disproportionate effort, the organization may instead issue a public communication or adopt a similar measure whereby the individuals are informed in an equally effective manner. [Article 34(3) of the EU GDPR]
Canada
In addition to the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada has provincial privacy laws; of these, only Alberta and Quebec require organizations to issue breach notifications. An organization subject to PIPEDA is required to notify the Office of the Privacy Commissioner of Canada (OPC) and the affected individuals if a breach of security safeguards creates a real risk of significant harm to the individuals, and to keep a record of every breach of security safeguards, whether or not it was notifiable. The OPC has made a breach report form available on its website, which sets out the content requirements for a notification. Neither PIPEDA nor the provincial laws prescribe a fixed timeframe; organizations are required to notify as soon as feasible after determining that a breach has occurred. The contents of a breach notification under the provincial laws are substantially similar to those required under PIPEDA.
South Africa (SA)
In South Africa, the Protection of Personal Information Act (POPIA) requires an organization, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person, to notify the Information Regulator (SA's data protection authority) and the individuals to whom the information relates as soon as reasonably possible after discovery of the compromise. The notification must provide sufficient information to allow the individuals to take protective measures, including a description of the possible consequences of the breach, the measures the organization has taken or intends to take, the measures the individuals may take, and the identity of the unauthorized person who may have accessed the personal information (if known). The Information Regulator has made a breach notification form available for this purpose.
United States
The United States does not have a comprehensive federal privacy law; apart from sector-specific federal laws, breach notification requirements are set by the breach notification laws of the individual states, the District of Columbia and the territories. Notification may have to be sent not just to the affected individuals, but also to the state attorney general and/or the consumer reporting agencies.
Most of these laws require notification to be provided to individuals as expeditiously as possible and without unreasonable delay, and the maximum timeframe varies. Puerto Rico's breach notification law provides the shortest window, 10 days from detection, followed by Vermont's, which requires notice to the Attorney General within 14 business days of discovery of the breach (and notice to individuals within 45 days). Other state laws have adopted more liberal but differing windows (for example, a maximum of 30 days under Washington law; 45 days under Oregon law; and 60 days under Delaware and Connecticut law).
Certain state breach notification laws exempt an organization from their notice requirements if the organization maintains its own breach notification policy as part of its information security program, provided that the policy is consistent with the timing requirements of the law and that the organization notifies in accordance with that policy. The statutory timeframe therefore continues to apply: an organization relying on its own policy should still be able to notify within the window prescribed by the relevant state law.
Further, although the content requirements under these laws appear substantially similar, they vary in detail. Organizations should specifically consider the content requirements where a particular state law does not allow them to follow their own breach notification policy. To prepare a breach notification that satisfies such laws, an organization may, besides other information, consider including the following:
i. Details of the organization(s) that experienced the data breach;
ii. Description of the (a) nature and cause of the breach; (b) categories of personal data, including sensitive personal data, that are, or likely to have been breached;
iii. Details of the relevant point of contact for individuals and authorities to obtain more information about the breach, as and when required;
iv. The date, or estimated date range, of the breach, and the number of individuals actually or potentially affected;
v. Measures to contain, mitigate, remediate, and prevent the recurrence of the breach;
vi. Steps that individuals can take to mitigate the effects of the breach and protect themselves from identity theft;
vii. Any services related to the breach being offered or scheduled to be offered, without charge, by the organization to individuals, and instructions on how to use the services;
viii. Any knowledge of foreign country involvement;
ix. Advice directing individuals to remain vigilant by reviewing account statements and monitoring free credit reports;
x. Contact information for consumer reporting agencies;
xi. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general; and
xii. Whether notification was delayed because of a law enforcement investigation, if that can reasonably be determined at the time the notice is provided.
In addition to the above, the Massachusetts breach notification law specifies that the notice to affected residents should include: (i) the residents' right to obtain a police report; (ii) how they may request a security freeze and the information they will need to provide when requesting it; (iii) the fact that the security freeze will be placed at no charge; and (iv) any mitigation services to be provided under the law. Conversely, the notice to affected Massachusetts residents must not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents affected.
Conclusion
Organizations must decide whether a breach is notifiable based on several factors, including the gravity of the breach and the risk of harm it poses to the individuals' privacy rights, and should document that assessment even where they conclude that no notification is required. On the face of it, the information that forms part of a breach notification under the laws of the foregoing regions is substantially similar. An organization may therefore adopt a common approach: gather all the information relevant to the breach once, and restructure that consolidated information according to the requirements of each region. However, the methods of, and the timeframes for, issuing notifications (for example, a six-hour window in India versus 72 hours under the GDPR, or the use of a prescribed form in Canada or South Africa) vary. Accordingly, organizations should supplement the common approach with a region-specific checklist to address these diverse requirements.
About the author: Sandeep G is an Associate at NovoJuris Legal.