GDPR: The Most Frequently Asked Questions: Can a company send data breach notifications to impacted individuals through email?

BCLP

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Can a company send data breach notifications to impacted individuals through email?

Answer: Yes. Most United States data breach notification laws specify the medium that a company must use when notifying individuals about a data breach.  While all states permit notification using a written notice (i.e., United States mail), most states only permit notifying an individual of a data breach using email if one of the following two factors is met:

1) The individual has consented to the use of electronic records pursuant to the E-Sign Act. Under the E-Sign Act an individual must affirmatively consent to the use of email, and must be provided with a clear statement concerning their right to opt out of the use of email in the future.[1]

2) The company maintains its own notification procedure as part of its information security policy, and that procedure permits notification of impacted individuals by email.[2]

Unlike the United States, the GDPR does not directly discuss the medium that a company must use when notifying individuals about a data breach.  The Article 29 Working Party, however, has recognized that email or SMS text messages are forms of “direct messaging” that would transparently communicate to data subjects that a breach has occurred.[3]  If a breach involved the loss of a data subject's email address, however, a company should be cognizant of the fact that the email “channel [of communication] could also be used by attackers impersonating the controller.”[4]  So, for example, an attacker that has obtained the email addresses of a company's customers could send a fictitious phishing email that purports to notify individuals about the data breach and asks them to provide additional categories of sensitive information as part of an enrollment for identity theft restoration services.

In order to reduce the risk that data subjects fall for phishing emails relating to the breach, companies should consider making clear to data subjects that the company will not request that the data subject provide additional personal data via email or through a link within an email sent from the company.


1. 15 U.S.C. 7001(c)(1).

2. See, e.g., Cal. Civil Code 1798.82(l).  Approximately 36 jurisdictions in the United States allow a company to follow its own pre-posted data breach notification policy when selecting the format in which notifications are sent.

3. Article 29 Data Protection Working Party, WP250rev.01: Guidelines on Personal Data Breach Notification Under Regulation 2016/679 at 6 (Feb. 6, 2018) at 21.

4. Article 29 Data Protection Working Party, WP250rev.01: Guidelines on Personal Data Breach Notification Under Regulation 2016/679 at 6 (Feb. 6, 2018) at 21.


Written by:

BCLP
