If you are a U.S.-based entity that is subject to the EU Data Protection Regulation (GDPR), and you store personal data of EU residents and personally identifiable information of U.S. residents in a commingled database, you may need to revisit your data breach notification procedures.
The Information Commissioner’s Office (ICO) – the UK data protection authority – has issued new guidance stating that in the event of a data breach involving EU individuals’ data, notification may be required even when the data is properly encrypted. This goes beyond the laws of most U.S. states, as well as HIPAA (The Health Insurance Portability and Accountability Act of 1996), which do not require notification in such situations.
According to the guidance, you may be required, under Article 33 of the GDPR, to notify the ICO of a data breach within 72 hours, even if the dataset in question was encrypted. If you can demonstrate that the data was properly encrypted using trusted, industry-standard encryption, you would not need to notify the individuals, per the requirement of Article 34 of GDPR, but you would need to document this decision and inform the ICO of it in your notification.
Under Article 33, if data identifying individuals in the EU was the subject of unauthorized access or use, you need to notify the relevant data protection authority within 72 hours of becoming aware of the breach unless there is no risk to the rights of individuals. You would also need to notify the individuals whose data was compromised, if the breach poses a high risk to their rights.
U.S.-based entities with a database containing both U.S. and EU identifying information face the complicated task of answering all of the following questions and putting the answers into a workable data breach notification process:
Do I notify the EU regulator? Probably Yes
Under the GDPR, the approach is pro-notification and companies tend to err on the side of notification. That is because prompt notification is considered a factor that reduces potential liability in a breach. This was a factor in reducing the fine in a recent enforcement action in Germany.
Do I notify the EU individuals? Maybe
Notifying individuals is also considered a sign of forthright, trust-engendering behavior and is encouraged by regulators. This has led to a number of recent notifications of individuals even in cases where the only information implicated was the individuals’ email address and the fact that they were subscribed to an innocuous online service.
Do I notify the U.S. regulators / individuals? I was hoping not to but…
Unlike GDPR, which requires notification in connection with any breach of personal data, a term that is defined very broadly, most U.S. laws’ notification requirements are triggered when a specific type or subset of information is compromised. Typically, that amounts to a first name or initial and last name, plus a Social Security number or other government identifier, a driver’s license, online bank account access information, or protected health information. If the data in your commingled database is of a type requiring notice under U.S. law, notification would be required.
If, on the other hand, the information compromised requires notification in the EU but does not rise to the level of notification in the U.S., you may be faced with a dilemma, especially when the data pertains, for example, to employees who communicate among themselves.
When do I notify the U.S. regulators / Individuals?
Most U.S. laws require notification “without undue delay.” This has traditionally been defined as roughly 30 to 45 days from breach discovery in many cases, though there are exceptions. If, however, you notified the EU authorities and individuals within 72 hours, and desire to delay notification in the U.S. states to a later time, you would need to be able to show how that meets the “without undue delay” requirement, notwithstanding the EU notification.
[View source.]
