What is Data Breach Notification?
Data breach notification has become an increasingly important part of cyber security over the last decade. It is the process of informing data subjects about the loss, inappropriate disclosure, or unauthorised access of personal data held by an organisation. Properly executed, data breach notification allows affected individuals to take the steps necessary to protect themselves from harm.
Data breach notification is a legal requirement in most jurisdictions when a data breach compromises the personal information of individuals. Notification must be made to each of the individuals whose data has been accessed, and in some cases it is also necessary to inform local authorities, such as a data protection agency, of the incident.
The Legal and Regulatory Environment of Data Breach Notification
Data breach notification legislation did not exist in most jurisdictions 10 years ago, and businesses have largely had to play catch-up on compliance. As a consequence, the legal and regulatory environment of data breach notification is constantly becoming more complex.
In Europe, the General Data Protection Regulation (commonly referred to as the GDPR) is seen as the most comprehensive piece of legislation on data protection. The GDPR introduces mandatory data breach notification in Article 33, which requires organisations to make an initial notification to the competent supervisory authority within 72 hours of the breach being identified. In some circumstances, the organisation must also make a notification to those individuals whose personal data was affected.
In the US, data breach notification is regulated by a combination of state and federal laws. Most states have adopted their own data breach notification laws, most of which require a business to notify affected individuals and/or the state Attorney General if a breach of personal information has occurred. The Health Insurance Portability and Accountability Act (HIPAA), however, is considered to be the primary federal law on data breach notification in the US. The HIPAA Breach Notification Rule requires healthcare organisations to provide timely notice to individuals and the Office for Civil Rights (OCR) regarding any unauthorised access, disclosure, or acquisition of personal health information held by their organisation.
Data Breach Notification Procedures
It is essential that organisations have procedures in place to identify and investigate potential data security incidents promptly. Depending on the nature of the incident and the results of the investigation, affected individuals may need to be notified. Businesses should therefore have a data breach notification process in place which outlines the steps to be taken once a breach has been identified.
Data breach notification procedures should cover topics such as:
• Establishing a breach response team
• Establishing clear roles and responsibilities
• Determining the course of action
• Initiating the notification process
• Contacting impacted individuals
• Documenting each step in the process
• Ensuring compliance with relevant regulations
Data breach notification procedures should also be regularly reviewed and updated to ensure compliance with current regulations. Additionally, businesses should train personnel on the procedures and provide ongoing awareness education to relevant staff.
Data breach notification is an important element of data security and privacy compliance. Regulations around the world are becoming more complex, and businesses are tasked with ensuring they have the procedures and processes in place to identify and investigate potential data security incidents. By implementing an efficient data breach notification process, organisations can ensure that the necessary steps are taken to inform the affected individuals and regulators of any such incidents.