California’s famous SB1386 bill of 2003 pioneered mandatory data-breach notification across the United States, spurring a decade of unprecedented corporate spending on information security. Europe has imported this idea into its landmark General Data Protection Regulation (GDPR). Now, US multinationals will need to update their US privacy incident-response playbook in at least 10 areas in order to be ready for the GDPR’s May 2018 compliance deadline.
Taken together, these 10 points represent a very different model, and one from which its own dynamics are sure to emerge. US multinationals planning to make only minor modifications to their US privacy incident-response policies, and expecting to assign this responsibility entirely to their US response teams, are underestimating the level of effort required to manage their risks effectively. Let's take a look at these 10 areas:
The standard criterion triggering a data-breach notification in the United States is the "unauthorized access or acquisition" of a limited set of sensitive personal data elements such as Social Security numbers and credit card numbers. The GDPR defines a breach more broadly as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data." The EU, in turn, defines "personal data" as any data that can be directly or indirectly associated with a living individual, a very broad scope that includes, for example, IP addresses.
In spite of the much lower threshold for what constitutes a data breach under the GDPR, the new law applies a risk-based filter to which of these breaches must be reported. Only breaches likely to pose a risk to individuals' "rights and freedoms" must be reported to the regulator, a concept largely absent from US data-breach laws.
The GDPR's safe harbor for strong security measures is broader than its US equivalent, but narrower in effect than is often assumed. The GDPR provides that if "appropriate technical and organisational protection measures" were in place and applied to the affected data, specifically calling out encryption that renders the data unintelligible to unauthorized persons, the company does not need to notify the affected individuals. Note that this exemption covers only the notice to individuals; whether the breach must still be reported to the data-protection authority is decided by the risk test above. In the US model, the safe harbor for non-reporting is generally limited to data that is encrypted in storage and transit, and most state laws withdraw it if the encryption key was also compromised.
In the United States, companies experiencing a notifiable data breach must generally notify affected individuals in an expedient manner, with a small handful of jurisdictions requiring definite timetables ranging from five to 30 days. Companies experiencing a notifiable breach of EU personal data after May 25, 2018, however, must notify the data-protection authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it," and affected individuals without undue delay. Recognizing that companies may not know many definitive facts within 72 hours of detecting an incident, the GDPR authors allow that the information "may be provided in phases."
The US model centers on the notification of affected individuals, with many state attorneys general and federal agencies also requiring that they themselves be notified. The GDPR establishes a simpler, two-track model. If a breach of EU personal data poses a risk to the rights and freedoms of individuals, the company must notify its lead data-protection authority (DPA). If the breach poses a high risk to individuals, the company must also notify them.
Several US states and some federal agencies specify what companies should and shouldn't include in data-breach notification letters. The GDPR establishes a common minimum that doesn't exist in the United States. The notification to the DPA must describe the nature of the breach, including where possible the categories and approximate number of data subjects and records affected, the name and contact details of the company's data protection officer (DPO) or another contact point, the likely consequences for the data subjects, and the measures taken or proposed to address the breach and reduce the risk to individuals. The notice to affected individuals must describe the nature of the breach and carry at least the DPO contact details, the likely consequences, and the measures taken.
While US laws, with few exceptions, don't require companies to offer remedies such as credit monitoring to individuals affected by a data breach, most companies do so anyway in order to meet a public relations expectation. For its part, the GDPR does not require companies to provide any such remedy to data subjects. The credit-monitoring market itself is smaller in Europe because data-protection laws restrict the sharing of personal data, making it less likely that this remedy will emerge soon even as a public relations expectation.
Several US state attorneys general and the US Department of Health and Human Services maintain a public-facing website listing the data breaches reported to them. These websites can magnify the brand impact of a data breach over an extended period of time. The GDPR doesn't require that any EU stakeholder maintain a similar website. It does, however, require EU data-protection authorities to publish lists of the kinds of processing operations that require a data-protection impact assessment, setting an important precedent for public disclosure.
In the US model, the burden of holding third parties accountable for providing timely notification of breaches to their clients falls largely on the clients' contracting and vendor-management processes. The GDPR places a direct statutory obligation on third-party data processors themselves, requiring them to report to clients any data breach involving their clients' data "without undue delay after becoming aware" of it.
US privacy incident-response playbooks often include a post-mortem process for continuous improvement as a matter of best practice. Few, if any, US laws require this step, however. The GDPR breaks new ground by requiring companies that have experienced a data breach to document the facts relating to the breach, its effects, and the remedial action taken to prevent a recurrence, so that the DPA can verify compliance.
As noted above, the GDPR represents a very different model from US privacy laws. The US multinationals that best succeed at staying off the radar of EU privacy regulators will be those that equip, train, and test an EU first-response team on an EU privacy incident-response playbook well ahead of the May 2018 deadline.