September 6, 2016
Aug. 30 — A tight 72-hour window to report data breaches in the European Union is of concern to companies due to uncertainties over how the short new time frame will work in practice, privacy professionals told Bloomberg BNA.
The EU General Data Protection Regulation's 72-hour data breach notification requirement is set to take effect in May 2018. But the extent of the burden it imposes will largely be determined by how the GDPR will be interpreted and enforced, they said.
Also of importance will be what specific information various privacy regulators in the EU bloc will require companies to report, they said.
The three-day window “will be extremely difficult to meet,” Wim Nauwelaerts, data protection partner at Hunton & Williams LLP in Brussels, told Bloomberg BNA. “It is important to first find out exactly what happened, and this fact-finding often takes more than 72 hours.”
Michael Bruemmer, vice president of Experian PLC, told Bloomberg BNA that 72 hours may be reasonable, because some U.S. states have similar requirements now. But it is reasonable only so long as EU regulators don't expect a full accounting of the parameters of the breach within that window, he said.
Cédric Burton, privacy and data protection of counsel at Wilson Sonsini Goodrich & Rosati in Brussels, told Bloomberg BNA that if privacy regulators expect breach notice within 72 hours in most situations, it will force companies to prioritize giving notice “while they could better allocate resources, for example, to address the breach and mitigate the risk for individuals.”
The failure to comply with the notice requirement could result in a fine of 10 million euros ($11.29 million) or 2 percent of a company's worldwide revenue, whichever is higher.
EU negotiators Dec. 15, 2015 concluded nearly four years of talks on final text of the GDPR (14 PVLR 2289, 12/21/15). The GDPR replaces the EU's now over 20-year-old EU Data Protection Directive (95/46/EC).
Although U.S. jurisdictions have had data breach notification laws for years—California passed the first in 2003—European companies have never been subject to a mandatory breach notification law that applied to all companies before the GDPR, although the EU has had sector specific breach notice laws. Telecommunications companies are subject to breach notice requirements under 2009 amendments to the EU e-Privacy Directive. The GDPR would be the first EU breach notice law applicable to companies in all sectors.
“The precursor to GDPR is really the U.S. with the advent of the California law and other state laws, and then the federal laws with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act,” Bruemmer said.
Compliance with the GDPR notice requirement could be even more difficult for companies that have to comply with a similar rule in the e-Privacy Directive, mainly for telecommunications and internet service providers. These companies “will need to deal with multiple reporting requirements in a very tight time frame,” Nauwelaerts said.
Article 33 of the GDPR will require data controllers to report personal data breaches to the appropriate privacy regulator “without undue delay and, where feasible, not later than 72 hours after having become aware” of the breach, unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons.”
When a data processor discovers a breach, it must notify the data controller “without undue delay.”
Multiple privacy attorneys told Bloomberg BNA that notifying privacy regulators within 72 hours could be problematic for companies.
“It will be problematic even if there is a bit of flexibility built into the GDPR,” Burton said.
The law's qualifications for notifying privacy regulators “without undue delay,” and within 72 hours “where feasible,” provide some flexibility, but the extent of the flexibility will depend on how data protection authorities (DPAs) decide to interpret the law.
“It remains to be seen what exactly regulators expect to be disclosed within the period,” Bruemmer said. Data controllers may not have much of a problem with 72-hour notification if they only need to alert DPAs about an incident and let them know that an investigation is underway, rather than provide a full accounting of the breach, he said.
Article 33 requires that the breach notification include:
Determining the nature and likely consequences of the breach could be a very straightforward exercise, if it's a lost spreadsheet or laptop.
“On the other hand, if an incident is the result of hacking, which is increasingly becoming the source of company data breaches, then the information outlined above can be very difficult to obtain early in the investigation,” Bruemmer said.
Lokke Moerel, senior of counsel in the Privacy and Data Security practice of Morrison & Foerster LLP in Berlin, said that determining mitigation measures and identifying what type of follow-up action to take is a time-consuming project. “The reporting needs to be done in a short time which means all those actions need to be decided in this period, and a lot of companies right now are not equipped,” she said.
Burton said EU officials would have been wiser to require notification “once the breach is addressed and the risks mitigated.”
For a preview of the GDPR's breach notice requirement, look to the Dutch experience.
A new breach notification law in the Netherlands took effect Jan. 1. The law requires that data controllers notify the Dutch privacy office of a personal data breach when there is a considerable likelihood of serious adverse effects on data subjects, a higher threshold than the GDPR's requirement.
According to the Dutch DPA, it received more than 1,000 breach notifications in the first 100 days of the law taking effect.
The low breach notice threshold in the GDPR will trigger a large number of notices that will overwhelm “even the most prepared” privacy regulators, Burton said.
Moerel said that the Dutch privacy office didn't hire extra personnel to handle the new notification requirement, and relied on a software tool to determine whether a follow-up action was required. According to the office's own report, follow-up questions were asked in only about 5 percent of the cases, and “we haven't seen a real finding or enforcement based on the notifications yet.” The privacy office wasn't able to review all of the notifications and risked turning the law into nothing but a “paper tiger” administrative requirement, she said.
Many EU countries have never been legally required to notify authorities of a data breach, so there will be an especially steep learning curve for inexperienced privacy regulators.
Privacy offices in countries with limited experience in breach notification “may find it challenging to adequately manage the potential high volume of data and to support potential victims,” Adam Palmer, director of international government affairs for Milpitas, Calif.-headquartered data security company FireEye Inc., said.
The number of notifications to privacy regulators will also vary country to country. Regulators in countries that serve as the headquarters for multiple large companies will definitely need to be prepared to receive the most breach notices, Moerel said.
Nauwelaerts said the volume of notifications will largely depend on how liberally regulators interpret the reporting exemptions tied to breaches unlikely to risk the rights and freedoms of natural persons.
One of the unintended consequences of the short notification period is that data controllers will be reporting breaches that, after further forensic analysis, turn out not to be a breach, Bruemmer said.
“The threshold should be higher,” Burton said.
The Article 29 Working Party of EU privacy officials from the 28 EU countries should issue guidance to ensure that the breach notice mandate doesn't overwhelm privacy offices. Moerel said that although the Dutch privacy office issued guidance before its national law went into effect, companies felt that it was insufficient.
EU-wide rather than country-by-country guidance would be helpful because so many data breaches involve issues across borders, Moerel said.
Nauwelaerts said that the European Data Protection Board, which will replace the Article 29 Working Party, is also expected to issue guidance to clarify the circumstances in which breach notification is required.
There are a number of steps companies can take to prepare for the GDPR to enter into force in May 2018.
The heavy fine of 2 percent of worldwide revenue that the GDPR prescribes for violations “not only gets the CEO's attention, but the board of directors' attention,” Bruemmer said.
Companies should begin planning as soon as possible, privacy professionals agreed.
They also emphasized that companies need to have data breach response plans in place, including breach notification procedures, in order to comply with the three-day window.
“When there is a breach, there is little place for improvisation,” Burton said. “You need to act quickly and take the right decisions on the spot.”
“It's really worthwhile to do a tabletop exercise in order to think through how to react in the event of a data breach,” Moerel said.
Bruemmer said that since passage of the GDPR, the level of activity among global companies “to get a pre-breach response plan in place, outside counsel, forensic firms, crisis public relations firms and data breach response vendors” has picked up significantly.
“The question is when a data breach will occur and not if a data breach will occur,” Burton said.
To contact the reporter on this story: George R. Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.