With the advent (and multiplication!) of privacy regulations around the world at both national and sub-national levels, it can be hard to know what your obligations and responsibilities are under these laws. These various frameworks are driven by governments, regulators, and other professional bodies and as a result there is little uniformity between the demands of the different schemes. Particularly when you consider the specific cybersecurity requirements that each regulation has in the event of a data breach, it can be hard to know how to be fully compliant.
In this article, we want to eliminate some of this confusion by summarizing the most relevant regulations in the EU, Canada, and the USA, clear up some common myths and misconceptions about breach notifications, and give IT managers an overview of how and when to properly disclose breaches. We also provide a free Data Breach Notification Kit to help you prepare for this possibility, and execute when you need to.
How We Got to Where We Are Today
Privacy fines and concerns about breach notification in the US trace back to HIPAA (Health Insurance Portability and Accountability Act), enacted in 1996 when healthcare institutions wanted the ability to transfer health data between providers and insurers. Through its later Privacy and Security Rules, HIPAA established how patient information must be protected as it moves between systems, and set fines for failing to protect it sufficiently; an explicit breach notification requirement was added in 2009 by the HITECH Act.
As time went on, similar regulatory regimes were set up for other data types (addresses, phone numbers, license plate numbers, and payment card data, to name just a few; the last is governed by the PCI DSS industry standard rather than a statute), and these compliance regimes now extend from the national level down to individual provinces and states.
For the purposes of our discussion, we'll be talking about the privacy regulations most relevant to businesses based in North America: CCPA, PIPEDA, and GDPR.
PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law. It governs how organizations collect, use, and disclose personal information in the course of commercial activity, requires meaningful consent for the collection and use of that information, and limits its use to the purposes for which it was collected. Since November 1, 2018, PIPEDA has also required organizations to report to the Privacy Commissioner of Canada, and to notify affected individuals, as soon as feasible after any breach of security safeguards that creates a real risk of significant harm, and to keep a record of every breach for 24 months.
Several Canadian provinces (British Columbia, Alberta, and Quebec) have private-sector privacy legislation deemed substantially similar to PIPEDA, and the federal government works with the provinces on harmonization and interoperability. Even so, PIPEDA applies to federally regulated organizations (banks, telecoms, airlines) and to any business whose handling of personal information crosses provincial or national borders, regardless of where in Canada it is based.
Probably the best known and most far-reaching privacy regulation today is the General Data Protection Regulation (GDPR), the EU's data protection and privacy law, in force across the European Union and the European Economic Area. GDPR reaches well beyond the EU's borders: under Article 3 it applies not only to organizations established in the EU but to any organization, wherever it is based, that offers goods or services to people in the EU or EEA or monitors their behaviour, and it restricts transfers of personal data out of the region. Its breach rules are among the strictest anywhere: Article 33 requires a controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to pose a risk to individuals), and Article 34 requires notifying the affected individuals without undue delay when the breach is likely to result in a high risk to them.
GDPR has already had far-reaching consequences not just for companies doing business in the EU, but for the drafting of privacy laws around the world, many of which have adopted similar (but not identical) safeguards.
The new kid on the block, the California Consumer Privacy Act (CCPA), came into effect on January 1, 2020, with enforcement by the California Attorney General beginning July 1, 2020. Like PIPEDA and GDPR, the CCPA aims to enhance privacy rights and consumer protection, in this case for residents of California. See our previous posts on the security implications of CCPA here.
In some respects the CCPA goes further than either of those laws: any California consumer can ask to see the categories and specific pieces of personal information a business has collected about them, and the categories of third parties that information has been sold to or shared with. The CCPA also gives consumers a private right of action, but a narrow one: they can sue (for statutory damages of $100 to $750 per consumer per incident) when their non-encrypted, non-redacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security. Other violations are enforced by the Attorney General, with civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.
Companies are subject to CCPA if they are for-profit businesses that do business in California, collect personal information on California residents, and meet any one of these thresholds:
- Has annual gross revenues in excess of twenty-five million dollars
- Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Myths and Facts About Breach Notification
There are any number of myths swirling around about breach notification and liability under these privacy schemes. Here are the three most common we come across, and our explanation of whether each is a myth or actually a fact.
Myth #1: Privacy laws aren’t enforced, and fines aren’t happening.
Definitely a myth. Privacy laws are being enforced and there have already been some massive fines assessed.
Fines under all the major regulations we've talked about have been levied since shortly after the regulations went into effect. Governments and regulators have been fairly good about giving citizens and private companies time to get ready, and have published drop-dead dates for when enforcement begins.
In the case of GDPR, that date was May 25, 2018. Enforcement trackers show a spike in fines beginning in January of the following year, then enforcement climbing sharply in the summer of 2019 and continuing to rise as regulators issue penalties more frequently.
Individual GDPR fines have ranged from a few hundred euros to tens of millions; the regulation allows fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. To date, cumulative GDPR fines are approaching €500 million. If you look at the reasons given, insufficient technical and organizational measures to ensure security (the Article 32 obligation) play a big part in why fines are levied against particular businesses.
In the United States the totals are much higher, closer to $6 billion (yes, with a "b"). The Federal Trade Commission has hit big firms with steep penalties: Facebook ($5 billion in 2019 for violating its earlier privacy consent order), Equifax (a settlement of at least $575 million over its 2017 breach, jointly with the CFPB and state attorneys general), and YouTube ($170 million under COPPA for collecting children's data without parental consent). Those few settlements explain the much higher total than in the EU. Facebook and Google in particular account for the lion's share of these penalties, most of them for deceptive practices around choice and consent over personally identifiable information (PII).
Myth #2: I can change my data residency (i.e., host my data elsewhere) so privacy laws don’t apply to me.
I wouldn’t count on this to save you, if I were you.
While data residency might be (or might have been) to your advantage in certain circumstances, the renegotiation of NAFTA has blurred these rules. Under the NAFTA-era regime, regulators could require certain types of data, including financial and tax records, to be kept in-country.
The newly negotiated USMCA (United States-Mexico-Canada Agreement) changes that: its financial services and digital trade chapters bar the three governments from requiring a company to use local computing facilities, or to host data in a particular country, as a condition of doing business, provided regulators retain access to the data they need. USMCA therefore allows more freedom to buy hosting and other technology services across the USA, Canada, and Mexico.
There are some exceptions and some grey areas, with protections still in place for things like healthcare information, privileged material such as attorney-client communications, and certain kinds of classified government information.
But you should be asking yourself whether you can still rely on data residency as a safeguard. More fundamentally, none of the regimes above turns on where your servers sit: GDPR applies based on whose data you process and where you are established, PIPEDA on whether personal information crosses borders in the course of commercial activity, and CCPA on whose data you collect. Moving the hosting does not move the obligation.
Myth #3: I can’t be fined extraterritorially.
That’s sort of true, for now.
To date, there are examples of attempts to impose extraterritorial penalties that have stalled. One high-profile case was AggregateIQ, a British Columbia-based company that was collecting and processing PII about individuals in the UK and EU. I covered this in the context of GDPR fines for SMBs back in 2019.
Once GDPR came into effect, the UK's Information Commissioner's Office (ICO) served AggregateIQ with the first enforcement notice issued under GDPR, ordering it to stop processing that PII and warning that non-compliance could draw a fine of up to €20 million. At the same time, the BC and federal privacy commissioners launched a joint investigation, which concluded that AggregateIQ had contravened Canadian privacy law (BC's PIPA and PIPEDA) but could only issue recommendations: neither Canadian commissioner has the authority to levy financial penalties, let alone to collect them on behalf of a European regulator. And the ICO had no practical means of collecting a fine from a company with no establishment in the UK or EU.
It's our belief, however, that extraterritoriality as a protection is a temporary condition. With so many privacy regimes coming into effect, it's probably only a matter of time until extraterritorial fines become a reality, so it's not a strategy with staying power. GDPR already requires non-EU organizations in its scope to appoint an EU-based representative (Article 27), which gives regulators a local point of contact, and cooperation between regulators could result in fines from within your own territory for related compliance issues.
What We Recommend
So, given these realities, what do we suggest as your best strategy for breach notification planning?
- Go through a breach notification response test
Make sure you have practised breach notification and can execute it under pressure. Why? Mishandling a real breach is a major red flag for regulators and can be the reason you are found culpable for not following the regulation, which can mean increased fines.
What should you do if you lose a USB key? What happens if you get hacked? Walk through these scenarios, and time them against the clocks that apply to you (72 hours under GDPR, "as soon as feasible" under PIPEDA). Look at services like managed detection and response (MDR). Look at vCISO services and see whether they can help your organization.
MDR can help you establish what actually happened and what was accessed in a particular breach, so you don't have to assume the worst and disclose more than necessary; because the GDPR clock starts when you become aware of the breach, a scoped, evidenced answer is what the regulator expects within that window. vCISOs can help you determine whom to notify, how, and when, if the time comes.
- Prepare PII Safeguards as they appear in worst-case regulation—in this case, the GDPR.
Why plan with the GDPR in mind? The GDPR's rules are relatively similar to the regulation being produced for various states and provinces (e.g., CCPA, the Bill S-4 breach-reporting amendments to PIPEDA, and the NYDFS cybersecurity regulation, 23 NYCRR 500). Preparing for GDPR makes you ready for the others.
It is easier to build your program against GDPR and map the other regimes onto it as subsets than to try to satisfy each regulation independently. It's easier to say, "Look, we did GDPR, and we map it to the rest," than to do them all at the same time.
And remember: while there is some jurisdictional protection right now, it's unlikely to last forever. Where you have offices and personnel (and not where you're hosted) exposes you to penalty directly. If you're compliant with the worst-case regulation, GDPR, it helps future-proof your organization should you expand into different territories.
- Talk to a CISO when communicating with customers/auditors
Recognize the grey areas in breach notification.
Making the right (or wrong!) call depends on interpretation by legal professionals and information security officers, and there's a lot of FUD (fear, uncertainty, and doubt) out there.
Auditors may also frame questions in a way that doesn't match the regulation they are auditing against, asking "Where are your people or facilities located?" when the relevant question is "Where is your data located?", or the reverse; different regimes hinge on different things.
When employees are asked or pressured by a customer or auditor, they can sometimes misrepresent their own security posture or their own adherence to the rules. Working with a CISO or vCISO helps ensure that what's said is correct and accurate, and that problems like lost contracts don't occur because of incorrect information.
Regulations are changing and expanding constantly, with privacy as the overall focus. You may need to comply with these privacy regimes depending on what data you’re collecting, and as a result you need to be prepared for how to notify regulators about a breach should you suffer one.
Remember: fines are enforced for breaches in your jurisdiction, extraterritorial penalties can happen (one way or another), and adjusting your data residency won't save you in the long run.
So prepare yourself and your organization for what to do if the worst happens and you suffer a breach. Plan against the strictest requirements, the GDPR's, to help mitigate your risk. And reach out for help from MDR and a vCISO to detect and respond to cybersecurity threats and to determine whether and whom to notify in the event of a breach.
For resources that will help you prepare for and notify of a breach, check out our Data Breach Notification Kit. It includes our Breach Notification Rolodex, with specific forms and information for each region in the USA, Canada, and the EU; our Elite SMB Incident Response Guide, to help you plan, test, and respond to a cybersecurity incident; and our Breach Notification Letter Template, to ensure you convey the right information when you disclose.