Determining whether a data breach has occurred is a complicated process, and if one has occurred it can implicate notification requirements and lead to adverse consequences. Paul Hastings attorneys provide a framework and key principles to shed light on a company’s potential disclosure obligations.
Technology companies have been making headlines recently over major fines and settlements for failure to notify consumers of a data breach.
While fines and lawsuits are a serious threat, there are also risks to erring too far on the side of compliance. Unnecessarily disclosing a breach can create customer confusion, damage a brand, and compromise customer loyalty.
As a result, in the wake of a security incident, a company should be prepared to answer two fundamental questions. Was that a breach? And if so, does it need to be reported?
While breach notification laws are highly variable and complex, applying the proper framework and a few guiding principles should shed light on a company’s potential disclosure obligations and next steps.
What Laws Apply to Your Data?
The first step, ideally before an incident takes place, is to determine which laws apply.
Health-care companies, financial institutions, telecommunications companies, securities exchanges, and investment advisers are all subject to federal reporting and notification requirements in addition to any applicable state and international laws. Those federal laws will likely drive the disclosure analysis for any company operating in those areas, and a legal expert should be consulted to determine if a company is covered.
Any company that conducts business in a state, or collects, stores, or processes data pertaining to a state’s residents will also be subject to that state’s breach notification laws.
Companies with European customers must comply with the General Data Protection Regulation (GDPR), and companies with international customers in other countries must comply with each of those country’s breach notification laws.
As a result, most companies will be subject to multiple breach notification laws. Once it is clear which laws apply, a company can assess whether the security incident in question rises to the level of a breach under each regime.
Was That a Breach?
Not every intrusion is malicious. Companies often have internal methods for testing security, and industry and privacy experts encourage the use of white hat hackers to test for and report vulnerabilities from the outside.
Breach notification laws would overwhelm companies if every security failure identified through a remediable program qualified as a breach, so not every intrusion counts. Rather, every jurisdiction establishes threshold criteria to determine what constitutes a breach.
1. Personal Data Must Be Involved
One universal requirement is that there be an impact on personal data. The definition of “personal data” varies from law to law and is often broad, but it can mean anything that identifies an individual, such as a name and phone number.
Article 4 of the GDPR, for example, defines “personal data” as “any information relating to an identified or identifiable natural person.” That definition covers the obvious examples, such as a person’s name combined with his or her bank account or social security number, but may also include less obvious data, such as a name and email or IP address. The GDPR’s broad definition of personal data is flexible because various pieces of information that are useless in isolation may identify someone once combined.
Some jurisdictions list the categories of personal information that must be affected for an incident to qualify as a breach, which is why it is important to know which laws apply. Simply put, if there is no personal data involved, there is no breach, at least for purposes of the breach notification laws.
2. Nearly All Breach Notification Laws Have a Safe Harbor for Encrypted Personal Data
All U.S. states and the GDPR offer a safe harbor for encrypted personal data. Under those laws, a breach has not occurred where only encrypted personal data is affected. Encryption is therefore the best method to avoid issuing breach notifications.
3. Access Alone Will Qualify as a Breach in a Few Jurisdictions
If unencrypted personal data is involved, there is some variation as to the level of intrusion required to qualify as a breach. A few states and the GDPR define a breach to include any unauthorized “access” to personal data. In other words, the data need not be taken, only accessed.
Unauthorized access could include the unauthorized use of a person’s credentials to enter a system, for example, through the use of a stolen username and password.
But most jurisdictions require more than just access—the data must be acquired in some way.
When it is not clear whether any data has been taken, you should hire a computer forensic expert to investigate so it is clear whether an “acquisition” breach notification law may apply. In almost every jurisdiction, if unencrypted personal data has been taken, a breach has occurred.
Do You Have to Notify Anyone?
Just because a breach has occurred does not necessarily mean that anyone needs to be notified.
Under Article 33 of the GDPR, for instance, notification is necessary only if the breach is likely to “result in a risk to the rights and freedoms of natural persons.”
Likewise, the state laws that define a breach to include mere access to unencrypted personal data also impose a risk-of-harm analysis before any notification is necessary. And, approximately 40 other states also require a risk-of-harm analysis before consumers must be notified of a breach, even if personal data is taken. The remaining states, including California, do not have that test, so a company must issue breach notifications regardless of the likelihood of harm to the consumer whenever unencrypted personal data is lost.
Given these variations in the law, in many jurisdictions there will be times when no notice is required after a breach, whereas others will compel notice every time, regardless of the circumstances.
With time, we anticipate that industry norms will develop to help companies more quickly determine whether a breach has occurred, and whether it justifies notification under any jurisdiction’s laws. Until then, a company should strive to limit itself to necessary notifications, and gain a better understanding of what security programs are likely to trigger notice obligations by applying the principles and framework above.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Author Information
Thomas Brown is a partner at Paul Hastings LLP, and is based in the firm’s San Francisco office. His practice is concentrated on privacy and cybersecurity, antitrust, and global banking and payment systems.
Danielle Decker is a senior associate at Paul Hastings LLP and is based in the firm’s San Francisco office. Her practice focuses on broad-based complex commercial civil litigation with an emphasis on intellectual property, business torts, and privacy and cybersecurity.