Understanding Data Breaches, notification laws and related penalties

In this article we will try to understand what constitutes a data breach, what the laws in various countries say about data breach disclosure, what penalties those laws attach to breaches, and how penalties are actually applied in practice.

 
Data Breach
Wikipedia definition: “A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” Data breaches may involve financial information such as credit card or bank details, protected health information (PHI), personally identifiable information (PII), corporate trade secrets or intellectual property. In the US, the HIPAA Privacy Rule requires that PHI be stored securely and not disclosed to anyone who is not authorised to receive it; a breach of PHI is therefore a regulatory matter in its own right, separate from the state breach laws discussed below.
 
Notification Laws
In the US, there is no single federal breach notification statute; each state has its own law governing how and when data breaches must be notified. The usual standard for notifying affected consumers is “in the most expedient time possible and without unreasonable delay”. A few states, including Arkansas, Colorado and Connecticut, exempt breaches that are unlikely to cause harm (a risk-of-harm threshold). Most states exempt breaches of encrypted personal information, but this exemption commonly does not apply if the encryption key was also compromised, so the strength of the encryption and the handling of the keys matter, not just the fact that the data was encrypted. In most states, civil or criminal penalties can be brought for failure to notify customers of a breach promptly.
 
In the EU, the framework at the time of writing is the Data Protection Directive (95/46/EC), supplemented by the e-Privacy Directive (2002/58/EC), which covers the electronic communications sector and, since its 2009 amendment, requires providers of public electronic communications services to notify personal data breaches. In the UK, the Information Commissioner’s Office (ICO) enforces these rules. The Data Protection Act 1998 (DPA) was enacted by the UK parliament to implement the Data Protection Directive. According to the ICO’s website:
“Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA. ‘Serious breaches’ are not defined.”
 
Data Breach Penalties
The UK government has paid around £2 million in data breach penalties in the last year. According to this article, “monetary penalties have been enforced in less than one per cent of the data losses [the ICO] has dealt with.” It also noted that “This combined with the modesty of some of the fines that were imposed, might lead to companies simply risking the fines as an alternative to doing the right thing.”
 
The US is said to be working towards standardised penalties for data breaches. Among the largest penalties imposed in the US is the $22.5 million Google paid to the US Federal Trade Commission (FTC) to settle charges that it “misrepresented privacy assurances to users of Apple’s Safari browser”.
 
In the US, civil penalties under HIPAA for violations involving individually identifiable health information range from $100 to $50,000 or more per violation, with a cap of $1,500,000 per calendar year for violations of the same provision. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment; the criminal penalties rise to up to $100,000 and five years where the offence is committed under false pretences, and to up to $250,000 and ten years where the intent is to sell the information or use it for commercial advantage, personal gain or malicious harm.