Models of data breach notification laws

51.14 There are a number of proposed or established models for data breach notification laws. California was the first US state to require the reporting of data breaches involving personal information. The Californian law has been a model for legislation passed in over 30 US state legislatures and there are moves to implement a national notification standard concerning compromised data.[22] While many US states adopt very similar provisions to the Californian law, some set a different test of when notification will be required.

51.15 While organisations are subject to differing data breach notification requirements, depending on their state of operation, all financial institutions in the US are subject to the data breach notification requirements set out in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued by the US Department of Treasury and other agencies (US Interagency Guidance). The US Interagency Guidance interprets the requirements of the Gramm-Leach-Bliley Act of 1999 (US), which regulates all financial services institutions in the US, to develop and implement a response program ‘to address unauthorized access to, or use of customer information that could result in substantial harm or inconvenience to a customer’.[23] The US Interagency Guidance only applies to financial services institutions, and does not apply to other organisations or federal or state government agencies.

51.16 In Canada, only the province of Ontario requires notification after a security breach.[24] There also have been moves at the federal level in Canada to introduce a data breach notification law. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) issued, in January 2007, a White Paper, Approaches to Security Breach Notification, which puts forward a model law for Canada. In addition, the review of the Personal Information Protection and Electronic Documents Act 2000 (Canada) (PIPED Act), by the Canadian Government Standing Committee on Access to Information, Privacy and Ethics, considered the issue of breach notification. The Committee recommended that the PIPED Act be amended to include a breach notification provision requiring organisations to report certain defined breaches of personal information holdings to the Canadian Privacy Commissioner. The Canadian Privacy Commissioner would then determine whether affected individuals and others should be notified and, if so, in what manner.[25]

51.17 In 2007, Australian Democrats Senator Natasha Stott-Despoja put forward a Private Member’s Bill amending the Privacy Act to require agencies and organisations to report data breaches where there has been a confirmed or reasonably suspected breach of data security—defined to mean the unauthorised acquisition, transmission, disclosure or use of personal information involving an unauthorised party. Notification would be required as soon as possible after the breach,[26] and must include a description of the breach, the action taken by the agency or organisation to recover the information and the measures taken to prevent a recurrence of the breach. The Bill also required the agency or organisation to maintain a register of notifications made and the action taken to comply with the obligations under the Bill.[27]

51.18 In April 2008, the Office of the Privacy Commissioner (OPC) released a consultation paper seeking stakeholder views on a draft Voluntary Information Security Breach Notification Guide developed to assist agencies and organisations to ‘respond effectively to an information security breach’.[28] The OPC noted the ALRC’s proposal in the Discussion Paper, Review of Australian Privacy Law (DP 72), to amend the Privacy Act to include a data breach notification provision. It stated that the voluntary guidelines are not intended to be a substitute for further legislative action, but are aimed at encouraging voluntary action to address these issues while legislative change is under consideration. The draft Guide suggests that agencies should consider notification where the security breach creates a real risk of serious harm to the individual. A notice should include: a description of the incident; the response of the agency or organisation to the breach; what assistance will be offered by the agency or organisation to the individual; whether the OPC has been notified; and how a complaint can be lodged with the OPC.[29]

51.19 The OPC voluntary guidelines are based on similar guidelines issued in 2007 by the Privacy Commissioners of Canada and New Zealand.[30] The Privacy Commissioners of British Columbia and Ontario also have issued a ‘Breach Notification Assessment Tool’ to assist organisations in determining what steps should be taken in the event of a privacy breach. The New Zealand Privacy Commissioner has indicated that amendments to the Privacy Act 1993 (NZ) to introduce mandatory breach notification should be considered in the future.[31]

51.20 While the above laws share a similar purpose, they adopt a variety of approaches on key areas such as the triggering event, exceptions to the notification requirement and responsibility to notify. The following section focuses on the key approaches taken in the data breach notification laws of California and other US states, the US Interagency Guidance and the CIPPIC proposal in Canada.

Trigger for notification

51.21 In California, the event that triggers the obligation to provide notice is any ‘breach of the security of the system’, which is defined as the ‘unauthorised acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency’.[32] A good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency does not constitute a breach of the security of the system, ‘provided that the personal information is not used or subject to further unauthorised disclosure’.[33] This is said to provide an exception to the general obligation to notify for ‘harmless internal breaches’.[34]

51.22 The Californian triggering event of any ‘unauthorised acquisition’ of computerised data sets quite a low threshold for notification. It requires notification even if the organisation considers it very unlikely that the personal information acquired could give rise to a risk of harm or identity theft. While this triggering event has been followed in a number of other US states,[35] some have adopted a higher threshold for notification. For example, the Indiana Code requires notification where there has been unauthorised acquisition of personal information ‘if the database owner knows, should know, or should have known that the unauthorised acquisition constituting the breach has resulted in or could result in identity deception, identity theft or fraud affecting the Indiana resident’.[36] Other US states provide an exception to notification if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers.[37]

51.23 In its approach to defining the triggering event, the US Interagency Guidance gives the relevant organisation greater discretion to decide whether notification is necessary. The US Interagency Guidance provides that when an institution becomes aware of an incident of unauthorised access to sensitive customer information, the institution should conduct a reasonable investigation to determine promptly the likelihood that the information has been, or will be, misused. If the institution determines that misuse of the information has occurred or is reasonably possible, it should notify affected customers as soon as possible.[38]

51.24 In its proposed model for Canada, the CIPPIC picked up on the Californian triggering event of ‘acquisition or reasonable belief of acquisition by an unauthorised person’. The CIPPIC argued that this standard ‘is higher than mere “access by an unauthorised person”, but lower than standards that incorporate a “risk of identity fraud” element’.[39] The CIPPIC suggested that:

The test should be designed to avoid notification obligations where the breach does not expose individuals to a real risk of identity theft, but to apply in all situations where such a risk is created.[40]

Definition of ‘personal information’ in data breach notification laws

51.25 The data breach notification laws in each state define the type of personal information that, when leaked, may give rise to the obligation to notify. For the purpose of data breach notification, the definition of ‘personal information’ tends to focus more on the combination of certain pieces of personal information rather than providing a broad definition like that provided in the Privacy Act. References to ‘personal information’ in the context of data breach notification, therefore, are not meant to refer to personal information as defined in the Privacy Act.

51.26 The general approach adopted in a number of states, including California, is to define personal information as an individual’s first name (or initial) and last name, in combination with any of the following:

  • social security number;

  • driver’s licence number or state identification card number; or

  • account number, credit card number or debit card number in combination with any necessary security code, access code or password that would permit access to the account.[41]

51.27 Some US states include medical information in the definition of ‘personal information’. For example, the Delaware code defines ‘personal information’ as including ‘individually identifiable information, in electronic or physical form, regarding the Delaware resident’s medical history or medical treatment or diagnosis by a health care professional’.[42]

51.28 The CIPPIC’s proposed law for Canada defines ‘designated personal information’ in a similar manner to California, although it includes within the definition of ‘designated personal information’ the combination of an address by itself (that is, without a name as well) with other sensitive information. The CIPPIC justified this approach on the basis that ‘it is relatively easy to obtain a person’s name from an address, using phone books, online databases and search engines’.[43]

51.29 Under the Californian definition and that of a number of other US states, personal information does not include ‘publicly available information that is lawfully made available to the general public from federal, state, or local government records’.[44] The US Interagency Guidance, however, outlines that it would be inappropriate to exclude publicly available information from the definition of sensitive customer information, where the publicly available information is otherwise covered by the definition of customer information. For example, while a personal identifier, such as a name or address, may be publicly available, it is sensitive customer information when linked with particular non-public information such as a credit card account number.[45]

Exceptions

Encryption

51.30 Most states that have data breach notification laws, including California, do not require notification where the personal information that was the subject of the unauthorised acquisition was encrypted.[46] Some US states specify that the exception does not apply where the encryption key also was acquired.[47] The CIPPIC model also made an exception for encrypted data.[48]

51.31 In contrast, the US Interagency Guidance rejected a blanket exclusion for encrypted data because ‘there are many levels of encryption, some of which do not effectively protect customer information’.[49]

51.32 To address the differing standards of encryption and provide more guidance to organisations, some US states define encryption in the relevant statute. For example, the Indiana Code provides that data are encrypted for the purposes of the data breach notification law if data:

(1) have been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or

(2) are secured by another method that renders the data unreadable or unusable.[50]

51.33 Other US states give the organisation discretion to determine what constitutes valid encryption under the statute.[51] As the CIPPIC explains, this ‘provides latitude to organisations in selecting encryption applications that suit them’.[52]

Redaction

51.34 Some US states also provide an exception to notification for data that are redacted. Redaction can refer to a variety of practices. In Indiana, redaction is defined as data that are altered or truncated so that not more than the last four digits of a driver’s licence number, state identification number, or account number are accessible as part of personal information.[53] The CIPPIC proposal for a Canadian data breach notification law also proposes exceptions for ‘information that is redacted or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable by unauthorized persons’.[54]
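The three tests described in 51.26 (the name-plus-data-element definition of personal information), 51.30 (the encryption exception, and its loss where the key was also acquired) and 51.34 (Indiana-style truncation to the last four digits) can be combined into a single assessment routine. The following is an added illustration written for this page; it is not part of the ALRC report or of any statute. Field names such as `ssn`, `drivers_licence` and `security_code`, the `Exposure` record and the sample exposures are this example’s own constructed labels and data, and the encoding deliberately simplifies the statutory wording.

```python
"""Breach-assessment helpers: an added, illustrative encoding of the
notification tests described in 51.26, 51.30 and 51.34.
Not part of the ALRC report; field names and samples are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Name elements: first name (or initial) must be combined with a last name.
NAME_FIELDS = {"first_name", "first_initial"}
# Elements that, with a name, make a record "personal information" on their own.
STANDALONE_SENSITIVE = {"ssn", "drivers_licence", "state_id"}
# Account-type numbers count only together with a code/password giving account access.
ACCOUNT_FIELDS = {"account_number", "credit_card", "debit_card"}
ACCOUNT_SECRETS = {"security_code", "access_code", "password"}
# Identifiers whose truncation to the last four digits counts as redaction.
REDACTABLE = {"drivers_licence", "state_id", "account_number", "credit_card", "debit_card"}


def is_personal_information(fields: set[str]) -> bool:
    """Californian-style test: name plus at least one qualifying data element."""
    if "last_name" not in fields or not (fields & NAME_FIELDS):
        return False
    if fields & STANDALONE_SENSITIVE:
        return True
    return bool(fields & ACCOUNT_FIELDS) and bool(fields & ACCOUNT_SECRETS)


def redact_identifier(value: str, keep: int = 4) -> str:
    """Mask every digit except the last `keep`, preserving separators."""
    seen = 0
    out = []
    for ch in reversed(value):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def is_redacted(value: str, keep: int = 4) -> bool:
    """True when at most `keep` digits are readable and they all sit at the end."""
    return re.fullmatch(rf"[^0-9]*[0-9]{{0,{keep}}}", value) is not None


@dataclass
class Exposure:
    """Constructed description of what was acquired in an incident."""
    fields: dict[str, str]          # field name -> value as held in the compromised store
    encrypted: bool = False         # the data set was encrypted at rest
    key_compromised: bool = False   # the decryption key was acquired as well


def usable_elements(exposure: Exposure) -> set[str]:
    """Drop identifiers that were stored redacted; they are not usable data elements."""
    return {
        name for name, value in exposure.fields.items()
        if not (name in REDACTABLE and is_redacted(value))
    }


def notification_required(exposure: Exposure) -> bool:
    """Encryption excuses notice unless the key was also taken; otherwise apply the PI test."""
    if exposure.encrypted and not exposure.key_compromised:
        return False
    return is_personal_information(usable_elements(exposure))


if __name__ == "__main__":
    # Constructed samples, not real records.
    card = Exposure({"first_name": "Ann", "last_name": "Smith",
                     "credit_card": "4111 1111 1111 1111", "security_code": "123"})
    truncated = Exposure({"first_name": "Ann", "last_name": "Smith",
                          "drivers_licence": redact_identifier("DL 9876 5432 10")})
    for label, exp in (("card", card), ("truncated", truncated)):
        print(label, "notify" if notification_required(exp) else "no notice")
```

Running the block prints `card notify` and `truncated no notice`: the card number plus its security code meets the combination test, while a licence number that was stored with only its last four digits readable drops out of the data elements, leaving a name on its own.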

Responsibility to notify

51.35 In all US states and in the US Interagency Guidance, the responsibility for deciding whether notification is required following a breach in the security of the system rests with the organisation itself.[55] The CIPPIC adopted a similar approach in its proposed model for Canada, providing that organisations should have the responsibility for determining whether the standard for breach notification is met.[56] The CIPPIC acknowledged that generally the affected organisation is in the best position to calculate the associated risks of a breach of its information security and should be entrusted with this determination.[57]

51.36 In all the proposed models considered by the ALRC, notification of the security breach was required to any individual affected by the breach.[58] In addition to notifying individuals affected, some US states require that the organisation notify the relevant consumer protection agency.[59] The US Interagency Guidance provides that an institution should notify its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorised access to, or use of, ‘sensitive personal information’.[60] Similarly, the CIPPIC recommended in its proposed model for Canada, that

there should be a requirement that every breach involving defined personal information be reported to the Privacy Commissioner, with full information about the nature and extent, the anticipated risks, mitigation measures, steps taken to notify affected individuals or, where notification is not considered warranted, the justification for not taking this step.[61]

51.37 Under the CIPPIC model, notice should be made to the Privacy Commissioner regardless of whether the test of individual notification is met. This would ensure that a record is kept of all security breaches, which provides oversight of organisational practices and ‘offers the potential for organisations to obtain guidance from the Privacy Commissioner regarding notification obligations and methods’.[62] The CIPPIC also proposed that government agencies, credit bureaus and law enforcement authorities should be notified. The CIPPIC envisaged that the Privacy Commissioner would provide guidance to organisations as to which agencies should be notified in the context of a specific breach.[63]

Timing, method and content of notification

Timing of notification

51.38 In California, and most other US states with data breach notification laws, notification must occur in ‘the most expedient manner possible and without unreasonable delay’.[64] The US Interagency Guidance provides that an institution must notify an affected customer ‘as soon as possible’ after concluding that misuse of the customer’s information has occurred or is reasonably possible. Most US states, and the US Interagency Guidance, allow for delays in, or exceptions to, notification if notice will jeopardise a law enforcement investigation.

51.39 The CIPPIC proposal for Canada adopted a similar approach. It proposed that notification should be undertaken ‘as soon as possible and without unreasonable delay after the occurrence of the breach, except where a law enforcement agency has made a written request for a delay’.[65]

Method of notification

51.40 The general approach of US state data breach notification laws is to describe the method of notification. For example, the California Civil Code provides that notice may be provided by written notice and electronic notice.[66] Other US states also allow notice by telephone or facsimile.[67]

51.41 California also provides for substituted notice where: the organisation demonstrates that the cost of providing notice would exceed $250,000; the affected class of subject persons to be notified exceeds 500,000; or the agency does not have sufficient contact information. Substituted notice consists of: email notice, where the organisation has an email address for the subject persons; conspicuous posting of the notice on the organisation’s website page, if the organisation maintains a website; and notification to major statewide media.[68]

51.42 Most US states have developed similar substituted notice schemes to handle large security breaches.[69] While the threshold and methods for substituted notice vary among states, a number of US states have adopted the same requirements as California.[70] In contrast to these approaches, the US Interagency Guidance prescribes a more general requirement that notice should be delivered ‘in any manner that is designed to ensure that a customer can reasonably be expected to receive it’.[71]

51.43 In the CIPPIC’s proposed model, notification ‘should generally be by regular mail, but electronic and substitute notice should be permitted when certain conditions are met’.[72] In particular, email notice should be allowed only where the individual concerned has consented explicitly to receiving ‘important notices such as this by email’. Substituted notice should be permitted where ‘large numbers of individuals (eg, over 100,000) must be notified, where the total cost of individual notification is extraordinary (eg, over $150,000), or where the Privacy Commissioner has specifically approved the substitute notice’.[73] The CIPPIC proposed similar substituted mechanisms as provided in the Californian data breach notification law.

Form and content of notification

51.44 California does not specify the contents of the actual data breach notice. In contrast, other US states and the US Interagency Guidance provide detail on what should be covered in a notice. The general approach is to require the following information:

  • a general description of what occurred, including the time and date of the breach and when it was discovered;

  • the type of personal information that was the subject of the unauthorised access, use or disclosure;

  • contact information for affected individuals to obtain more information and assistance; and

  • a reminder of the need to remain vigilant and to report promptly incidents of suspected identity theft to the organisation.[74]

51.45 In its proposal for a Canadian data breach notification law, the CIPPIC proposed that breach notices include similar matters as set out above. It also suggested that the notice

should be separate from other communications and should include detailed information about the breach, including an assessment of the risk that the personal information of affected individuals will be used in an unauthorized manner.[75]

Penalties for failure to notify

51.46 Some US states provide penalties for failure to make a disclosure or notification in accordance with the applicable law. For example, the Indiana Code provides that any person that fails to comply with the data breach notification law ‘commits a deceptive act that is actionable only by the Attorney General’.[76] The Attorney General may bring an action to obtain an injunction or a civil penalty of not more than $150,000 per deceptive act.[77]

[22] M Coyle, ‘Industry, Government Fret Over Tactics for Fighting Data Theft’, National Law Journal (online), 10 August 2006, <www.law.com/jlp/nlj/index.jsp>.

[23] United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005). See Gramm-Leach-Bliley Act 1999 15 USC §§ 6801–6809 (US).

[24] See Personal Health Information Protection Act 2004 (Ontario) s 12.

[25] Canadian Government Standing Committee on Access to Information Privacy and Ethics, Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)—Fourth Report (2007), 45.

[26] Privacy (Data Security Breach Notification) Amendment Bill 2007 (Cth) sch 1, cls 1 and 2.

[27] Ibid sch 1, cl 2. As at 20 May 2008, the Bill had been read for a second time in the Senate.

[28] Australian Government Office of the Federal Privacy Commissioner Consultation Paper—Draft Voluntary Information Security Breach Notification Guide (2008), 4.

[29] Ibid, 27–29.

[30] See Office of Privacy Commissioner of Canada, Key Steps for Agencies in Responding to Privacy Breaches (2007) and New Zealand Privacy Commissioner Key Steps for Agencies in Responding to Privacy Breaches and Privacy Breach Checklist (2007).

[31] New Zealand Privacy Commissioner ‘Draft Privacy Guidelines Announced’, (Press Release, 27 August 2007). The New Zealand Law Commission also is currently undertaking a reference on privacy, including review and update of the Privacy Act 1993 (NZ): see Ch 1.

[32] California Civil Code § 1798.29(a).

[33] Ibid § 1798.29(d).

[34] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).

[35] See, eg, Delaware Code §§ 12B-101–12B-102; New York State Code § 899-aa(1).

[36] Indiana Code § 24-4.9-3-1(1)(a). A similar approach is taken in Ohio Revised Code § 1347.12(B)(1).

[37] See, eg, Arkansas Code § 4-110-105(d).

[38] United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[39] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 24.

[40] Ibid, 25.

[41] California Civil Code § 1798.29(e). A similar definition is adopted in United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[42] Delaware Code § 12B-101(2). See also Arkansas Code § 4-110-103.

[43] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 25.

[44] California Civil Code § 1798.29(f). See also New York State Code § 899-aa(1)(b); Delaware Code § 12B-101(2); Ohio Revised Code § 1347.12(A)(6).

[45] United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[46] California Civil Code § 1798.29(a).

[47] See, eg, New York State Code § 899-aa(1)(b); Indiana Code § 24-4.9-3-1(1)(a)(2).

[48] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 25.

[49] United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[50] Indiana Code § 24-4.9-2-5. See also Ohio Revised Code § 1347.12(A)(4).

[51] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 14. For example, California does not define encryption in the Civil Code. It has, however, issued guidelines recommending that data encryption should meet the National Institute of Standards and Technology’s Advanced Encryption Standard.

[52] Ibid, 14.

[53] Indiana Code § 24-4.9-2-11. See also Ohio Revised Code § 1347.12(A)(9).

[54] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 25.

[55] See, eg, California Civil Code § 1798.29(a); Ohio Revised Code § 1347.12(B)(1); Delaware Code § 12B-102(a); Indiana Code § 24-4.9-3-1; New York State Code § 899-aa(2); Arkansas Code § 4-110-105. See also United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[56] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 25.

[57] Ibid, 26.

[58] See, eg, California Civil Code § 1798.29(a); Ohio Revised Code § 1347.12(B)(1); Delaware Code § 12B-102(a); Indiana Code § 24-4.9-3-1; New York State Code § 899-aa(2); Arkansas Code § 4-110-105. See also United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[59] See, eg, Delaware Code § 12B-102(d).

[60] United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

[61] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 26.

[62] Ibid, 26.

[63] Ibid, 26–27.

[64] California Civil Code § 1798.29(a).

[65] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 28.

[66] California Civil Code § 1798.29(g).

[67] See, eg, New York State Code § 899-aa(5)(c); Indiana Code § 24-4.9-3-4(a).

[68] See, eg, California Civil Code § 1798.29(g)(3).

[69] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 17.

[70] See, eg, Arkansas Code § 4-110-105(2); Ohio Revised Code § 1347.12(E).

[71] United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005), 46.

[72] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 28.

[73] Ibid, 28.

[74] See, eg, New York State Code § 899-aa(5)(c). Similar matters are included in United States Department of the Treasury, Federal Reserve System and Federal Deposit Insurance Corporation, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005); Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).

[75] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 27.

[76] Indiana Code § 24-4.9-4-1.

[77] Ibid § 24-4.9-4-2. See also Arkansas Code § 4-110-108.