For U.S. companies subject to the GDPR, figuring out breach notification obligations is about to get even harder as the GDPR adds another layer of complexity to the existing patchwork of 50 different state breach notification laws and several federal ones.

The GDPR will come into force on May 25, 2018, and it will apply to thousands of U.S. companies that use or store the personal data of individuals living in the EU.  Not only does the GDPR create new obligations on how such data is handled, it also requires breach notification in circumstances that some U.S. laws would not, and with much shorter deadlines.

In the U.S., most companies are subject to state breach laws that generally provide for notification to affected individuals if their personal information has been compromised.  Depending on the state, personal information usually includes things like name, social security number, medical information, financial account numbers, etc.  The U.S. state laws usually cover only unauthorized access to the data, not loss of availability of data.  Primary notification is required to the affected individuals, and usually to the state government only if the compromise involves the personal information of hundreds or thousands of persons.  In most cases, the notification must be provided in time periods that are measured in weeks, not days.

The GDPR notification rules are, in some ways, much stricter.  The GDPR has a broader definition of personal data, which may include things like IP addresses and location data.  The definition of breach encompasses not only hacking, but accidental unauthorized access to personal data (including if one accidentally emails personal data to the wrong person, or leaves one’s personal information in a taxi) as well as availability breaches, where data was not accessed, but rather rendered unattainable (e.g., encrypted by ransomware).  In addition, the primary notification obligation is to the government, not individuals, and the government may decide that notification to individuals is necessary where it is not otherwise required under the GDPR.  Finally, there is a short 72-hour notification deadline to inform the competent authority after the data controller becomes aware of the breach.

In February, the Article 29 Working Party (WP29) adopted a revised version of the “Guidelines on Personal data breach notification under Regulation 2016/679” first published in October 2017 and clarified a few aspects of the GDPR breach notification obligations:

  • Controller’s obligation to become aware of a breach: The trigger for the 72-hour notice period to start is a reasonable “degree of certainty that a security incident has occurred that has led to personal data being compromised.”  The controller “may not be regarded as being aware” during the “short period of investigation” immediately after being informed by third parties of the potential existence of a breach.  The revised Guidelines close the potential loophole—justifying any delayed notifications by arguing that an investigation was still ongoing—by underscoring the obligation of controllers to “implement all appropriate technical protection and organizational measures to establish immediately whether a breach has taken place and to inform promptly the supervisory authority….”  This obligation is imputed into Article 32 GDPR, which requires implementation of appropriate technical and organizational security measures, and captured in Recital 87, which highlights the causal relationship between the implementation of such measures and the promptness with which a controller should provide notice.  Consequently, burying one’s head in the sand to avoid becoming aware and starting the 72-hour clock is not going to be a smart strategy and may even constitute a separate GDPR violation.
  • Seek and respect the guidance of Supervisory Authority and Law Enforcement: Under the GDPR, the competent supervisory authority plays a key role in dealing with data breaches in the EU.  The October Guidelines already pointed out that “controllers might […] wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals.”  The revised version further highlights the expected cooperation with supervisory authorities in mediating public and individual data subjects’ interests.  Recital 88 recalls the obligation to “take into account the legitimate interests of law-enforcement….”  This means that a law-enforcement interest could preempt a controller’s Article 34 GDPR obligation vis-à-vis individual data subjects in the event of a breach and justify delay in notification.
  • Processor’s notification obligation better defined: The October Guidelines already placed the bulk of the notification burden on controllers, who “retain overall responsibility for the protection of personal data.”  Processors simply have to notify the controller without undue delay once they become aware of the personal data breach.  The October Guidelines were unclear on the extent of such obligation and whether processors had to undertake investigations to ascertain the nature of the breach.  The revised Guidelines remedy this ambiguity: “[T]he processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach.”  Narrowing the processor’s obligation to just “establish[ing] whether a breach has occurred and then notify[ing] the controller,” may reduce situations where notification gets delayed due to duplicative investigative efforts, when resources could be better leveraged for remediation.  Relatedly, the revised Guidelines also encourage, in a more prominent fashion, that the controller and processor address their respective notification obligations by contract, to better align expectations from the outset, consistent with Articles 28(3)(f) and 33(2) GDPR.

The Davis Polk Cyber Breach Portal, available now by subscription, has many resources to help clients assess breach notification obligations and cybersecurity risks. The Portal covers industry-specific U.S. reporting obligations and international obligations, including the GDPR. The Portal is very frequently updated with any amendments and new features. If you have questions about the Portal, please contact cyberportal@davispolk.com.

Also, please join us for a Webcast discussing the GDPR and its impact on M&A transactions on May 24, 2018 at 12:00 pm ET.