Thank You!

Join our community for free to access exclusive whitepapers, reports, and regulatory information.

By signing up you agree to OneTrust DataGuidance's Terms and Conditions and Privacy Policy.

Already have an account? Log in

OneTrust DataGuidance's Privacy 101 series delivers valuable, fundamental knowledge on some of the most notable themes, concepts, and terminology in privacy and data protection. The series offers definitions and explanations of core compliance areas such as Accountability, Data Protection Impact Assessments, and Data Transfers to help you build a global understanding of privacy in an easily digestible format.

This video gives a brief overview of data breach notification including what a data breach notification is, what should be included, and what laws are in place for data breach notification. But when looking into this topic it is a good idea to first understand what a data breach is. Simply put, a data breach commonly refers to an incident where personal data has been accessed by an unauthorized party and can vary in size and severity.

What is a Data Breach Notification?

When an information security incident occurs, businesses must determine whether the incident represents a data breach based on the severity of the incident, the number of data subjects involved, and the categories of data concerned. When it is determined that a data breach has occurred businesses may have a legal requirement to make a report, notify supervisory authorities, inform the involved data subjects, or post a breach notice in an easily accessible location. This legal requirement may have different thresholds depending on the jurisdiction that the business operates in or where the breach occurred.

Data Breach Notification Requirements

Different laws have different requirements. And this is no different when it comes to data breach notification requirements which can vary significantly in terms of when and who to notify. In many instances, there will be a specified time limit for when a notification should be sent. For example, the EU General Data Protection Regulation (GDPR) requires businesses to notify the relevant supervisory authority within 72 hours of becoming aware of the data breach.

There might also be obligatory information that businesses are required to include in the breach notification. The UK Information Commissioner’s Office (ICO) notes that a breach notification must contain information about the Data Protection Officer (DPO) including contact information, the likely consequences of the breach, and a description of the remediation action taken or that will be taken in due course. In some jurisdictions, such as Thailand, businesses are required to maintain this information in a record of breach notification activity to demonstrate accountability in the event of an audit.

When making a data breach notification, many supervisory authorities have created specific forms or online portals through which organizations can provide breach notifications. However, in some jurisdictions, the method for making a data breach notification to a regulator is not specified.

Data Breach Notification Laws

Data breach notification requirements are found under many comprehensive privacy and data protection laws across the world. Some examples include:

• China - The Data Security Law (DSL) and Personal Information Protection Law (PIPL) both contain breach notification requirements that include immediate notification of the DPO and the Cyberspace Administration of China (CAC)
• Japan – The Act on the Protection of Personal Information (APPI) outlines explicit thresholds for when the Personal Information Protection Commission (PPC) and the individuals affected should be notified of a data breach
• New Zealand – The Privacy Act 2020 introduced mandatory breach reporting requirements for organizations for breaches that are likely to cause serious harm or pose a risk of causing serious harm

However, while data privacy and data protection laws contain provisions for data breach notifications, there are specific data breach notification laws in place across the world. Most notably in the US, where all 50 states have some form of breach notification legislation in place. In California for example, organizations are required to notify the California Attorney General (AG) and affected individuals of any unauthorized acquisition of the unencrypted computerized personal information of California residents. Examples of personally identifiable information include:

• Social security number
• Driver's license number or California identification card number
• Account number or credit or debit card number, in combination with any required security code or password
• Unique biometric data

There are some exemptions to data breach requirements in California. Notably, a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with the security breach notification requirements outlined in the California Civil Code if it has complied completely with the breach notification requirements outlined by the Health Information Technology for Economic and Clinical Health (HITECH).

Watch the video above to learn more about data breach notification or take a closer look at related data breach Guidance Notes from a range of jurisdictions across the world.