Rehana C Harasgama, Jan Kleiner and Viviane Berger1
Bär & Karrer Ltd
With every passing year, the world is becoming more digitalised. The amount of data being processed is increasing exponentially and with it the risk of data (as a critical asset) being lost, unlawfully accessed or destroyed, thereby endangering the value of the affected company. In 2021, in the United States alone, data breaches had increased by about 17 per cent by the third quarter compared to the whole of 2020.2 Moreover, Cybersecurity Ventures predicts that worldwide annual costs of cybercrime will rise to US$10.5 trillion by 2025, compared to US$3 trillion in 2015, which may also lower the value of affected companies' data assets.3 Both LinkedIn and Facebook were subject to data breaches, affecting about 700 million and 553 million users, respectively.4 In the European Union, supervisory authorities issued fines ranging from a mere €285 to €475,000 in 2021, all essentially triggered by an 'insufficient fulfilment of data breach notification duties', increasing companies' costs in respect of their data.5
To prevent data breaches (and therefore protect data as a critical asset), a minimal standard of data security mechanisms must be implemented according to applicable data protection laws. If these measures fail or a breach occurs despite such measures, the affected organisation has to act in a quick and organised way to avert or at least reduce possible damage. This article provides guidance as to how organisations can react to data breaches, so as to meet applicable data protection law requirements and counteract any damage caused to their data by such breaches.6 Against this background, this article also compares several jurisdictions to get a sense of global developments with regard to data breaches.
To provide a broad overview and identify similarities regarding the concept of data breaches next to that stated in the General Data Protection Regulation (GDPR) in the European Union,7 the authors have chosen the (current or soon to be revised) data protection laws of Switzerland, the United Kingdom, Canada, Brazil, China, Australia, South Africa and Japan, as these countries either provide an adequate level of data protection according to the European Commission8 or have recently introduced a new data protection regime providing similar data breach notification duties as under the GDPR.
This article is divided into three main parts derived from our comparative analysis: first, we describe what constitutes a 'data breach', then we provide an overview of the potential risks a data breach can cause and finally we describe what an appropriate data breach response plan should look like.
What a data breach is
As a general rule, all analysed jurisdictions impose on persons processing or handling personal data a duty to protect that data appropriately from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, while taking into consideration the potential risks to the processed data.9 In other words, companies (or persons) processing personal data are required to ensure the integrity, confidentiality and availability of the data. Although this duty mainly stems from the protection of the individuals whose data is affected, implementing such measures is just as important for business continuity and for a company's reputation.
If the implemented data security measures fail or are breached, this can lead to what is known as a data breach. When comparing the data protection laws of the countries stated above, there appear to be key similarities regarding the definition of a data breach. In Article 4(12) of the UK GDPR, a (personal) data breach is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'.10 Almost identical in wording, this definition is also used under the term 'security incident' in Brazil's General Data Protection Law (LGPD).11 Similarly, the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada sets forth the concept of a breach of security safeguards, defined as the 'loss of, unauthorized access to or unauthorized disclosure of personal information' resulting from a breach of, or failure to establish, adequate security safeguards.12 Australia likewise links its definition in the Privacy Act 1988 to 'unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity'.13 In addition to unauthorised access, South Africa's data protection law (the Protection of Personal Information Act (POPIA)) also covers the acquisition of personal information.14 Slightly different but following the same idea, under China's Personal Information Protection Law (PIPL) a data breach is described as 'a personal information leak, distortion or loss' that might have occurred.15 Moreover, several countries have revised or amended their data protection laws and will formally introduce data breach reporting duties, for example as foreseen in the revised Federal Act on Data Protection (revFADP)16 of Switzerland, which defines a data breach almost identically to the definition under the GDPR and the UK GDPR, or the amendment to the Act on the Protection of Personal Information (APPI)17 in Japan.
1 Rehana C Harasgama is a senior associate, Jan Kleiner is a partner and Viviane Berger is a junior associate at Bär & Karrer Ltd.
2 Maria Henriquez, 'The top data breaches of 2021', at https://www.securitymagazine.com/articles/96667-the-top-data-breaches-of-2021 (last accessed Jan. 2022); ID Agent, '2021 Data Breaches Have Already Exceeded All of 2020', at https://www.idagent.com/blog/2021-data-breaches-have-already-exceeded-all-of-2020/ (last accessed Jan. 2022).
3 Steve Morgan, 2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics, at https://cybersecurityventures.com/cybersecurity-almanac-2022/ (last accessed Jan. 2022).
4 Maria Henriquez, op. cit. note 2, above.
5 GDPR Enforcement Tracker (tracked by CMS, law tax future), at https://www.enforcementtracker.com/ (last accessed Jan. 2022).
6 The proposals are based on data protection laws only. It must be noted that other, sector-specific legislation may provide for additional requirements (e.g., notification duties) in the event of security incidents.
7 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)), at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 (last accessed Jan. 2022). The GDPR is retained in UK domestic law as the UK GDPR. (Note the use of '(UK) GDPR' where reference in remaining footnotes is to both Regulations.)
8 An 'adequacy decision' means a decision of the European Commission pursuant to GDPR, Art. 45 on whether a country outside the European Union (EU) offers an adequate level of data protection. If this is the case, personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to these third countries without any further safeguards being necessary; so far the following jurisdictions reviewed have been recognised as adequate by the European Commission: Canada, United Kingdom, Japan and Switzerland. Not recognised but nevertheless examined in this article are Australia, Brazil, China and South Africa. European Commission, Adequacy decisions, at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (last accessed Jan. 2022).
9 See (UK) GDPR, art. 32(2); FADP, art. 7 and revFADP, art. 8, respectively; PIPL, art. 9; PIPEDA, clause 4.7 of schedule 1; LGPD, art. 46; Privacy Act 1988, clause 11.1 of pt. 4 of schedule 1; POPIA, sec. 19; and APPI, art. 20.
10 See United Kingdom General Data Protection Regulation, at https://www.legislation.gov.uk/eur/2016/679/contents (last accessed Jan. 2022).
11 Brazilian General Data Protection Law (LGPD) (as amended by Law No. 13,853/2019), art. 48 in conjunction with art. 6 VII, translated by the International Association of Privacy Professionals (IAPP), see https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/ (last accessed Jan. 2022).
12 Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, sec. 10.1(1), at https://laws-lois.justice.gc.ca/ENG/ACTS/P-8.6/index.html (last accessed Jan. 2022).
13 Privacy Act 1988 (Cth), pt. IIIC div. 26WA, at https://www.legislation.gov.au/Details/C2021C00452 (last accessed Jan. 2022).
14 Protection of Personal Information Act No. 4 of 2013 (POPIA), sec. 22, at https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf (last accessed Jan. 2022).
15 Personal Information Protection Law of the People's Republic of China (PIPL), art. 57, at https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/ (last accessed Jan. 2022).
16 Federal Act on Data Protection of 25 September 2020 (revFADP), art. 24, BBl 2020 7639, 7641, at https://www.fedlex.admin.ch/eli/fga/2020/1998/de (last accessed Jan. 2022).
17 Amended Act on the Protection of Personal Information (APPI), art. 22-2, at https://www.ppc.go.jp/files/pdf/APPI_english.pdf (last accessed Jan. 2022).
Originally Published by Law Business Research Ltd, April 2022