California has a way of inventing things that turn out to be popular around the world (hey, not just Google). California passed the first so-called security breach notification law, in 2002. To date, 39 U.S. states have enacted laws that require notice if some form of personal information is compromised in a data security breach.
Since then, the trend has gone global. In August, the Office of the Privacy Commissioner of Canada issued guidelines on how to handle a security breach, which are just that – guidelines – but provide sensible recommendations for the handling of security breaches, including the notification to affected individuals where a breach creates a risk of harm. The logic behind the Canadian approach is that prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. New Zealand has followed a similar line by issuing guidelines on how to handle privacy breaches, which also focus on the role of notification to avoid or mitigate harm to individuals.
This trend is about to come to Europe too. The European data protection directives contain no express provision requiring companies that have suffered a security breach to notify the individuals affected. The traditional thinking is that Europe does not need such a measure because there is already a well-known obligation to adopt appropriate technical and organisational measures to protect personal data against security breaches.
However, a European Commission consultation document of 2006 hinted at the prospect of security breaches notification obligations for providers of electronic communications networks and services, on the basis that network operators and ISPs, as the gatekeepers for users’ access to the online world, carry a special responsibility in this regard. This was followed by recommendations made by the Article 29 Working Party to extend those obligations to "data brokers," banks and other online service providers. The Working Party went on to say that for important breaches, all customers of the communications provider – not just those directly affected – should be informed.
The European Commission is now expected to include a formal proposal on mandatory security breach notifications, in one form or another, in its review of the EU’s e-communications regulatory framework. Bearing in mind the experiences in other parts of the world and the latest thinking in jurisdictions like Canada and New Zealand, the risk of harm to the individual should be a determining factor in triggering notification obligations. Otherwise, the real risk is that notification obligations become trivialised to the point of being meaningless and ineffective in terms of data protection. In fact, the potential damage to consumers from a blanket notification obligation could be twofold: on the one hand, it can create unjustified anxiety, and on the other hand, it may result in a lack of proper attention to more serious incidents.
While there are 39 states that have some law, nearly all the states are tinkering with security breach legislation every year. Like so much that goes through the state houses, this is constantly a moving target.
Peter, many EU states have either codified criminal code or common law to deal with such infractions. As you'll possibly be aware (or not), criminal law is not governed in the main by the central EU institutions, period. So perhaps you could go off and study the EU 27 member states and tell us which don't have security breach legislation? I think you'll find that most of them do. As a side note, most member states additionally have 'shields' from interference in criminal matters in relation to EU institutions, unless they fall into pillar 1. Even still, certain countries are opting out.

Ronan
Peter, thanks for an interesting piece. FYI, an influential UK legislative body has called for security breach legislation in the UK as a priority. A UK minister also admitted that this is "enticing" conceptually. However, the complexities of establishing the correct notification triggers and an appropriately balanced notification regime are likely to delay this for a while. As for linkage with EU harmonisation, the report calls for the UK not to wait for an EU-led initiative. See chapter 5: http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf