Security Experts:

World War B: Surviving a Global Business Breach Event

Securit Breach Response

Keeping up with Data Breach Laws and How They Interact on a Global Basis is Complicated

Data breaches are not designed for your convenience. They don’t stick to one state or one regulator. They don’t even stick to one country. There are HR files from the US, customer files from Canada, and marketing campaigns full of personally identifiable information from the UK. One breach can trigger laws around the globe, each with different responses.

But let’s not overwhelm ourselves. Instead, we’ll take a high level view with this example. You’re a California corporation with personnel files for your employees in California, Alberta, Canada, and the UK. The summer intern in the HR department downloads all personnel files and trades them to her roommate’s boyfriend, who is on probation of identity theft, for a $100 Urban Outfitters card. Then, your employees start getting credit card bills for cards they’ve never opened. Question is: what laws do you have to comply with when notifying your employees and the authorities?

The first thing you have to do after calling the cops on the intern is to figure out what went out the door and comparing the nature of that information to the definitions of personal information for the different jurisdictions. Personal information is defined very differently within the US and outside the US. The US is quite prescriptive, almost mathematical. In California, personal information is a person’s name plus SSN or driver’s license number, financial number, or medical information. Simple. But in Alberta, Canada, personal information is information about an identifiable individual. What the heck is that? And in the UK, personal information is any information concerning the personal or material circumstances of an identified or identifiable natural person. That one is far from being mathematical as well. Canada and the EU have a lower bar when defining personal information.

So, as you’re sifting through your forensics you’ve determined that all the personnel files contained the employees’ full name and their SSN or state ID numbers. Looks like you’ve met the definition of personal information for all the jurisdictions. Next, we decide which laws apply.

In our second step of determining applicable law, we see that the US and Canada apply their laws very differently than countries in the EU. The US and Canada look to where folks live and abide by those jurisdictions. So if you have employees in California, Texas and Massachusetts and lose their info, then you have to look to the laws of all three states to comply. The EU doesn’t look at citizenship of the people whose info you lost. Instead, the EU generally looks at where the controller of information is based and where the information is being processed. So if you are a UK company processing personal information in UK and you lose that info, you then have to notify everyone whose information went out the door. It doesn’t matter where they live.

Going back to the HR intern, the information was stolen in California. UK law does not apply because your company isn’t based in the UK and wasn’t processing the information there. An exception to this rule is if you submitted to the jurisdiction of the UK because you process information in the UK and are Safe Harbor certified or signed model contract language, then you would be on the hook in the UK and would have to notify the authorities there. So you must send letters to all your US and Alberta employees by law and will probably send them to folks in the UK as well, not because you have to but because it’s the righteous thing to do.

Our third step is to perform a risk assessment. What is the likelihood that the data loss will harm the data subjects? Gauging by the number of nefarious credit cards, harm appears likely. But what if there was no likelihood of harm? That could be the case if the cops nabbed the intern before she had the chance to transfer the files to the identity thief. Jurisdictions look at the likelihood of harm differently. Alberta and UK say you only have to notify if harm to the data subject is foreseeable. California doesn’t care and has you notify regardless.

So in the end, you’d notify personnel and authorities in California and Canada by law and your folks in the UK just because you’re a nice person. Keeping up with all these laws and figuring our how they interact on a global basis is more complicated than Taylor Swift’s dating life. Tools exist to walk you through data breaches and all the steps above, and they cut breach response time and effort dramatically. So be ready for the global breach and beware interns with a penchant for Urban Outfitters.

view counter
Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years; fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed membership on the President Clinton’s Export Counsel Subcommittee on Encryption. He holds a Juris Doctorate degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.