When determining whether affected individuals require notification following an incident involving personal information, one of the most important factors to evaluate is whether or not the applicable laws provide for a consideration of risk of harm to those affected individuals, and what the standard of harm entails.
However, depending on the law, harm standards can vary from a consideration of risk of identity theft or fraud to a broader consideration of the potential for discrimination or damage to an individual’s reputation.
Understanding the nuances in a law’s risk of harm standard (or lack thereof) is critical in developing a consistent breach notification and documentation program.
U.S. State Risk of Harm Standards
Risk of harm standards can vary from state to state, although breach notification laws in the United States typically focus on a risk of financial harm to affected individuals, such as identity theft or fraud. While not all states are as verbose in their descriptions, Ohio’s general breach notification law includes its risk of harm standard in its breach definition:
“Unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by an entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of Ohio.”
New Mexico’s law does not include risk of harm language in its breach definition, but does cite the consideration of harm in its section on notification of a security breach: “...notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”
For jurisdictions such as California that do not provide for a risk of harm standard, organizations should establish a consistent company policy approach that addresses notification following an incident that meets the definition of a breach, but is otherwise assessed to pose a low risk of harm to affected individuals.
Global Risk of Harm Standards
In other countries, if a general breach notification law provides for a risk of harm standard, it is typically much broader in scope than financial harm.
For example, the EU’s General Data Protection Regulation (GDPR) and related regulator guidance make it clear that financial harm is only one type of risk that must be considered. Risks to the rights and freedoms of affected individuals, such as the risk of discrimination or damage to an individual’s reputation, must also be considered in making notification decisions. The Article 29 Working Party, now replaced by the European Data Protection Board, published a particularly rich resource on personal data breach notification that details what factors to consider when determining whether notice to affected individuals is required following a breach of personal data. For example:
“A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.”
Broadly speaking, risk of harm standards under non-U.S. breach notification laws are typically more in line with the GDPR’s standard of harm than the U.S. state standard. In its Advisory Guidelines on Key Concepts in the Personal Data Protection Act, Singapore’s Personal Data Protection Commission specifies that significant harm could include physical, psychological, emotional, economic and financial harm, as well as harm to reputation and other forms of harm that a reasonable person would identify as a possible outcome of a data breach.
Supporting this broader risk of harm standard under non-U.S. laws are correspondingly broad definitions of personal or sensitive information, which can include an individual’s political affiliations, sexual orientation, or religious beliefs—data not currently specified as regulated under U.S. state law. Under Singapore’s Personal Data Protection Act, even a compromise of certain prescribed data, independent of other risk factors, could be deemed to cause significant harm to affected individuals.
Risk-Reducing Measures for Organizations
When developing a consistent incident response and breach notification program, best practices to consider include:
- Know whether a risk of harm standard is provided for in the applicable law. If so, what is the scope of that standard?
- Conduct a multi-factor risk assessment. This should include facts relating to any data protection measures that were in place, the intent behind the compromise or potential compromise, who received or potentially received that data, and what steps, if any, were taken to reduce the risk of adverse effects to affected individuals.
- Have a consistent notification policy approach. For incidents that occur with some regularity, such as misdirected mail that contains the same set of personal data, choosing to notify individuals in some cases and not in others can be a red flag to regulators.
- Consider whether there are obligations related to a determination of unlikely harm. Is a written determination required to be kept for a specified period of time? Can an organization make the determination solely on its own, or must it be made in collaboration with other entities, such as law enforcement?