CYBERSECURITY SERIES: RECEIVING A BREACH NOTIFICATION FROM A SUPPLIER - COMPLYING WITH NOTIFICATION OBLIGATIONS
So you’ve received a breach notification from a supplier and have limited information about what’s happened. You have limited time to determine whether you need to notify regulators, affected organisations and individuals, and to make those notifications. Meanwhile, your communications team might be telling you to begin talking to your customers as soon as you can, your directors might be hoping to wait for more details before they make a decision, and your IT team might be telling you that they can’t do anything to help, because all their incident response planning related to breaches of the systems they can access.
Sometimes, irrespective of how little information a business has received about a breach from its supplier, it will still have to notify various third parties of the breach where it is legally or contractually required to do so. These third parties might include:
regulators such as the ICO, data protection authorities in other EU countries, sector/industry regulators
individuals affected by the data breach such as your individual customers and business contacts, users of your site/platform/electronic communications service, your staff
organisations affected by the data breach such as your business customers, partners, group companies
law enforcement authorities
bank or credit card companies
Breach notifications might be required under various laws, with businesses in certain sectors potentially having to make notifications under several different regimes.
Under the GDPR, any organisation that becomes aware of a breach involving personal data has to:
notify the relevant data protection regulator (such as the ICO) without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Art 33)
notify the individuals whose personal data was breached (the ‘data subjects’) without undue delay if the breach is likely to result in a high risk to them, unless certain conditions are met (Art 34)
If the breached personal data involves data that the organisation processes as a processor on behalf of other organisations (e.g. business customers), it will have to notify all such organisations (the ‘controllers’) without undue delay (Art 33(1)) – so that they can comply with their own breach notification obligations as controllers under the GDPR.
Under the Network and Information Systems Regulations 2018, all ‘operators of an essential service’ have to notify the relevant NIS regulator about any incident which has a significant impact on the continuity of the essential service that they provide, without undue delay and within 72 hours of becoming aware of it (Reg 11). (The relevant NIS regulator is sector-dependent and set out in the NIS Regulations.)
Under the Privacy & Electronic Communications Regulations 2003, providers of public electronic communications services have to notify the ICO of incidents affecting the availability, integrity or confidentiality of personal data within 24 hours of detecting a breach. If the breach is likely to adversely affect the personal data or privacy of subscribers or users, the service provider must also notify that breach to the subscribers or users concerned without undue delay.
Under the Electronic Identification and Trust Services for Electronic Transactions Regulation 2016, UK trust service providers have to report any breach of security or loss of integrity that has a significant impact on the trust service or on the personal data maintained within it to the ICO within 24 hours.
Certain sectors such as financial services and healthcare may have additional breach reporting obligations under sector-specific regulations.
If the data breach involved a criminal act, the police and/or other law enforcement authorities would need to be informed.
Breach notifications may also be required under contracts your business has with various third parties.
Contracts with business customers often contain enhanced breach notification obligations, such as 24-hour reporting deadlines, a duty to report suspected as well as confirmed breaches, and a duty to report breaches affecting your or your suppliers’ systems even if the customer’s data hasn’t been breached.
Insurers may require that they be notified of a data breach within a given timeframe if they are insuring against this risk, or that law enforcement authorities are notified of any crime involved in the breach.
ABOUT OUR CYBERSECURITY SERIES
Clayden Law has teamed up with technical expert Emma Osborn, and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area. For more information, click here.
Please be aware that these notes have been compiled for general guidance only and should not be considered as specific legal or technical advice.
Piers Clayden, firstname.lastname@example.org
Solicitor & Director, ClaydenLaw
© ClaydenLaw 2018