State laws in the United States regulate breach notification obligations to U.S. residents—potentially including employees—whose data get compromised in a breach. Bills introduced in Congress have proposed federal legislation that might someday preempt this area, but passage of any such legislation is unlikely in the near term. A September 2011 article in Business Insurance determined that there are “no immediate prospects for a federal law.” (Judy Greenwald, Federal Data Breach Notification Law Could Simplify Process, available at www.businessinsurance.com/article/20110918/NEWS07/309189980. An earlier article by Gina Stevens for the Congressional Research Service discussed certain notification obligations in specific circumstances usually not relating to employee data and is available at http://opencrs.com/document/RL34120/.)
Generally speaking, personal data protection and privacy in the United States are far less comprehensively regulated than in jurisdictions such as the European Union, Australia, Canada, Hong Kong, Japan, and the growing club of Latin American countries with omnibus data laws—Argentina, Chile, Mexico, and Uruguay. But in our particular context here, data breach notification, U.S. states impose some of the world’s most specific and tough obligations. Back in 2003, California passed a groundbreaking data security-breach-notification law and now 46 states have followed, imposing laws that require notice to data breach victims in certain contexts. Many of these laws offer a private right of action. (A table listing these 46 laws appears at the website of the National Conference of State Legislatures, www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.)
These U.S. state breach notification laws generally require database owners to notify affected “customers” and other data subjects, possibly including employees, of a breach. And some of these laws require notice to state attorneys general or credit bureaus. The breach notification laws of states may be aimed primarily at remedying breaches of consumer data. However, depending on the situation, they can reach employee data breaches, as well—particularly breaches implicating employee credit checks, payroll, benefits, medical information, social security data, and direct deposit information.
When a U.S.-based multinational employer suffers an employment data breach on U.S. soil, most of the affected employees often prove to be U.S. residents. In those cases, complying with state data breach notification drives global breach notification strategy. Word gets around; human nature being what it is, as soon as an employer notifies its U.S. employees consistent with any applicable state breach notification laws, the Americans might be expected to mention the breach to colleagues overseas. For several reasons, a widely followed practice is for a multinational to notify all its affected employees, worldwide, of a breach of their human resources data—even including employees who work outside the United States and in jurisdictions that may not compel notice. (Timing can then become an issue; breach notices may need to be expedited or delayed in some jurisdictions.)
A data breach that implicates employee victims who work outside the United States broadens the employer’s breach-notification-obligation analysis to the domestic mandates of all affected overseas employees’ home jurisdictions. The European Union and its affiliated European Economic Area impose the world’s toughest data protection laws. This is largely in connection with the landmark EU Data Protection Directive (95/46/EC (Oct. 24, 1995)) and the Member State laws transposed under it. Because of the prominence of these EU-mandated standards, during discussion of transnational data protections, the focus often turns quickly to Europe.
But outside the telecommunications sector, current European data law is surprisingly sketchy as to breach-notification mandates. Europe might boast the world’s toughest general data-protection regime, but European jurisdictions cannot claim leadership in imposing unambiguous breach-notification mandates. The European Network and Information Security Agency (ENISA) noted as much in a January 2011 report, Data Breach Notifications in the EU (“ENISA Report”). The ENISA Report was repetitive in its emphasis, asserting both that “[d]ata breach notifications are not yet mandatory in most countries in the European Union” (id. at 11), and that “[i]t should be noted that data breach notifications are not yet mandatory in most EU countries” (id. at 12). (The ENISA Report, which also contains a summary of the current (usually nonmandatory) EU data-breach-notification rules, is available at www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/dbn.)
The substantial lack of mandatory EU breach notification rules will not last forever. A draft EU regulation issued in January 2012, meant to replace the current EU Data Protection Directive, proposes in its Articles 31 and 32 to impose new, strict, and sweeping breach-notification mandates requiring data controllers to notify government data protection authorities of a breach within 24 hours—and to notify all implicated data subjects likely to be “adversely affected” within 24 hours, too.
The proposed regulation, COM (2012) 11 final (Jan. 25, 2012), is available at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. Among other things, the proposed regulation explains that “[a] breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.”
But this proposal is controversial and not yet law. While some EU regulation appears certain to replace the current EU Data Protection Directive in coming years, the January 2012 proposal merely offers a first draft. The final regulation is likely to differ.
The reason current European data law might lack clear data-breach mandates is that Europe’s general data-notification rules under the original EU Data Protection Directive grew up around the idea of forcing “data controllers” to tell government Data Protection Authorities (“DPAs”) and individual “data subjects,” in the first instance, about their data processing systems. Current European data laws implementing (“transposing”) the EU Data Directive focus so intently on requiring these notifications about systems in the first place that perhaps these laws neglect breaches that might occur later. In a sense, Europe’s current data-notice mandates are preventive—they try to “close the barn door before the cow gets out.” Meanwhile, the U.S. states focus on post-crisis breach notification, the steps to take “after the cow gets out.” But the future European regime under the pending data regulation will change this.
None of this is to say that a European employee victim of a data breach, today, has no arguments for notification under current law. A handful of individual European states impose their own specific breach-notification obligations. For example, a German law from 2009 mandates breach notification to local German DPAs and data subjects. (German Federal Data Protection Act (BDSG) § 42a, as amended Sept. 2009.) Laws in Spain and Ireland also impose certain notice obligations. (Spain Royal Decree 1720/2007; Irish Data Protection Commissioner Code of Practice, Guidance on Data Breach Measures (available at www.dataprotection.ie/docs/7/7/10_-_Data_Security_Breach_Code_of_Practice/1082.htm).)
Obligations might also arise in European jurisdictions that do not yet impose clear, statutory breach-notification mandates. In some of these jurisdictions, DPAs and affected data subjects might argue that broad general rules somehow require data controllers to notify DPAs and data subjects about data breaches. One argument is that a data breach is a per se violation of general data law that, by law, must be reported. These arguments seem strongest in Austria (cf. Austrian data law Article 24(2)(a)), the Czech Republic (cf. Czech data law Article 40(1), (2)), Denmark (cf. Danish data law Title II, Chapter 4, § 5(1)), Slovakia (cf. Slovak data law § 19(4)), and Sweden (cf. Swedish data law § 38).
For the United Kingdom in this connection, the ENISA Report recounts that “[i]n 2008, the United Kingdom’s Information Commissioner’s Office (ICO) issued a guidance note on notification of data security breaches to the ICO. The ICO advised that it should be notified of serious breaches, although there was no legal obligation.” (The ICO guidance note itself is available at www.ico.gov.uk/for_organisations/guidance_index/data_protection_and_privacy_and_electronic_communications.aspx.)
Another argument, maybe applicable across Europe, is that unless the data controller had previously disclosed “breaches” as one form of its data processing, then general data processing law may obligate the controller to notify DPAs and data subjects after an unanticipated breach occurred—the breach being a new but as-yet-undisclosed form of data processing.
In researching and interpreting current breach notification requirements in Europe, focus on two prongs.
· First, ask whether the data controller must notify DPAs. At most only a handful of European states, including Germany and Norway, flatly require breach notification to DPAs—but surely someone in every European state will argue that DPA notification of a serious breach is “recommended” or “encouraged.”
· Second, ask whether the data controller must notify affected data subjects about the breach. Distinguish jurisdictions in which notice is mandated from those that merely “recommend” or “encourage” notice. This prong then splits into two halves: notice requirements to “direct data subjects,” such as employees, versus notice to “indirect data subjects,” such as employees’ e-mail correspondents. Where a multinational employer that suffers a breach of employee data decides, for human resources or business reasons, promptly to notify all affected staff worldwide, then the issue of whether current laws in Europe compel notice to European employees as direct data subjects can drop out, as a practical matter, because the employer complies anyway.
Breach-notification mandates aside, any publicized data breach in Europe not only brings bad publicity, it risks drawing close scrutiny from European DPAs and data subjects (data subjects have private rights of action). European states impose heavy penalties for widespread data-law violations, potentially applicable when sloppy data security allegedly caused the breach. DPAs and affected data subjects could always sue alleging a data breach resulted from illegally lax data security. Therefore, a multinational’s breach-notification strategy in Europe should always factor in the high stakes: no company wants its breach notification to become an invitation to sue for illegally lax data security.
Beyond the United States and Europe
Stepping outside the United States and Europe, breach notification follows a broadly similar analysis. First ask: Which jurisdictions’ laws control? In the employment context that will primarily be the laws of affected employees’ places of employment. Then ask: Do any applicable jurisdictions’ laws impose actual breach-notification obligations (as opposed to recommendations and suggestions)? Often they will not.
For example, according to the Australian Office of the Privacy Commissioner (now known as the Office of the Australian Information Commissioner), in its 2008 Guide to Handling Personal Information Security Breaches, Australia’s “Privacy Act does not expressly require . . . an organization to notify individuals if personal information is subject to a breach. . . . .” (The Commissioner’s Guide is available at www.privacy.gov.au/materials/types/guidelines/view/6478.) The Commissioner made this observation even though, as of March 2012, there were calls in Australia for breach-notification law. At least, this was reflected in a 2012 article by Tim Lohman, Call for Mandatory Data Notifications Renewed, available at www.csoonline.com.
Similarly, the newly enacted omnibus privacy laws in much of Latin America tend not to contain specific breach notification mandates. And, U.S. states aside, countries that do not impose broad omnibus data-protection laws are even less likely to require employee breach notification. A chart summarizing breach-notification laws around the world, as they were effective at the time, appears in a 2009 article by Alana Maurushat, Data Breach Notification Law Across the World from California to Australia, available at http://law.bepress.com/unswwps/flrps09/art11/.
In a jurisdiction where local law does compel some actual breach notification, ask: What are the law’s precise obligations to notify government agencies and affected data subjects? When a multinational employer makes the business decision to notify all affected employees worldwide of a breach, the focus should shift to notification obligations to government authorities. Very few jurisdictions outside the United States and Europe require notifying government agencies about breaches of human resources (“HR”) data, but some might, and some HR data breaches might fall under breach-notification mandates for other types of data. Where laws do not compel notice to either government or affected data subjects, then consider what notice is “recommended” or “encouraged” as a good practice.
Legal Issues Beyond Breach-Notification Mandates
In many jurisdictions, whether any breach-notification mandates apply to a specific HR data-breach incident will depend on the facts because even where no data-breach notification law per se applies, some context-specific mandate could compel certain notifications in certain scenarios. That is, data breaches can sometimes implicate notification requirements from laws other than data laws, such as financial disclosure laws. Where an HR data breach somehow leaks regulated information about publicly traded securities (such as data about employee equity plans), securities laws might kick in. For example, Australia’s Corporations Act of 2001, available at www.austlii.edu.au/au/legis/cth/consol_act/ca2001172/, mandates stringent notice to the Australian Securities and Investments Commission, and at least one lost laptop in the United Kingdom triggered a huge fine from the U.K. Financial Services Authority because the laptop contained financial data. Europe also imposes special breach-notification rules in the electronic communications and telecommunications sector (largely through the EU ePrivacy Directive, 2002/58/EC, as amended by EU Directive 2009/136/EC), and in some cases third-party contracts or a company’s own data policies might impose additional breach obligations and may trigger claims or penalties.
These scenarios, though, for the most part lie outside the HR data-breach context. And few employment laws, collective bargaining agreements, or laws requiring disclosures to labor agencies explicitly mandate HR data breach notification—although after a widely publicized data breach, employees, employee representatives, and labor agencies might argue the employer should have made certain notifications.
As such, whenever a data breach implicates employees’ personal data, strategic human resources and labor practices, along with legal compliance initiatives, become vital.