In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.
In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.
Breaches may be reported to the ICO in writing, by email or postal mail, or by using the new breach notification form, which sets forth specific questions regarding the breach and is available online. The completed form must be submitted via email. Although use of the form is not obligatory, its content gives organizations the clearest indication yet of the type of information the ICO expects to receive regarding a breach.
As we reported in September 2011, California recently amended its breach notification law, adding new notification requirements that came into effect on January 1, 2012. Further to these changes, the California Attorney General introduced an electronic form to be filled out and submitted online in the event of a security breach affecting more than 500 California residents. The California Office of Privacy Protection also posted an updated version of its “Recommended Practices on Notice of Security Breach,” which provides guidance and best practices for businesses with respect to “managing personal information in ways that promote and protect individual privacy interests.”
Both the UK and California breach notification forms ask businesses to provide certain details of the breach, including the date of the breach, the date of notice provided to affected individuals, and the type of personal information involved. Unlike the non-binding UK initiative, California law now requires businesses to submit the electronic reporting form and upload a sample copy of the notification letter being sent to affected individuals when a breach affects more than 500 California residents. The California breach form includes questions about other law enforcement agencies that have been notified of the breach, and the ICO’s form asks for information regarding other regulatory bodies that have been informed of the incident, such as The Office of Fair Trading and the Financial Services Authority.
Finally, on January 27, 2012, Illinois Attorney General Lisa Madigan released Information Security and Security Breach Notification Guidance, which provides advice on preventing, preparing for, and responding to data security breaches. The guidance encourages businesses to establish comprehensive information security programs and includes practical considerations for notification in the event of a breach. Illinois recently amended its breach notification law to require that notification letters to affected individuals include certain content, such as the toll-free numbers and addresses of the FTC and the major credit reporting agencies and a statement that individuals can obtain information about fraud alerts and security freezes from those sources.