Data Breach Settlement
A data breach is the intentional or unintentional release of protected or confidential information into an untrusted environment. Other terms used in English for the same incident include data compromise, unintentional information disclosure, data leak and data spill.
Such incidents range from a concerted attack by criminal hackers backed by organized crime or a national government, to the careless disposal of computers, tablets, phones or storage media that still hold data.
Personal Data Breach in the US
Unlike the European Union, the United States has no general federal law on the protection of personal data, only sector-specific rules. On the other hand, all fifty states, some for many years already, as well as the District of Columbia, have laws on security breach notification.
Some requirements are common to all of these laws; others vary from state to state.
Requirements common to the state breach notification laws:
– The obligation to notify residents of the affected State within a reasonable time;
– The obligation to notify certain bodies, and in particular the State Attorney General and/or the consumer protection agency in certain circumstances;
– Exceptions to the notification obligation, for example when the information was acquired in good faith by an employee or agent for the purposes of the business, when the data was encrypted (typically only if the encryption key was not also compromised), or when there is a low risk of harm;
– Specific requirements regarding the content of the notification; and
– Civil penalties imposed by the Attorney General of the State.
Most of the laws define a minimum threshold of risk of harm before the notification obligation is triggered, although the exact wording varies: depending on the state, the risk must be “substantial” or “material”. Some laws require companies to consult with law enforcement or to notify the Attorney General in order to determine whether notification is really necessary where the risk of harm is limited.
Personal Data Breach in Europe
Regulation (EU) 2018/1725 obliges all institutions and bodies of the European Union to report certain personal data breaches to the European Data Protection Supervisor (EDPS). They must do so, where feasible, within 72 hours of becoming aware of the breach.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, they must also inform those persons without undue delay. All EU institutions and bodies should have procedures in place to detect a breach, investigate it, take the necessary corrective action and report on it. They must keep a record of every personal data breach, whether or not it has to be notified.
A personal data breach occurs when the data your business or organisation is responsible for suffers a security incident that results in a breach of confidentiality, integrity or availability. Availability counts: a ransomware attack that encrypts personal data is a breach even if nothing is exfiltrated.
“Processing” covers any operation performed on personal data: collection, recording, organisation and storage, retrieval and consultation, transmission or making the data available to others, as well as blocking, erasure or destruction.
EU institutions and bodies are not allowed to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, except in specific circumstances. Data concerning health or sex life may likewise not be processed, unless an exception applies, for example where processing is necessary for health purposes.
The organisation must notify the DPA (Data Protection Authority) and the data subjects
The data of a textile company's employees have been leaked. They included home addresses, household composition, monthly salary and medical expense claims for each employee. The textile company must inform the supervisory authority of this breach. Since the data include sensitive personal data such as health-related data, the company must also inform its employees.
A hospital employee copies patient information onto a CD and publishes it online. The hospital learns of this a few days later. From the moment it discovers the breach, the hospital has 72 hours to inform the supervisory authority and, since the records contain sensitive patient information (cancer patients, pregnant patients, etc.), it must also inform the patients. In this case it is doubtful whether the hospital had implemented appropriate technical and organisational protective measures; had it done so (for example by encrypting the data, with the key kept out of the employee's reach), the risk would have been unlikely to materialise and the hospital would not have had to notify its patients, although it would still have to record the breach internally.
A processor must notify its customers (the controllers), who must then notify the DPA and the data subjects
A cloud service provider loses several hard drives containing personal data belonging to several of its customers. It must notify those customers without undue delay after becoming aware of the breach. The customers, as controllers, must then notify the DPA and the persons concerned, depending on the data the provider processed on their behalf. In practice the processing contract should fix a notification deadline for the provider, because the controller's 72-hour clock starts only when the controller becomes aware of the breach.
Data breach settlement in Asia
Will Asia choose the European or the American model? In Europe, the General Data Protection Regulation (GDPR) has applied since May 25, 2018. In the United States, scandals over the protection of personal data keep multiplying. While several Asian countries are emerging as future champions of Big Data processing and artificial intelligence, is the protection of personal data progressing there?
Improvements in China
The protection of personal data entrusted by individuals to companies in China has developed very quickly, especially with the Cybersecurity Law of 2016, eleven articles of which are devoted to data protection. It lays down general principles, clarified by guidelines published in December 2017 (the Personal Information Security Specification) and applicable since 1 May 2018, and experts underline their similarities with the European approach. Like the GDPR, these guidelines apply to all businesses in all industries, a fundamental difference from the American sector-by-sector approach. Rights that characterise the GDPR are present there, such as the right to data portability, which allows individuals to retrieve their data in order to transfer it to a competitor.
However, China does not aim to go as far as Europe on the protection of personal data. Those who designed the 2017 guidelines publicly stated their goal of finding a position tougher than that of the United States but less demanding than Europe's. There is also a debate in the country between supporters of lighter regulation, in favour of the development of industries such as artificial intelligence, and supporters of better protection of citizens against repeated fraud and abuse. Thus the last draft of the guidelines contained more protections than the final version, whose provisions were weakened in the negotiations. The situation has continued to evolve rapidly: further clarifications followed, and a law dedicated specifically to the protection of personal data, the Personal Information Protection Law (PIPL), was adopted in 2021.
The government, however, retains wide access to data for various reasons, such as security, or for the rating of citizens under the “social credit system”, whose vague contours are still poorly understood and debated by researchers. Technological developments clearly make government surveillance more effective, the exact opposite of what those who saw the arrival of the Internet in China as forcing a liberal evolution of the regime had hoped for. For individuals who entrust their personal data to companies, rights are reinforced and the risks of leaks and other bad practices reduced, provided the rules are effectively enforced. On the other hand, they have no means of recourse when their rights are infringed by the State.
Japan and Korea: following Europe?
The situation is better in the two hyperconnected societies of South Korea and Japan. Progress there is also very rapid and in line with European law. The convergence is so marked that the European Commission opened discussions with both countries in order to recognise their level of protection as “essentially equivalent” to that of the European Union. Such an adequacy decision, provided for by the GDPR, allows personal data to be exported from Europe to these countries without further safeguards.
Some problems, however, were liable to raise doubts in the European Commission. First, in Japan as in South Korea, the notion of personal data is defined more narrowly than in Europe, which could exclude certain information from the scope of application. Second, several experts feared that data imported from Europe could then be re-exported to less protective countries, Tokyo and Seoul having commitments with their Pacific neighbours. An additional difficulty for Korea was the absence of an independent supervisory authority comparable to France's CNIL, the supervisory role being assumed by the Ministry of the Interior; Korea addressed this in 2020 by making its Personal Information Protection Commission an independent agency. The Commission ultimately adopted an adequacy decision for Japan in January 2019 and for South Korea in December 2023.
Protection of personal data is progressing in Asia
The situation is also changing rapidly in other Asian states, many of which prefer a single general data protection law to a collection of sectoral texts, in other words the European approach rather than the American one. Hong Kong, Taiwan, the Philippines and Singapore are among those that have reformed their law to include more European characteristics; India, long at the exploratory stage, adopted its Digital Personal Data Protection Act in 2023. Without reaching the Korean and Japanese level, each of these countries looks to European law and gradually imports more of its elements.
Much progress remains to be made, however, and the effective enforcement of these new rights has yet to be verified. That depends on supervisory authorities with resources commensurate with their enlarged missions. The challenge is the same for Europe, and it is by no means certain that Europe can fulfil its role as a model on this point.
Data Breach Fines and Settlement Examples
- March 2022: the hacker collective Anonymous leaked the contents of a database of Roscosmos, the Russian State Corporation for Space Activities, amid the 2022 Russian invasion of Ukraine.
- July 2022: leak of the Shanghai National Police database.
- Meta Platforms Ireland Limited (MPIL) was fined €265 million by the Irish Data Protection Commission in November 2022 for breaching the GDPR's data protection by design and by default obligations. The inquiry began in April 2021, after a dataset of Facebook users' personal data, collated by scraping, was made available on an online hacking forum.
- In its cookie decisions of 31 December 2021 against Google and Facebook, in addition to the administrative fines, the CNIL's Restricted Committee also issued an injunction under penalty requiring the companies to provide Internet users located in France, within three months of notification of the decision, with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee the freedom of their consent. Failing this, the companies would be liable to a penalty of €100,000 per day of delay.
- On December 28, 2021, the Restricted Committee of the CNIL (Commission Nationale de l'Informatique et des Libertés, the French data protection authority) fined SLIMPAY €180,000, in particular for insufficiently protecting its users' personal data and for failing to inform them of a data breach. Source: CNIL.
- Amazon Europe Core S.à r.l. was fined €746 million by Luxembourg's data protection authority (CNPD) in July 2021 for non-compliance with the GDPR's general data processing principles, in connection with its processing of personal data for targeted advertising.
- WhatsApp Ireland Ltd was fined €225 million by the Irish Data Protection Commission in September 2021 for a series of transparency infringements of the General Data Protection Regulation (GDPR), following a cross-border inquiry.
- Capital One agreed to a US$190 million class action settlement (a settlement, not a regulatory fine) over its 2019 data breach, which affected some 100 million people in the United States and about 6 million in Canada; the US Office of the Comptroller of the Currency separately imposed an US$80 million civil penalty in 2020. A parallel class action filed in the Superior Court of Quebec alleges that Capital One and Amazon, whose cloud infrastructure hosted the data, failed in their duty to adequately protect the personal data of credit card holders, thereby enabling the breach, and also delayed notice to class members. The data theft allegedly took place on March 22 and 23, 2019 and was discovered on July 17, 2019, but was not disclosed to the public until July 29, 2019. Technically, the attacker reached the data through a misconfigured web application firewall that allowed temporary cloud credentials to be obtained and storage buckets to be listed and copied. “This case involves one of the largest personal data breaches in history,” the class action complaint states. Read more at: https://www.capitalonesettlement.com/en
- Google LLC was fined €50 million by France's CNIL in January 2019 for insufficient transparency, information and valid consent regarding the processing of personal data for behavioural advertising purposes.
- British Airways: in July 2019 the UK Information Commissioner's Office (ICO) announced its intention to fine the airline £183 million for poor security arrangements that allowed a 2018 web-skimming attack on its website and mobile app, affecting around 500,000 customers. The final penalty, issued in October 2020, was reduced to £20 million.
- The Cambridge Analytica case. At the end of March 2018, the Cambridge Analytica scandal had serious consequences for Facebook: a fall in its stock market value estimated at US$8 billion and the deletion of several million user accounts, depriving the social network of immediate advertising revenue, not to mention a reported loss of confidence among 40% of Internet users, which is bound to weigh on the medium-term accounts of the GAFA companies (Google, Apple, Facebook and Amazon). Regulatory consequences followed: the UK ICO fined Facebook £500,000 in 2018, the maximum under the pre-GDPR law, and in July 2019 the US Federal Trade Commission imposed a US$5 billion penalty.
- The Hospital do Barreiro was fined €400,000 by Portugal's data protection authority (CNPD) in 2018 for deficient database access policies, which allowed technicians and physicians to consult patients' clinical files without proper authorisation.