Following on from Datonomy's overview of the data breach notification trigger, we now move on to the content of the notification: what should go in it?
Again, we look to our American friends who have been there and “bought the t-shirt” to provide some examples as to what could go in the notification and how it should be communicated.
On one side, there is California law, under which a data breach notification can be made in writing or electronically, or a substitute notice can be used where the cost of notification would exceed $250,000 or the number of people affected exceeds 500,000. A substitute notice requires e-mails to data subjects where the organisation holds their addresses, conspicuous posting on the organisation's website and notification to major state-wide media. Notification must be made in the "most expedient time possible and without unreasonable delay". There is no prescribed content (although this may be about to change).
This approach gives companies a great deal of freedom to word a data breach notification as they wish. Indeed it would be possible, say, for a company to offer data protection services at the same time as issuing a notice, or even to bury the notice in marketing material.
What about a more prescriptive method? This has the advantage that recipients are guaranteed a certain minimum of information about the breach, which will hopefully enable them to take whatever action is appropriate in response. However, given the diverse ways in which information can be lost, stolen or otherwise breached, a formulaic notification may fail to take account of the unique circumstances of each case. Is it really the best approach?
Perhaps a hybrid approach would be better, i.e. specifying certain information which must be included in every notice, and placing an obligation on organisations to provide such other information as may be relevant in the circumstances. However, leaving such decisions to the organisations themselves (as with the trigger for notification) will require very careful wording in any legislation if it is to be effective.
If the Euro Telecoms Package eventually trickles down into national law, we will more than likely be looking to the ICO to provide guidance on this topic, which may well incorporate one of the above approaches. As for which approach would be best for industry, that is open for debate.
Just some food for thought on a rainy Friday afternoon.