Data breach laws: would you know if your personal information was compromised?

If your personal information was involved in a data breach, would you know?   While it’s unfortunately become the norm to see data breaches announced in the headline, it’s not always clear who has been impacted by a breach and what specific data was lost, stolen or compromised.

As consumers, patients and citizens, we may expect to be notified when a breach impacts us – but whether that’s a legal obligation will depend on the laws in your jurisdiction. In Canada, federal breach reporting rules came into effect on November 1, 2018 while Europe’s breach notification rules were implemented by the GDPR earlier in 2018. While the US doesn’t currently have federal legislation in place, most states have implemented laws to address data breaches.

However, levels of protection vary – just because legislation exists in your area doesn’t mean that it will be meaningful or effective. Here are few important ways in which different jurisdictions vary in how they handle data breaches:

1. What information is protected.

Most jurisdictions require breach notification when it impacts personal information that could expose someone to a risk of identity theft, fraud, or other financial harm. This includes information like your name, social security/insurance number, driver’s license information or other sensitive government-issued identification information. Some states and countries also include health and medical information, and other types of personal information that could lead to social, emotional or physical harm. It’s worth noting that in addition to general data breach laws, some industries have additional rules to follow. For example, HIPAA (the Health Insurance Portability and Accountability Act) is federal United States legislation that includes additional breach notification and reporting requirements for the healthcare industry.

2. Whether and when impacted individuals need to be notified.

While we might hope that companies and organizations would notify us in the event of any compromise of our personal information, laws vary. In some jurisdictions, organizations are only required to notify individuals affected by a breach if that breach passes a “harm test”. Harm tests typically require an assessment of the risk of harm, including both how likely harm is to occur and how severe the harm could be if it occurred. If a breach doesn’t seem likely to cause harm or that harm would not meet a certain level of severity, organizations may not be required to notify individuals affected by a breach.

3. If breaches need to be reported to government agencies, law enforcement, consumer reporting agencies or other organizations.

In some jurisdictions, harm tests also will determine whether data breaches need to be reported to government or consumer reporting agencies. The specific organizations that are responsible for receiving reports vary by location. For example, in Canada, breaches may need to be reported to the federal Privacy Commissioner and, if it would help mitigate the breach or lower the likelihood of harm occurring, law enforcement and other agencies may need to be notified. In the US, reporting requirements vary by state – some require breaches to be reported to the Attorney General, others require consumer reporting agencies like credit bureaus to be notified, and others require both.

If you live in the United States, law firm Davis Wright Tremaine LLP maintains a helpful website with an overview of data breach legislation and related obligations in each state. The site also tracks whether a “harms test” applies and provides an overview of reporting requirements.

That said, one of the most effective ways to identify whether you’ve been affected by a data breach isn’t to rely on organizations, but the compromised data itself: HaveIBeenPwned.com remains an important & well-recognised resource for identifying whether you’ve been the victim of a data breach.   Unfortunately, until reporting & notification laws become more widespread, consistent and effective, we can probably expect resources like HIBP to be more reliable at identifying and disclosing breaches than the organizations that we trust with our information.