Channel: Data Privacy and Security Law

Consumers Need Mandatory Breach Notification Provisions for their Protection


What is a mandatory breach notification provision? A mandatory breach notification provision simply means that an organization is required to disclose to the public the occurrence of a cybersecurity intrusion and/or data breach. Why is it important? For many reasons. First, it tells the consumer that his/her privacy has been compromised. It further serves to put the affected consumer on notice of potential identity theft or fraud. The more important reason underlying the necessity of mandatory breach notification provisions is that they force companies to maintain stronger data management practices in order to protect the information of their consumers, and punish those who don’t through reputational harm and devaluation caused by negative publicity. Without mandatory breach notification provisions, or regulatory fines, consumers have very little protection, and companies have very little incentive to safeguard the privacy of their consumers.

Germany recently released its proposed amendments to the German Federal Office for Information Security Law. Among the more noteworthy proposed amendments is the establishment of a new duty to notify the German Federal Office for Information Security in the event of a cybersecurity breach. The mandatory breach notification duty would apply to operators of critical infrastructure in the energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance sectors.

Under the proposed amendment, operators would be required to immediately inform the German Federal Office for Information Security in the event their IT systems, components or processes suffer a significant adverse impact caused by a cybersecurity incident. The provision adopts wording similar to the notification requirement described in the European Commission’s cybersecurity strategy and draft network and information security directive.

On March 5, Costa Rica published the Reglamento a la Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales (Regulations of the Law of Protection of the Person in the Processing of His Personal Data) (the “Regulations”). The new regulation includes a mandatory breach notification provision.

Canada’s Personal Information Protection and Electronic Documents Act does not yet include regulatory fines or mandatory breach notification provisions.


