Data Breach Automation
Try Free
Data Breach Automation
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification referred to in shall at least:
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Among the rights the CCPA endows on California consumers, is the right to bring an action for statutory damages if the consumer’s information is subject to a data breach. This right, however, only applies to certain kinds of data breaches.
In order for a data breach to be actionable, three requirements must be met:
First, the information must be personal information, not as broadly defined by the CCPA, but as narrowly defined by California’s data breach notification law. This is welcome news to breached entities who are wary of consumer actions.
The CCPA’s broad definition of “personal information,” which would apply to virtually every other part of the Act, is any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” By contrast, the much narrower definition applicable to the data breach notification law lists specific types of information that qualify as personal information, such as a first name or initial combined with social security number.
Second, the personal information must be nonencrypted and nonredacted. Note that the requirement that the information be both nonencrypted and nonredacted is a new requirement. thus narrowing the consumer’s right of action with but a single word.
Third, the breach must have been “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Breach notification laws have matured and are now global and mainstream. These laws are unique in their incident reporting requirements and continue to reduce the time organizations have to notify authorities of a breach. In some cases, this window is as little as 72 hours.Mos t of the incidents lack documentation, involve more data, and occur more frequently than ever before. Without automation and knowledge of global breach notification law, compliance and response will become growing challenges.
InfoComply breach incident automation software helps organizations centrally manage incidents, automate tasks, and maintain records for compliance and notification with global laws. The tool comes with integration to global regulation where in it is easy to search global notification rules . With InfoComply platform, organizations can build context-aware automated workflows that help your organization rapidly respond to incidents and enhance breach notification decision-making.