Breach Notification Tracker

    Breach Notification Tracker

    This tracker is powered by the Databreachpedia™ Global Law Engine, an innovative solution that integrates breach notification laws directly into the OneTrust platform. Databreachpedia maps out the requirements for managing and notifying personal data breaches in every country across the globe.

    Last Updated: March 15, 2019


  • Europe

    Click on the countries below for further information about their personal data breach notification regimes.

    AustriaBelgiumBulgariaCroatiaCyprusCzechiaDenmarkEstonia

    FinlandFranceGermanyGreeceHungaryIcelandIreland ~ ItalyLatvia

    LiechtensteinLithuaniaLuxembourgMaltaNetherlandsNorwayPoland

    PortugalRomaniaSlovakiaSloveniaSpainSwedenUnited Kingdom

     

  • North America

    Click on the states & countries below for further information about their personal data breach notification regimes.

    Alabama ~ Alaska ~ Arizona ~ Arkansas ~ California ~ Colorado ~ Connecticut

    Delaware ~ Florida ~ Georgia ~ Hawaii ~ Idaho ~ Illinois ~ Indiana ~ Iowa ~ Kansas

    Kentucky ~ Louisiana ~ Maine ~ Maryland ~ Massachusetts ~ Michigan ~ Minnesota

    Mississippi ~ Missouri ~ Montana ~ Nebraska ~ Nevada ~ New Hampshire

    New Jersey ~ New Mexico ~ New York ~ North Carolina ~ North Dakota ~ Ohio

    Oklahoma ~ Oregon ~ Pennsylvania ~ Rhode Island ~ South Carolina

    South Dakota ~ Tennessee ~ Texas ~ Utah ~ Vermont ~ Virginia ~ Washington

    West Virginia ~ Wisconsin ~ Wyoming ~ District of Columbia

    Guam ~ Puerto Rico ~ Virgin Islands ~ Canada

     

  • Asia-Pacific

    Click on the countries below for further information about their personal data breach notification regimes.

    Singapore ~ Australia ~ New Zealand ~ China ~ India ~ Japan ~ Indonesia ~ Philippines ~ Russia ~ South Korea ~ Hong Kong ~ Taiwan

     

  • South & Central America

    Click on the countries below for further information about their personal data breach notification regimes.

    Brazil ~ Colombia ~ Costa Rica ~ Mexico ~ Peru ~ Uruguay

     

  • Africa & Middle East

    Click on the countries below for further information about their personal data breach notification regimes.

    Angola ~ Botswana ~ Ghana ~ Israel ~ Lesotho

    Mauritius ~ Qatar~ South Africa ~ Turkey ~ Dubai DIFC

     

  • Understanding the Requirements

    What is the role of data breach notification under privacy law?

    Incident and breach management is an important privacy tool enhancing compliance in relation to the protection of personal data. It is one of the tools for mitigating and preventing risks to the rights and freedoms of individuals via notifying supervisory authorities upon learning of personal data breach and (under certain conditions) notifying data subjects as well.

    Despite it being a new element introduced by the European General Data Protection Regulation (EU) 2016/679, ‘GDPR’, into the EU privacy legislation, similar obligations were already in place for certain organizations (e.g. providers of publicly available electronic communications services or digital service providers. Also, certain EU Member States (e.g. the Netherlands) have had the personal data breach notification obligation in place even under the previous regime of the Directive EC/46/95.

    Furthermore, many states globally already operate with privacy breach notification laws in place, for example, each one of the U.S. states has its own breach notification laws and particular obligations. Same goes for Australia, Canada, Singapore, New Zealand and many other countries globally.

    What is considered a personal data breach?

    A personal data breach is typically defined similarly across jurisdictions globally, however, there are always nuances per each country – with some countries stipulating specific thresholds on notifiable personal data breaches, while others would define personal data slightly differently which in turn affects the definition of a personal data breach as a whole. The common denominator is that a breach can occur both as an accident and deliberately and entails more than just a problem of losing personal data.

    Difference among an incident, security breach, and personal data breach.
    There is an important difference between security incidents, security breach, and personal data breach. This difference determines whether the relevant privacy legislation (GDPR or any other depending on jurisdiction) along with the host of its obligations are applicable. Let’s clarify the vocabulary:

    Security incident

    = an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system

    Examples: theft and burglary, natural disasters, data line failure, system crash, unauthorised access or use of system resources, massive virus attacks etc.

    Security Breach

    = any incident that actually results in jeopardy of confidentiality, integrity, or availability of an information system

    Example: Due to a theft, company data is stolen. Depending on whether the data also includes personal data the security breach can become a personal data breach, or not.

    Personal Data Breach

    = definition is dependent upon jurisdiction, e.g. for EU/EEA: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (GDPR Art. 4(12)).

    Example: Company data is hacked and it involves personal data of the company’s clients.

  • Challenge of Global Breach Notifications

    Even though breach notification may be a relatively new instrument under the GDPR, it certainly isn’t unique from a global perspective. There is a large number of states globally that have mandatory personal data breach notification laws in place and there are new ones joining seemingly every day, most recently e.g. Canada’s breach notification obligation under the PIPEDA law – effective as of November 1st, 2018.

    Challenge Checklist

    1. Every jurisdiction has a slightly different definition of personal data or personal information, and of what constitutes personal data breach.
    2. Every jurisdiction has different notification requirements – some expect you to only notify individuals, some require organisations to notify multiple regulatory bodies. The deadlines for breach notification also range between hours, months or no concrete deadlines at all.
    3. There may be specific forms prescribed for notifying individuals (e.g. in the U.S.) in each state, and for regulatory notification – regulators will likely have specific preferred channels and forms for notification. Some would require notification via email or fax, others would seek authorized signatures on the breach notification form.
    4. In the EU, the majority of the regulators have by now introduced their own breach notification forms that (although not strictly mandatory) are recommended for use by the controllers and should facilitate the breach evaluation and investigation from the regulator’s side. These forms go often well beyond the minimum information contained in the GDPR, be prepared to answer more in-depth questions about the breach: e.g. current Belgian DPA breach notification form is 17 pages long.

    Databreachpedia was designed with these challenges in mind. We aim to help you navigate the complex and ever-changing landscape of global data breach notification requirements. Leverage the comparative information in Databreachpedia to build your global incident and breach response program.

Want to learn more? Login to the full DataGuidance platform.