A confusing mix of digital incident notification laws

We note divergent digital law trends of a statutory nature, many of which have been going on for some time, some starting out two or even three decades ago. Just to give an idea, in random order: modernizing and extending intellectual property laws, updating penal legislation with new crimes such as hacking and computer sabotage, amending the Criminal Procedure Code with extensive powers for the police and public prosecution, strengthening the legal position of the online consumer, introducing and tightening data privacy laws, adjusting evidence laws, and implementing security regulations.

At least one other legislative line dates particularly from the new century: enacting security breach notification laws or data security notification laws. This trend has been picking up steadily. The latest European addition to the stage is the Network and Information Security Directive (2016/1148), the first piece of EU-wide legislation on cybersecurity that Member States had to transpose into their own legislation, by May 9, 2018 at the latest. But the whole thing probably originated in the United States, when California SB 1386 became effective on July 1, 2003. (At this time, almost all states have this type of legislation in place.) We were caught by surprise. In Europe, digital legislation has been ‘eating the world’ since day one in order to enable the information society in optima forma, contrary to the US, where regulation is considered the perfect tool for blocking innovation. Nevertheless, the State of California took the lead in order to curb the escalating number of breaches of consumer databases.

Any breach of the security of personally identifiable information must be notified to the owner or licensee of that data. Although the terms ‘personally identifiable information’ (US) and ‘personal data’ (EU) differ (the European approach is broader), the concept behind these privacy rights is more or less the same, except that the European Union has chosen a general notification obligation to a regulator with sanctioning authority, plus an additional, more incidental obligation to inform the data subject in specified situations at the same time.

So far, so good. At first sight there seems to be hardly anything wrong with legal provisions that aim to create trust in digital systems and their providers and users, as well as to mitigate or prevent damages. So what is the problem? The answer is simple. The concept of a duty to report became so popular with legislators that they extended it to other varieties of digital incidents. It spread from a breach of the security of personal data to circumstances such as a loss of integrity or a failure of information systems. Moreover, the different incidents must be reported under different categories of statutory law (privacy, telecommunications, financial, electronic identity and, for example, cybersecurity legislation) if certain criteria are met, and to different regulators or supervisory bodies.

The increase in statutory reporting duties for different categories of digital incidents to different regulators creates confusion for managers and legal departments, and substantial liabilities for the boardroom.

And without doubt, incident coincidence will also occur in practice, meaning that a single digital incident must be reported to more than one authority, with each notification governed by its own formal and material regulations and provisions. A loss of integrity may very well include a personal data breach. In that case, the incident must first be reported to a CSIRT and later to the data privacy authority.

It could be even more complex. Based on the newly enacted Network and Information Security Act in the Netherlands (the implementation of the NIS Directive at large), Agentschap Telecom supervises the digital service providers that fall under this law. The agency also checks whether parties have met their duty of care and their reporting duty. Another organisation of the same Ministry of Economic Affairs and Climate Policy, CSIRT-DSP (the Computer Security Incident Response Team Digital Service Providers), has the task of advising on incident prevention and risk analysis, and of assisting in resolving incidents. This means, therefore, that a digital service provider is legally obliged to report to both authorities in the event of incidents that require reporting. The good news, however, is that one website handles both notifications simultaneously.

Let us not forget that a notification obligation for a digital incident may also arise from contract law in general (based on the bona fides and/or a general duty to mitigate damages) or from a specific notification clause in an agreement, where applicable. In other circumstances, tort law can be a trigger for mandatory reporting. So, many digital incident reporting duties are already among us, and this legal concept will probably conquer more ground, because trust is often lacking in today’s digital world. Only a detailed and yet comprehensive internal policy will help organisations cope with this rather confusing digital law trend, where non-compliance may lead to liability and heavy fines, and to bad publicity for sure.


Source: DATA, CYBERSECURITY & PRIVACY Magazine, April 2019, p34-35