Breach Notification - Reporting Data Leaks

Breach notification is the legal obligation to notify affected individuals and supervisory authorities within a set period when a data breach occurs. Spurred by the enforcement of the GDPR (in 2018), this obligation has spread across the world, and cases in which delayed or deficient notification incurs hefty fines are increasing. It is an area that demands not only a technical response to the security incident but also an organization-wide response process involving legal, public relations, and management.

Historical Background

The legislation of breach notification is considered to have begun with California's SB-1386 in 2003, the first in the world. At the time, the very concept of a notification obligation was new, and many companies got away with not disclosing breaches. Later, in 2018, the EU's GDPR mandated notification to authorities within 72 hours, making breach notification an unavoidable legal requirement for global companies. In Japan as well, the 2022 amendment to the Act on the Protection of Personal Information made the reporting and notification of breaches mandatory.

Comparison of Notification Requirements Across Major Regulations

| Item | GDPR (EU) | Act on the Protection of Personal Information (Japan) | CCPA/CPRA (California, USA) |
|---|---|---|---|
| Deadline for notifying authorities | Within 72 hours of becoming aware | Preliminary report: within 3-5 days / Final report: within 30 days | Within a reasonable period (no explicit time limit) |
| Notification to the data subject | Without undue delay when high-risk | Notification obligation as a general rule | Notify without delay |
| Breaches subject to notification | Personal data breaches in general | Sensitive personal information, more than 1,000 individuals, malicious intent, etc. | Unencrypted personal information |
| Maximum fine | 4% of global turnover or 20 million euros | A fine of up to 100 million yen for violating an order | $7,500 per violation (intentional violations) |
| Recipient of notification | Supervisory authority (DPA) | Personal Information Protection Commission | California Attorney General |

The Notification Timeline and Mandatory Items

1. Detect the breach
2. Identify the scope of impact
3. Preliminary report to authorities (within 72h)
4. Notify the data subject
5. Submit the final report and recurrence prevention measures

The notification must include the following information: the nature of the breach and the types of data affected, an estimate of the number of people affected, the anticipated risks and impact, the measures taken and the plan for future response, and the contact details for inquiries. Without a well-established incident response framework, assembling this information within 72 hours is extremely difficult.

The Risks of Delayed Notification

Delayed notification not only results in fines but also fundamentally damages corporate trust. In the 2019 British Airways case, a fine of about 20 million pounds was imposed for a GDPR violation. Uber concealed its 2016 breach for over a year and ultimately paid a settlement of 148 million dollars. In Japan as well, violating the notification obligation is subject to administrative guidance and recommendations, accompanied by reputational risk from the public disclosure of the company name. From a compliance perspective, preparing in advance, before any incident occurs, is what decides the outcome.

Practical Preparedness

"We conduct breach notification drills twice a year. By repeatedly practicing the exercise of completing the notification documents within 72 hours during a simulated incident, we have built a framework that lets us respond calmly even during an actual incident."

The practical points are preparing notification templates in advance, establishing a coordination flow among legal, public relations, and IT, and conducting regular drills. Keeping an up-to-date understanding of where and how personal information is handled makes it faster to identify the scope of impact during a breach. The overall picture of incident response is explained in the incident response guide for individuals, and the concrete procedures when a breach occurs are explained in the practical guide to data breach response. Incident response books on Amazon are also helpful for acquiring practical knowledge.

Common Misconceptions

Some companies believe that "if data is encrypted, no notification is needed," but this varies by jurisdiction. Under the CCPA, only breaches of unencrypted data are subject to notification, whereas under the GDPR, breaches of personal data are reportable regardless of whether they were encrypted. There is also a misconception that "if the breach is small in scale, there is no need to notify," but under Japan's Act on the Protection of Personal Information, a reporting obligation arises even if just one piece of sensitive personal information is leaked. For reviewing your privacy settings, please also refer to the privacy settings guide.
