Significant Harm Caused by Data Breaches: New Guidelines Issued

In an effort to protect individuals from the devastating consequences of data breaches, new guidelines have been issued by the Personal Data Protection Commission (PDPC) regarding the notification of significant harm caused by such breaches.

What Constitutes a Notifiable Data Breach?

According to the guidelines, a data breach is considered notifiable if it results in significant harm to affected individuals. This can include:

  • Physical harm
  • Psychological, emotional, or financial harm
  • Harm to reputation
  • Other forms of harm that a reasonable person would identify as a possible outcome of a data breach

Prescribed Personal Data and Threshold for Significant Scale Breaches

The PDPC has identified certain personal data that is deemed to result in significant harm if compromised in a data breach, including:

  • Credit card numbers
  • Social security numbers
  • Biometric data

If a data breach involves any of these types of personal data, the organization must notify the affected individuals and the Commission.

Additionally, the PDPC has established a threshold for significant scale breaches. A data breach that affects 500 or more individuals is considered a significant scale breach and requires notification to the Commission, even if it does not involve any prescribed personal data.

Timely Notification

The guidelines emphasize the importance of timely notification in cases where a data breach has occurred. Organizations must notify the Commission as soon as practicable, but no later than three calendar days after determining that the breach is notifiable. Affected individuals must also be notified at the same time or after notifying the Commission.

Infographic: Timelines for Assessment and Notification of Data Breaches

The PDPC has provided an infographic to help organizations navigate the timelines for assessment and notification of data breaches.

Requirements for Notifications

To ensure that organizations take proactive steps to manage and remediate data breaches, the guidelines require that notifications include:

  • The date on which and circumstances in which the organization first became aware of the breach
  • How the breach occurred
  • The number of affected individuals
  • The type of personal data involved
  • The potential harm caused

Proactive Measures

The PDPC is urging organizations to take proactive measures to prevent data breaches from occurring in the first place. However, for those that do occur, the guidelines provide a framework for notification and remediation to minimize the harm caused to affected individuals.

Key Takeaways:

  • A data breach is considered notifiable if it results in significant harm to affected individuals.
  • Certain personal data, such as credit card numbers and social security numbers, are deemed to result in significant harm if compromised in a data breach.
  • A data breach that affects 500 or more individuals is considered a significant scale breach and requires notification to the Commission.
  • Organizations must notify the Commission and affected individuals in a timely manner after determining that a breach is notifiable.
  • Notifications must include relevant details of the breach.

Resources:

  • PDPC Guidelines for Notification of Data Breaches
  • Infographic: Timelines for Assessment and Notification of Data Breaches