Study Guide: Certified Information Privacy Professional (CIPP): Common - Data Breach Notification, Global Overview
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-common-data-breach-notification-global-overview

Certified Information Privacy Professional (CIPP): Common - Data Breach Notification, Global Overview

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP (US & EU) – Data Breach Notification – Global Overview


What This Is

Data breach notification is the legal duty to tell regulators, affected individuals, and sometimes the public when personal data is accessed, disclosed, or destroyed without authorization. It’s a “red-flag” requirement that turns a security incident into a compliance event. Imagine a multinational retailer that stores EU customer purchase histories in a U.S. cloud. A hacker steals a backup file containing those records. The retailer must decide who to notify, when, and what to say—under GDPR (EU), CCPA/CPRA (California), HIPAA (U.S. health), and other breach-law regimes. Failure to notify on time or to the right parties can trigger massive fines, reputational damage, and private-right lawsuits.


Key Terms & Provisions

  • Data Breach (GDPR Art. 4(12)) – A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.
  • Notification Deadline (GDPR Art. 33) – Controllers must inform the supervisory authority within 72 hours of becoming aware of a breach (unless unlikely to risk individuals’ rights).
  • Breach Notification (CCPA/CPRA § 1798.150–.155) – Covered businesses must notify California residents “in the most expedient time possible and without unreasonable delay” (generally within 30 days).
  • HIPAA Breach Notification Rule (45 C.F.R. § 164.404) – Covered entities must notify affected individuals within 60 days of discovery; the HHS OCR must be notified within 60 days for breaches affecting ≥500 individuals, and within 30 days for <500.
  • “Reasonable” vs. “Prompt” (ePrivacy Directive Art. 5(3)) – For electronic communications, the data controller must inform users “without undue delay” after a breach.
  • “Notifiable” Threshold (US State Laws) – Many U.S. statutes (e.g., NY SHIELD, Texas) trigger notification only if ≥500 individuals are affected; some (e.g., Virginia) use a 100-person threshold.
  • “Controller” vs. “Processor” (GDPR Art. 4) – Controllers decide why and how data is processed; processors act on the controller’s instructions. Controllers bear the primary notification duty, but processors must assist and may be directly liable if they fail to cooperate.
  • “Covered Entity” & “Business Associate” (HIPAA 45 C.F.R. § 160.103) – Covered entities (e.g., hospitals) must notify; Business Associates (e.g., cloud-hosting firms) must notify the entity and may have direct notification duties under the Business Associate Agreement (BAA).
  • “Reasonable Security Measures” (GLBA § 501(b)) – Financial institutions must have a written information security program; breach notification is required when the program fails and personal information is compromised.
  • “Data Subject” (GDPR Art. 4) – The individual whose personal data is involved; they have a right to be informed of a breach that may affect their rights or freedoms.
  • “Breach Impact Assessment” (NIST SP 800-61 Rev. 2) – A systematic process to evaluate the scope, severity, and remediation steps of a breach; often used as the internal basis for meeting external notification deadlines.

Step-by-Step / Process Flow

  1. Detect & Contain – Log the incident, isolate affected systems, and preserve evidence (forensic images, logs).
  2. Classify the Breach – Determine data types, volume, and sensitivity (e.g., health data, financial data, EU-resident data).
  3. Assess Jurisdictional Triggers – Identify which laws apply (GDPR, CCPA, HIPAA, state statutes) based on data subjects, location of the controller/processor, and data type.
  4. Notify Internal Stakeholders – Activate the incident-response team, legal counsel, and senior management; assign a breach liaison.
  5. Prepare & Send Notifications
     • Regulators: Submit required forms (e.g., GDPR 72-hour report, HHS OCR 60-day form).
     • Individuals: Draft clear, plain-language notices (what happened, what data, risk, steps to protect, contact info).
     • Public (if required): Issue press releases or website alerts when media coverage is likely.
  6. Document & Review – Keep a breach register, record decisions, and conduct a post-mortem DPIA or risk assessment to prevent recurrence.

Common Mistakes

Mistake: Assuming a breach only triggers notification if actual harm occurs. Correction: GDPR and most U.S. laws require notification based on risk or potential harm, not proof of damage.
Mistake: Waiting for senior management to “sign-off” before notifying regulators. Correction: Notification deadlines are absolute; the clock starts when the breach is discovered, not when approval is received.
Mistake: Treating a processor’s breach as the controller’s problem and ignoring the processor’s duty to notify. Correction: Processors must assist and may be directly liable; include processor notification clauses in contracts.
Mistake: Using generic “we have been hacked” language in consumer notices. Correction: Provide specific details (date, data categories, steps to mitigate) as required by CCPA/CPRA and GDPR.
Mistake: Over-relying on a single “global” notification template. Correction: Tailor notices to each jurisdiction’s statutory language (e.g., HIPAA’s “Notice of Breach” format vs. GDPR’s “Data Breach Notification”).

CIPP Exam Insights

  1. Deadline Differentiation – Exams love to ask you to pick the correct notification window (72 hrs GDPR vs. 30 days CCPA vs. 60 days HIPAA). Remember the “72-hour rule” is to the authority, not the individuals.
  2. Scope Triggers – Know that GDPR Art. 3(2) applies to non-EU controllers that target EU data subjects (e.g., offering goods to EU residents). This is a frequent “trick” question.
  3. Controller vs. Processor Liability – The controller must notify the authority; the processor must assist and may be fined for non-cooperation. Many candidates confuse who sends the consumer notice.
  4. State-Law Thresholds – Be ready to identify which U.S. states have lower thresholds (Virginia 100, Nevada 250) versus the “500-person” norm.

Quick Check Questions

  1. Scenario: A U.S. SaaS provider discovers that a backup containing EU customers’ email addresses was exposed. The provider has no EU office.
    Answer: The provider must notify the relevant EU supervisory authority within 72 hours (GDPR Art. 33) because it targets EU data subjects.
    Explanation: Targeting (offering services to EU residents) triggers GDPR extraterritorial scope even without a physical EU presence.

  2. Scenario: A California-based health-tech startup (covered entity under HIPAA) learns that a laptop containing 300 patient records was stolen.
    Answer: The startup must notify the affected individuals within 60 days and the HHS OCR within 60 days (since ≥500 records are involved).
    Explanation: HIPAA’s breach-notification rule applies to any breach of protected health information; the 60-day deadline is the same for both individuals and OCR when the breach affects 500+ individuals.

  3. Scenario: A retailer experiences a breach affecting 150 California residents’ names and purchase histories. The breach is discovered on March 1.
    Answer: The retailer must send the consumer notice as soon as practicable and without unreasonable delay, but no later than 30 days after discovery (CCPA/CPRA).
    Explanation: CCPA/CPRA requires “most expedient time possible” and caps the deadline at 30 days; the retailer should aim for the earliest feasible notice.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 33 – 72-hour rule: Notify the supervisory authority within 72 hrs of breach awareness.
  2. CCPA/CPRA § 1798.150 – 30-day rule: Consumer notice must be sent within 30 days of discovery.
  3. HIPAA 45 C.F.R. § 164.404 – 60-day rule: Affected individuals and HHS OCR must be notified within 60 days (≥500 records).
  4. ePrivacy Directive Art. 5(3) – “Prompt”: Electronic-communication providers must inform users “without undue delay.”
  5. GLBA § 501(b) – Financial breach: Any breach of “nonpublic personal information” triggers notification to affected customers.
  6. State-Law thresholds: VA = 100, NV = 250, most others = 500 individuals.
  7. Controller vs. Processor: Controller notifies; Processor assists and may be fined for non-cooperation.
  8. “Targeting” test (GDPR Art. 3): Offering goods/services to, or monitoring, EU residents means GDPR applies, even without an EU office.
  9. GDPR Art. 3 applies to non-EU companies if they target EU data subjects – “targeting,” not just accessibility.
  10. Landmark case: Google Spain SL v. AEPD (C-131/12) – established the “right to be forgotten” and reinforced the extraterritorial reach of GDPR.

Use this sheet to jog your memory on the most exam-relevant numbers, deadlines, and jurisdictional triggers. Good luck!