Companies are increasingly using third-party ‘cloud’ services to remotely store and process data. These solutions often result in data moving across borders and being stored in multiple locations worldwide.
This geographical diversity presents significant challenges for companies in the event of an actual or suspected data security breach; navigating legal obligations regarding privacy, data security and breach notifications requirements in multiple jurisdictions can be daunting.
We offer eight tips to manage cross-jurisdictional risk and respond effectively in the event of a breach.
Managing regulatory compliance across national boundaries demands a co-ordinated strategy and action plan that meets the legal requirements of multiple countries.
Co-ordinating your strategy reduces the risk that a regulatory response in one jurisdiction will negatively affect outcomes in another. A co-ordinated approach also provides oversight of the overall strategy (including the management of admissions and evidence) and assigns primary responsibility for protecting the organisation’s rights. This is important for preserving legal professional privilege and managing discovery obligations.
Consider informing relevant regulators and affected parties of a suspected breach rather than allowing them to become aware of a breach via media reports or investigations in other jurisdictions.
Being proactive often results in better relationships with the regulator and may lead to improved regulatory outcomes.
Dealing reactively with each jurisdiction in a piecemeal manner risks amplifying negative publicity and brand damage, and may even affect insurance arrangements.
Determine which jurisdiction will take the lead in co-ordinating the response to a data security breach. The lead jurisdiction takes responsibility for identifying the affected jurisdictions and obtaining advice in each to determine:
The lead jurisdiction also co-ordinates the response strategy to inform staff and, if required, to respond to media requests or reports.
The first step in developing a regulatory response strategy is to know in which countries you will have legal obligations. This requires intimate knowledge of your data. Where is it? Where is it stored? Where are the relevant servers? How will this affect any claims for legal professional privilege in different jurisdictions? Are data transfer arrangements fit for purpose?
Armed with this knowledge you can identify the most likely countries where you will have legal obligations.
Ensure you have access to legal counsel who are able to advise on the jurisdictions you have identified.
A skilled lawyer will advise you on the extent of your obligations and what you need to do in the event of a data breach. A key question is: does transferring data to that jurisdiction (including by email, if your email server is hosted in that jurisdiction) make those documents potentially discoverable if the matter is brought before a court?
In addition to the laws of the jurisdiction in which the data is stored, organisations may also be subject to local data protection and privacy laws in their ‘home’ jurisdictions (where they have operations).
For instance, Australia’s Privacy Act 1988 (Cth) provides that conduct outside Australia with an Australian link may amount to a breach of the Act despite the data being stored elsewhere, unless that conduct is required by the law of that jurisdiction.
The next step is to review your agreements with service providers to determine whether:
Critical to this is ensuring necessary contact details for your organisation, service providers, legal advisors and regulators are kept up to date and accessible.
Privacy-related matters are inherently personal and are therefore significant to customer and supplier relationships, as well as to staff engagement and morale. Particularly where the circumstances of the actual or potential breach become public, it is important for organisations to communicate proactively with affected customers, suppliers and employees.
Once an actual or suspected breach has been addressed, the lead co-ordinator should identify any improvements to business processes, systems or arrangements that can prevent or minimise future occurrences. For example, staff education and compliance training may be enhanced, contractual arrangements or supplier selection criteria improved, or systems upgraded to allow earlier detection of potential issues.
An earlier version of this article was published in Privacy Unbound (February 2015).