Businesses in Asia and their general counsel are faced with safeguarding against increasingly sophisticated cyber-threats while navigating a complex regulatory framework for incident disclosure. Chandu Gopalakrishnan reports

On 27 February this year, the general counsel of Australian businesses woke up to a new and worrying decision by the Australian government.

The authorities issued guidelines for boards of directors of companies operating in the region on better and timely action during cybersecurity incidents. What was unprecedented was the decision to hold the board responsible for timely disclosure of a cyber-crisis, and to make it liable for improper disclosure or no disclosure at all.

“Cybersecurity is the responsibility of everyone, including business,” wrote Clare O’Neil, Australia’s minister for cybersecurity, on her social media channels.

According to her, the new and stringent governance guidelines will hold Australian company directors to higher standards and help them respond “swiftly, accurately and transparently” during attacks.

“It will help companies know their obligations when it comes to protecting their cyber security and how best to respond to cyberattacks and ransom demands,” she wrote.

However, the newly issued guidelines do not mention any time window for the affected companies to make mandatory disclosure of an incident, the damage done and the possible ramifications.

“Organisations may also be required to notify contractual counterparties of the incident within a specific timeframe, and third parties may have a contractual right to attend the organisation’s premises for auditing purposes,” says an explanation under a section titled “Contractual implications”.

This clearly puts the onus of reporting an incident at the earliest and avoiding any form of misreporting firmly on the company board and, by extension, the general counsel of the business.

An exploratory look by Asia Business Law Journal has revealed that policy mindsets are similar across Asia.

EU developments, Asia effects

Data protection and data breach disclosure norms across the world faced a watershed moment in May 2018, when the EU implemented the General Data Protection Regulation, or GDPR.

Under the GDPR, organisations must report a personal data breach to the relevant supervisory authority without delay and, when feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to personal rights and freedoms.

If the notification is not made within 72 hours, it should be accompanied by reasons for the delay.

When the data breach is likely to result in a high risk to individuals, the organisation must also reveal the incident to those affected without undue delay.

Under the GDPR, failure to report a data breach within a 72-hour window, or failure to comply with any other requirement related to handling data breaches, can result in significant penalties.

The penalties for non-compliance with the GDPR, including failure to report a data breach on time, can be up to EUR20 million (USD21.7 million) or 4% of the firm’s total global annual turnover of the preceding financial year, whichever is higher.

The exact penalty within this framework depends on several factors including the nature, gravity and duration of the infringement, any actions taken by the firm to mitigate the damage, and any previous infringements by the firm.

The ambit of the GDPR goes beyond the EU. Under the regulations, if a company or organisation outside the EU offers goods or services to people in the EU or monitors their behaviour, the GDPR still applies to them.

Sensing the economic ramifications, several countries around Asia quickly moved to ensure their data security laws align with the GDPR, with Japan and South Korea leading the way. Both countries even made it onto the EU’s “white list” of countries outside the EU offering an adequate level of data protection.

US moves to centralisation

In the US, there is no single federal law that dictates a uniform timeframe for reporting cybersecurity incidents for all organisations across every sector. Instead, the US has a patchwork of state and sector-specific laws and regulations that govern data breach notifications.

Nearly every state in the US has its own data breach notification law, and these laws vary in terms of what constitutes a breach, what types of data are covered, and the timeline for notification.

[Photo caption: Keun Woo Lee, Yoon & Yang]

Most states require notification of affected individuals without unreasonable delay, with specific timeframes usually set at 30 or 45 days after discovery of the breach.

There are also federal regulations, like the Health Insurance Portability and Accountability Act, that include data breach notification requirements for specific sectors.

The US federal government recently started working to establish more unified cybersecurity incident reporting requirements, particularly for critical infrastructure sectors.

For instance, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires certain critical infrastructure entities to report substantial data breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours, and ransomware payments within 24 hours.

The US also imposes big-ticket penalties for non-disclosure of cybersecurity incidents.

One of the most significant penalties for the non-disclosure of a cyberattack involved the credit reporting agency Equifax. In September 2017, the company disclosed a massive data breach that had exposed the personal information of about 147 million people.

In response to the breach and its mishandling, including delays in disclosure and inadequate security measures that led to the breach, Equifax agreed to a global settlement that included the Consumer Financial Protection Bureau, the Federal Trade Commission, and 50 US states and territories.

The settlement, announced in July 2019, required Equifax to pay at least USD575 million and up to USD700 million as part of the penalty, and to provide affected consumers with credit monitoring services, which further increased the company’s costs associated with the breach.

Meanwhile, Asian counterparts were still playing catch-up when it came to disclosure norms.

Japan, then South Korea

In Japan, the Act on the Protection of Personal Information was revised significantly in 2020. While the act requires businesses to take necessary and proper measures to prevent leaks of personal data, it does not specify a strict timeline for reporting data breaches.

However, guidelines suggest promptly notifying affected individuals and the relevant authority, the Personal Information Protection Commission, when a significant breach occurs. Penalties for non-compliance include imprisonment for up to six months or fines of up to JPY500,000 (USD3,400), depending on the nature of the violation.

Other Asian countries soon followed suit. While cybersecurity incident disclosure became mandatory in most Asian countries, none of these provisions gives a specific time window for organisations to report breaches, nor are they clear about what constitutes misreporting.

In South Korea, in the event of a data breach, the Personal Information Protection Act requires data handlers to immediately notify the affected individuals and, for breaches affecting more than 1,000 people, to also notify the Korea Internet & Security Agency and the Personal Information Protection Commission.

Keun Woo Lee, a partner at Yoon & Yang in Seoul, says: “If a cyber incident occurs, it must be reported unconditionally regardless of whether or not any personal information leak has occurred. Furthermore, if a personal information leak has indeed occurred, if certain standards are met as described above, a separate and additional report must be made as well.

[Photo caption: Vikrant Singh Negi, DSK Legal]

“Companies may not want to report cyber incidents, but the current law imposes a reporting obligation in the event of an accident. Accordingly, a response must be prepared in the event of an accident.”

Under the current legal provisions, entities neglecting to report an incident could face fines of up to KRW10 million (USD7,500). The consequences intensify if the breach involves a personal information leak.

Under provisions of the Personal Information Protection Act, failure to report such incidents could result in fines of up to KRW30 million as well as criminal penalties including imprisonment for responsible parties.

However, again, there is no blanket provision on the time window in which the disclosure must be made.

“Laws pertaining to electronic financial transactions and medicine provide special regulations and reporting obligations regarding cyber incidents,” says Lee.

“As such, financial companies, electronic financial businesses and medical institutions must make reports as required under such laws and regulations.”

Singapore stands out

Singapore is a rare exception when it comes to imposing disclosure deadlines.

The Personal Data Protection Act (PDPA) in Singapore requires organisations to notify the Personal Data Protection Commission (PDPC) and affected individuals as soon as practicable if there is a data breach that is likely to significantly harm or impact the individuals concerned.

The PDPA was amended in 2020 to introduce mandatory data breach notification requirements, with organisations required to assess the breach and notify if it meets certain criteria, typically within 72 hours of assessment.

Fines for non-compliance can go up to SGD1 million (USD749,000) or 10% of the organisation’s annual turnover in Singapore, whichever is higher.

“The PDPC may also publish its decision that the organisation failed to comply with the PDPA, which may lead to negative publicity for the organisation,” says Lam Chung Nian, a partner at WongPartnership in Singapore.

The PDPA also provides for various offences relating to non-cooperation with the PDPC, he adds. “In the case of an individual, if convicted, they may be liable to be fined up to SGD10,000 and/or imprisoned for up to 12 months.”

The highest financial penalty imposed to date under the PDPA in a single decision amounted to a total of SGD1 million, comprising a SGD750,000 penalty imposed on a healthcare technology provider and a SGD250,000 penalty imposed on a healthcare provider.

“These financial penalties were imposed in 2019, before amendments to the PDPA in 2022, which increased the maximum financial penalty. Future financial penalties may be higher on account of the increased maximum quantum,” says Lam.

China, India, and 2 billion reasons

Cybersecurity incidents invite stricter scrutiny and harsher penalties if personal data is breached. By that standard, India and China – the world’s two most populous countries – are the biggest minefields for companies and their general counsel.

The Cybersecurity Law of China, effective from June 2017, requires network operators to take immediate measures to address cybersecurity incidents, mitigate the impacts, and file reports to the relevant authorities.

The Personal Information Protection Law, effective November 2021, further strengthens these requirements, especially concerning personal data protection, and sets out obligations for reporting breaches.

Penalties for non-compliance can be severe, including fines of up to CNY50 million (USD6.9 million) or 5% of the annual turnover of the previous year, whichever is higher.

Meanwhile, India’s approach to data protection is in a state of transition, with the Personal Data Protection Bill still under discussion.

The primary legal framework for cybersecurity incident reporting comes from the Information Technology Act, 2000, and the rules and guidelines issued by the Indian Computer Emergency Response Team (CERT-In).

However, if the proposed act is enacted without any changes, businesses in India would face the shortest window in the world for incident disclosure.

As per the directions dated 28 April 2022, issued by CERT-In, a cyber incident must be reported to it within six hours of the service provider, intermediary, data centre, body corporate or government organisation becoming aware of it.

[Photo caption: Tran Manh Hung, Baker McKenzie Joint Asian Offices]

Failure to report the breach may result in both imprisonment of up to one year and a fine that may extend to INR10 million (USD121,000).

The evolution of legal provisions across the world shows that such tight deadlines and harsh penalties are usually imposed after landmark cases. No big penalty has been imposed on any entity in India so far, says Vikrant Singh Negi, a partner at DSK Legal in Mumbai.

“However, sometime in October 2023, the Ministry of Electronics and Information Technology sent a notice to Apple after the latter had warned iPhone customers in India that their devices may have been targeted in a ‘state-sponsored’ attack,” he adds.

“Given the sensitivity and complexity of the issue involved, the ministry reminded Apple that such security breaches are required to be reported to CERT-In within six hours of occurrence.”
