I. Introduction
Data misuse and data breaches are the two core risks of data security. Data misuse can be prevented through strict legal regulations that ensure standardized data processing. However, data breaches are not entirely avoidable: they arise not only from internal risks but also frequently due to external attacks. Data breaches have always been a prominent topic in the field of data governance, akin to the Sword of Damocles hanging over enterprises. In China, as early as 2012, laws and regulations regarding data breaches were established. Important laws such as the "Cybersecurity Law", "Data Security Law", "Personal Information Protection Law", and "Regulations on Network Data Security Management" all involve the issue of data breaches. The recently published draft amendments to the "Cybersecurity Law" also propose strict legal liabilities for large-scale data breach scenarios. However, data breaches have not ceased and continue to make headlines, setting new records in various statistical reviews and exacerbating data anxiety while remaining difficult to eradicate.
II. Current Status of Data Breaches
Despite continuous efforts by countries worldwide to advance data legislation and regulatory actions for data protection, data breaches have shown an upward trend globally over the past decade. The "Cost of a Data Breach 2024" report by IBM Security indicates that the global average cost of a data breach rose to $4.88 million in 2024, a new historical high, representing a 10% increase from 2023 and the largest increase since 2020. In 2020, according to the China Academy of Information and Communications Technology, the number of data breaches worldwide exceeded the total of the previous 15 years. By that time, data breaches had already become a pressing data security issue requiring resolution. The "Cost of a Data Breach 2024" report found that the highest data breach costs were in the healthcare, financial services, manufacturing, technology, and energy sectors, with healthcare companies paying the highest average cost for 14 consecutive years, averaging $9.77 million. The "2024 China Government and Enterprise Data Security Risk Research Report" by QiAnXin indicates that at least 47.16 billion data records were breached globally in 2024, a 354.3% increase compared to the 10.38 billion records in 2023. The report highlights that the IT industry, lifestyle services, and internet sectors are high-incidence areas for data security incidents globally, while in China, the internet, government and public institutions, manufacturing, healthcare, finance, and education sectors are the most affected.
It is worth reflecting on the fact that, despite the increasing awareness of data protection among the public and the growing investment by enterprises in data protection, the situation of data breaches has not improved but seems to be worsening. According to the "2024 Data Breach Investigations Report" by Verizon, vulnerabilities, ransomware, and the human element are the main causes of data breaches. Verizon's reports over the years show that the human element was involved in 85% of data security incidents in 2021, 82% in 2022, and 74% in 2023. In 2024, Verizon adjusted its calculation metric for the human element, excluding active malicious behaviors such as privilege abuse, but still found that non-malicious human errors were involved in 68% of data security incidents. There is still much work to be done in addressing "human factors" in data breaches. Enhancing data security awareness from top management down to frontline employees, recognizing data breaches more accurately, and taking appropriate action are the prerequisites and key aspects of preventing data breaches in enterprises.
III. What Constitutes a Data Breach?
Data breaches may seem like a complex issue, but the answer can be found within the concept itself. Literally, a data breach can be understood as the loss of data. However, it is crucial to note that due to the characteristics of data, such as replicability and non-exclusivity, a data breach does not necessarily mean traditional loss. Any unauthorized access, viewing, use, copying, or deletion of data, or even the mere existence of vulnerabilities that could lead to such unauthorized actions, constitutes a data breach.
Domestic data legislation in China has made various provisions for data breaches, with essentially consistent connotations but varying expressions. In fact, the connotation of "data breach" in data legislation extends beyond its literal meaning. The European Data Protection Board ("EDPB"), in its "Guidelines 01/2021 on Examples regarding Data Breach Notification" and other related guidelines, has pointed out that data breaches mainly take three typical forms: (1) breach of confidentiality, leading to unauthorized or accidental access to or disclosure of personal information; (2) breach of integrity, resulting in unauthorized or accidental alteration of personal information; (3) breach of availability, resulting in accidental or unauthorized destruction of, or loss of access to, personal information.
Read together, domestic and international regulations treat data breaches consistently. A data breach is not only a form of damage to the data itself but also a breach of security obligations, resulting in the loss of the data's secure status. This damage includes the destruction, loss, alteration, unauthorized disclosure, or acquisition of personal data during transmission, storage, or other processing activities, thereby producing the actual consequences of a breach. Therefore, data breaches are closely related to data security protection obligations. In a legal sense, a data breach refers to the disruption of the data's secure status, which may be caused by the failure to fulfill data security protection obligations. It is important to note that there is not necessarily a causal relationship between the two. Some enterprises, despite taking appropriate security measures, still unfortunately experience data breaches. For this reason, data breach notification systems have been widely established in data legislation worldwide as an effective legal means of dealing with data breaches.
IV. What is the Data Breach Notification System?
The data breach notification system refers to the practice whereby enterprises, upon experiencing a data breach, are required to notify and report to affected users, regulatory authorities, and other relevant parties in a timely manner in accordance with relevant laws, regulations, and internal policies. Its main purpose is to protect users' privacy and data security, ensuring that affected users are promptly informed of the breach so that they can take the necessary measures to mitigate losses and risks. Reporting to regulatory authorities helps them better allocate resources to reduce the impact of data breaches. The "Cost of a Data Breach 2024" report by IBM indicates that the involvement of law enforcement can reduce breach costs by more than 20% (nearly $1 million on average). Regulatory authorities can also stay informed about data breach incidents to enhance supervision and accountability.
The specific content requirements for notifications vary across different countries and regions, but they generally include the following five elements:
(1) Notification Recipients: Including affected users, regulatory authorities, and other relevant parties.
(2) Notification Content: Including the basic facts of the breach, the scope of impact, remedial measures, contact information, etc.
(3) Notification Methods: Notifications can be made via email, SMS, telephone, postal mail, etc.
(4) Notification Timing: Notifications should be issued to relevant parties within a reasonable time after discovering a data breach.
(5) Reporting Requirements: Requirements for reporting to regulatory authorities, including the timing, content, and methods of reporting.
For instance, according to Article 57(1) of the "Personal Information Protection Law", where leakage, tampering, or loss of personal information occurs or may occur, a personal information processor shall immediately take remedial measures, and notify the authority performing personal information protection functions and the relevant individuals. The notice shall include the following matters: (1) The categories of personal information that is or may be leaked, tampered with, or lost, and the causes and possible harm of the leakage, tampering, or loss of the personal information; (2) Remedial measures taken by the personal information processor and measures the individuals can take to mitigate the harm; (3) The contact information of the personal information processor.
However, enterprises are inevitably concerned that notification will bring adverse consequences, in particular strict legal liability. This is a significant emotional factor hindering the implementation of data breach notification systems and, in turn, contributes to data breaches continuously making headlines and escalating in severity. In fact, the design of data breach notification systems has fully considered this issue, and what is needed in practice is accurate application. Under a standardized data breach notification system, enterprises that fulfill their notification obligations should not bear legal liability for the notification itself, and can more effectively reduce losses for both themselves and their users.
V. What Legal Liabilities Arise from Data Breaches?
Data breaches are a type of cybersecurity incident. The "Administrative Measures for the Reporting of Cybersecurity Incidents (Exposure Draft)" by the Cyberspace Administration of China includes important data and personal information breaches. The EU also considers personal data breaches to be cybersecurity incidents. When a data breach occurs or is likely to occur, it directly triggers the notification obligation of enterprises. The relevant laws and regulations all stipulate the data breach notification system (except for the "Data Security Law"), requiring data processors to report to the competent authorities or users when a data breach occurs or is likely to occur.
Data breaches result in the loss of data security status, which is an outcome that data processors do not expect or is beyond their control. The EDPB's "Guidelines 9/2022 on Personal Data Breach Notification under GDPR, Version 2.0" points out that the result of a data breach is that the data controller cannot ensure the processing of personal data in accordance with Article 5 of the GDPR. Precisely because data breaches are difficult to completely avoid and pose significant data security risks, enterprises are required to have a notification obligation. The notification under the data breach notification system is not a form of self-surrender, nor is it asking enterprises to "prove their own guilt". Its core essence is to require enterprises to take action to notify, obtain guidance or resource support from the competent authorities, and avoid further losses to users and enterprises themselves.
In summary, all parties involved in data governance, including regulators, enterprises, and individuals, should not view the "data breach" itself as an illegal act. Otherwise, the data breach notification system would lose its meaning and feasibility. The data breach notification system is actually a separate obligation, independent of the data security protection obligations. This is rather difficult to understand and lacks specific industry practice in China, but it is crucial for accurately understanding the data breach notification system and the logical starting point for making it truly effective.
To understand the independence of the data breach notification system concretely, it is necessary to consider the four possible scenarios in practice:
(1) The data breach notification obligation is fulfilled and the data security protection obligation is also fulfilled: no legal liability is assumed.
(2) The data breach notification obligation is fulfilled but the data security protection obligation is not: no legal liability for failing to notify in the event of a breach, but legal liability for failing to fulfill the data security protection obligation.
(3) The data breach notification obligation is not fulfilled but the data security protection obligation is: no legal liability for failing to fulfill the data security protection obligation, but legal liability for failing to notify.
(4) Neither the data breach notification obligation nor the data security protection obligation is fulfilled: legal liability is assumed both for failing to notify and for failing to fulfill the data security protection obligation.
The data breach notification system is independent because of the inherent risks of data breaches, which require sufficient resources to be mobilized in a short time to deal with security vulnerabilities and prevent more serious consequences. The data breach notification is essentially an information-sharing mechanism, and the source of the information is the enterprise. The data breach notification system should carry its own separate legal liabilities (as many data breach notification systems already do), so that enterprises do not refrain from notifying out of fear that notification will lead to adverse consequences for themselves. In fact, once the data breach notification system is comprehensively implemented, the adverse effects of data breaches will be significantly reduced, and breaches will become a routine social risk event dealt with jointly by the government, enterprises, individuals, and professional third-party institutions, instead of falling into an unproductive cycle in which enterprises are passively exposed (or still have to deal with the breach on their own even if they are not exposed) and bear the risk consequences alone.
VI. Data Breach Notification System in the United States
Most countries and regions have regulations on data breach notifications. For example, the GDPR of the EU requires that data controllers notify the regulatory authorities within 72 hours of discovering a data breach. According to the "Cost of a Data Breach 2024" report by IBM, the United States has the highest average cost of data breaches, at $9.36 million. The United States does not have a unified federal data breach notification law, but several industry-specific regulations contain data breach notification requirements. For example, the "Health Insurance Portability and Accountability Act" (HIPAA) requires covered entities to report to the Department of Health and Human Services in the event of a data breach and to notify affected individuals within 60 days of discovering the breach. If the breach affects 500 or more individuals, media notification is also required. The notification content includes a description of the breach, the types of information involved, protective measures individuals should take, etc. The "Gramm-Leach-Bliley Act" (GLBA) applies to financial institutions and requires them to notify regulatory authorities and affected customers as soon as possible when customer information is accessed without authorization. The "Securities Act" requires publicly listed companies to disclose relevant information to the Securities and Exchange Commission in the event of a significant cyber incident.
While there is no unified federal data breach notification law, all 50 U.S. states, as well as the District of Columbia, have enacted their own data breach notification laws, mandating notification obligations when personal data breaches occur. Most state data breach notification laws require notification to affected individuals, and some states also require notification to state regulatory agencies or credit reporting agencies. Notification methods can include written, electronic, or substitute notifications (such as email, website postings, or media notices). For example, New York State enacted the "Information Security Breach and Notification Act" in 2005 and further amended it in 2019 with the "SHIELD Act". The SHIELD Act expanded the types of personal data covered (including biometric information, usernames, email addresses, and password credentials) and requires companies to implement technical safeguards to protect the security of personal data. Under the SHIELD Act, failure to provide timely notification may result in civil penalties of up to $20 per instance of failure to notify, with a maximum penalty of $250,000. Failure to maintain reasonable security measures may result in civil penalties of up to $5,000 per violation. California Civil Code Section 1798.29 also stipulates notification obligations in the event of a data breach, requiring notification as expeditiously as possible and without unreasonable delay. If a single data breach involves the personal information of 500 or more California residents, electronic notification to the California Attorney General is mandatory. Data breach notifications must be written in plain language and include the prominent heading "Notice of Data Breach". The notification content should include: (1) What Happened? (2) What Information Was Involved? (3) What We Are Doing? (4) What You Can Do? (5) For More Information.
Generally, data breach notifications are required to be completed as soon as possible. Most states require notification within 30 to 60 days of discovering a data breach, but there are some exceptions. For example, California clearly states that notification can be delayed if it would affect a criminal investigation. In November 2023, a serious data breach occurred in Long Beach, California, involving the sensitive personal information of more than 300,000 California residents. However, it was not until April 14, 2025, that Long Beach submitted a data breach notification. In addition, the U.S. Office of the Comptroller of the Currency (the "OCC"), a division of the U.S. Department of the Treasury, was recently reported to have suffered a major intrusion into its email system, in which hackers spied on more than 100 accounts over the course of more than a year and potentially gained access to highly sensitive information about the financial health of federally regulated financial firms. The data breach was deemed a "major incident", but some banks did not learn of its extent and impact until it was reported in April. The incident has raised questions among the public and relevant financial institutions about the OCC's response, safeguards, and data breach notification system.
VII. Implications for Enterprise Compliance
In the development and maturation of the digital society, data breaches may be unavoidable. Whether a data breach occurs depends on the level of an enterprise's data security protection, and it is also a zero-sum game between attackers and defenders. Taking an absolutely prohibitive stance towards data breaches at the legal, regulatory, and public opinion levels may not achieve the desired effect. Fully recognizing the role of the data breach notification system and genuinely applying it in data security practice will be a crucial means of addressing data breaches in the future. For enterprises, compliance can be approached from two aspects.
First, it is recommended that enterprises enhance their data security awareness and ensure the effective implementation of data security protection obligations. Data security protection obligations require continuous investment and dynamic compliance, and they have a decisive effect within the data breach notification system: where data security protection obligations are not complied with, legal liability is difficult to avoid. Therefore, it is necessary to diligently carry out enterprise data compliance work in accordance with laws and regulations such as the "Personal Information Protection Law" and the "Regulations on the Management of Network Data Security". In particular, taking into account the enterprise's own scale and nature, it is essential to implement the legal requirements relating to risk assessments, impact assessments, and emergency drills. Where feasible, enterprises should actively seek support from competent authorities or professional third-party institutions to ensure compliance with mandatory data security protection obligations.
Second, it is recommended that enterprises benchmark against the data breach notification requirements in relevant laws and regulations, such as the "Administrative Measures for the Reporting of Cybersecurity Incidents (Exposure Draft)", to establish internal prevention, monitoring, and reporting mechanisms for data breaches. At the same time, it is crucial to promptly track the formulation and release of policy guidelines and standards related to data breach notification, adjust compliance mindsets and approaches, and, when necessary, draw on the support of professional third-party institutions to actively use the data breach notification system to obtain administrative support and reduce losses for both the enterprise and its users. It is worth noting that Article 59 of the "Regulations on the Management of Network Data Security" stipulates circumstances for lenient, mitigated, or no punishment. It is reasonable to interpret data breach notification not only as a legal obligation but also as a measure that actively eliminates or mitigates the harmful consequences of data security incidents, which helps relevant enterprises reduce the risk of legal liability.
Source: King & Wood Mallesons
Authors:
- Susan Ning, Partner, Regulatory & Compliance Group, susan.ning@cn.kwm.com, Areas of practice: antitrust and competition law
- Wu Han, Partner, Regulatory & Compliance Group, wuhan@cn.kwm.com, Areas of practice: data compliance, and antitrust and competition law
- Gao Tongyue, Associate Assistant, Regulatory & Compliance Group