This chapter covers the incident reporting requirements under the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), two of the most critical regulatory frameworks for cybersecurity professionals. For the CS0-003 exam, understanding the specific timelines, thresholds, and notification obligations is essential, as questions on regulatory compliance appear in approximately 10-15% of the exam, particularly in Domain 4 (Reporting and Communications). This chapter will equip you with the precise details needed to answer scenario-based questions on breach notification, including the 72-hour GDPR deadline, HIPAA's 'without unreasonable delay' standard, and the nuances of personal data versus protected health information.
Imagine a large office building with two distinct fire alarm systems: one for the European headquarters (GDPR) and one for the US medical wing (HIPAA). Both systems detect smoke (breach) and trigger alarms, but they have different reporting requirements. The GDPR system requires that within 72 hours of detection, the fire marshal (Supervisory Authority) must be notified with a detailed report of the fire's cause, affected floors, and evacuation status. If the report is late, the building faces fines up to 4% of annual rent. The HIPAA system, on the other hand, requires immediate notification to the hospital's privacy officer if more than 500 patients are affected, plus a log entry for smaller fires. The building manager (Security Team) must document every alarm, including false ones, and retain logs for six years. Both systems share a common incident response plan: first, verify the fire (confirm the breach), then contain it (isolate affected systems), then assess damage (determine data affected), and finally notify the appropriate authorities. The key difference is timing and detail: GDPR demands a fixed 72-hour window for external notification, while HIPAA has a tiered approach based on the number of patients. Misunderstanding these deadlines is like confusing a fire drill with a real fire—both require action, but the consequences and urgency differ.
Introduction to GDPR and HIPAA Incident Reporting
Both GDPR and HIPAA impose mandatory breach notification requirements on organizations that process personal data (GDPR) or protected health information (HIPAA). While the underlying goal is to protect individuals' privacy, the specific rules differ significantly. The CS0-003 exam tests your ability to apply these rules in real-world scenarios, often asking which regulation applies based on data type and geography, and what the notification timeline is.
GDPR Breach Notification Requirements
The GDPR, effective May 25, 2018, applies to any organization processing personal data of individuals in the European Union (EU), regardless of where the organization is based. Key definitions:

- Personal data: Any information relating to an identified or identifiable natural person (data subject). This includes names, email addresses, IP addresses, health data, etc.
- Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Notification to Supervisory Authority (SA):

- Timeline: Must be notified *without undue delay* and, where feasible, not later than 72 hours after becoming aware of the breach. If notifying within 72 hours is not feasible, a reasoned justification for the delay must be provided.
- Content of notification: Must include:
  - Nature of the breach (categories and approximate number of data subjects and records concerned)
  - Name and contact details of the Data Protection Officer (DPO) or other contact point
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Exceptions: If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, notification is not required. However, the breach must still be documented internally.
Notification to Data Subjects:

- When required: When the breach is likely to result in a high risk to the rights and freedoms of natural persons.
- Timeline: Must be communicated *without undue delay*.
- Content: Similar to the SA notification, but written in clear and plain language.
- Exceptions: If the data were encrypted (and the key was not compromised), or if subsequent measures have rendered the high risk unlikely to materialize.
Documentation: The controller must document all breaches, including facts, effects, and remedial actions taken, to enable the SA to verify compliance.
HIPAA Breach Notification Requirements
The HIPAA Breach Notification Rule, effective September 23, 2009, applies to covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates. Key definitions:

- Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form (electronic, paper, oral).
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
- Exception: An impermissible use or disclosure is not treated as a breach if there is a low probability that the PHI has been compromised, based on a risk assessment considering:
  1. The nature and extent of the PHI involved
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated
Notification to Affected Individuals:

- Timeline: Must be notified without unreasonable delay and in no case later than 60 calendar days from discovery of the breach.
- Content: Must include:
  - Brief description of the breach
  - Types of PHI involved
  - Steps individuals should take to protect themselves
  - Brief description of what the covered entity is doing to investigate, mitigate, and prevent future breaches
  - Contact information for the covered entity
- Method: Written notice by first-class mail, or email if the individual has agreed to it. If contact information is insufficient, substitute notice via web posting or print/broadcast media.
Notification to Secretary of HHS:

- For breaches affecting 500+ individuals: Must be notified without unreasonable delay and in no case later than 60 calendar days from discovery.
- For breaches affecting fewer than 500 individuals: Must be logged and reported to the Secretary annually, within 60 days of the end of the calendar year.
Notification to Media:

- For breaches affecting 500+ individuals: Must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and within 60 calendar days.
Business Associate Obligations: Business associates must notify the covered entity of a breach within 60 calendar days of discovery.
Key Differences Between GDPR and HIPAA
| Aspect | GDPR | HIPAA |
|--------|------|-------|
| Trigger | Personal data breach (any type) | Breach of PHI (health data) |
| Risk threshold | High risk to rights and freedoms triggers data subject notification | Low probability of compromise determines if a breach occurred |
| Timeline for authority | 72 hours | 60 days (for 500+ individuals) |
| Timeline for individual | Without undue delay | 60 days |
| Documentation | Must document all breaches | Must document breaches affecting <500 individuals annually |
| Penalties | Up to 4% of annual global turnover or €20 million (whichever is greater) | Up to $1.5 million per violation per year (tiered based on culpability) |
Common Exam Scenarios
Scenario 1: A US hospital accidentally emails PHI to the wrong patient. This triggers HIPAA. The hospital must notify the affected patient within 60 days. If more than 500 patients were affected, also notify HHS and media.
Scenario 2: An EU-based e-commerce site suffers a data breach exposing customer names and credit card numbers. This is a GDPR breach. The company must notify the supervisory authority within 72 hours and notify affected customers if the breach poses a high risk.
Scenario 3: A US company processes data of EU residents. Even though the company is in the US, GDPR applies. The company must comply with GDPR breach notification rules.
Interaction with Incident Response
Both regulations require that breach notification be part of the incident response plan. Key steps:

- Detection: Identify that a breach has occurred.
- Assessment: Determine the type of data involved and the number of affected individuals.
- Risk evaluation: For GDPR, assess risk to rights and freedoms; for HIPAA, assess probability of compromise.
- Notification: Prepare and send notifications within required timelines.
- Documentation: Record all actions taken.
Penalties and Enforcement
GDPR: Fines up to 4% of annual global turnover or €20 million, whichever is higher. Factors include nature, gravity, duration, intent, mitigation, and previous infringements.
HIPAA: Civil monetary penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. Criminal penalties can include imprisonment.
Detect and Confirm Breach
The incident response team identifies a potential breach through monitoring, alerts, or user reports. For GDPR, 'becoming aware' occurs when the controller has a reasonable degree of certainty that a breach has occurred. For HIPAA, 'discovery' is the first day the breach is known or would have been known through reasonable diligence. The team must confirm the breach and gather initial details: what data was involved, how many records, and the nature of the incident.
Assess Data Type and Jurisdiction
Determine if the data is personal data (GDPR) or PHI (HIPAA). For GDPR, check if data subjects are in the EU. For HIPAA, check if the entity is a covered entity or business associate. This step determines which regulation applies. If both apply (e.g., EU health data processed by a US hospital), both regulations must be satisfied—the more stringent timeline (GDPR's 72 hours) takes precedence.
Evaluate Risk and Threshold
For GDPR, assess whether the breach poses a risk to rights and freedoms (e.g., identity theft, discrimination). If high risk, notify data subjects. For HIPAA, perform a four-factor risk assessment to determine if there is a low probability that PHI has been compromised. If the probability is low, the breach is not reportable. Otherwise, proceed with notification.
Notify Appropriate Authorities
For GDPR, notify the lead supervisory authority within 72 hours of awareness. If not feasible, provide a reasoned delay. For HIPAA, notify the HHS Secretary within 60 days for breaches affecting 500+ individuals; for smaller breaches, log and report annually. Also notify affected individuals within 60 days (HIPAA) or without undue delay (GDPR). For HIPAA, if 500+ individuals are affected, notify media.
Document and Remediate
Both regulations require documentation of the breach, including root cause, actions taken, and notifications sent. For GDPR, maintain a breach register. For HIPAA, document the risk assessment and any notifications. Remediation steps must be implemented to prevent recurrence. Retain records for at least six years (HIPAA) or as required by the supervisory authority (GDPR).
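The five steps above (and the key steps listed under Interaction with Incident Response) are a decision procedure with a handful of fixed inputs: when the team became aware, which data types and jurisdictions are involved, how many individuals are affected, and the outcome of the GDPR risk assessment and the HIPAA four-factor assessment. The following Python planner is an added example written for this chapter, not code from any regulator or study guide; it turns those inputs into a dated list of obligations using only the windows and thresholds stated in the chapter (72 hours, 60 calendar days, the 500-individual threshold, and the 60-days-after-year-end annual report). The `BreachRecord` fields, the obligation labels, and the sample cases are constructed assumptions; the two risk determinations are treated as inputs because they are judgment calls the team makes, not something a script can decide.

```python
"""Breach-notification deadline planner for the GDPR/HIPAA workflow above (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Union

# Windows and thresholds exactly as the chapter states them
GDPR_SA_WINDOW = timedelta(hours=72)      # supervisory authority within 72 h of awareness
HIPAA_WINDOW = timedelta(days=60)         # HIPAA cap: 60 calendar days from discovery
HIPAA_HHS_MEDIA_THRESHOLD = 500           # 500+ individuals: HHS and media in the same window


@dataclass
class BreachRecord:
    """Facts collected during Detect/Assess/Evaluate. Field names are assumptions for this example."""
    aware_at: datetime                    # GDPR 'awareness' / HIPAA 'discovery'; ISO 8601 string accepted
    eu_data_subjects: bool                # personal data of individuals in the EU involved
    phi_involved: bool                    # PHI of a covered entity or business associate involved
    affected_individuals: int
    high_risk_to_individuals: bool        # controller's GDPR risk determination
    low_probability_of_compromise: bool   # outcome of the HIPAA four-factor risk assessment

    def __post_init__(self) -> None:
        # Ticketing systems hand over timestamps as strings; normalise to datetime once
        if isinstance(self.aware_at, str):
            self.aware_at = datetime.fromisoformat(self.aware_at)


Obligation = Union[datetime, str]


def notification_plan(b: BreachRecord) -> Dict[str, Obligation]:
    """Map a breach record to its notification obligations.

    Fixed deadlines come back as datetimes; open-ended standards ('without undue delay')
    and documentation-only outcomes come back as strings.
    """
    plan: Dict[str, Obligation] = {}

    if b.eu_data_subjects:
        # GDPR reaches any organisation processing EU personal data; clock starts at awareness
        plan["gdpr_supervisory_authority"] = b.aware_at + GDPR_SA_WINDOW
        if b.high_risk_to_individuals:
            plan["gdpr_data_subjects"] = "without undue delay"
        plan["gdpr_breach_register"] = "document internally even when no notification is required"

    if b.phi_involved:
        if b.low_probability_of_compromise:
            # Four-factor assessment came out low: not a reportable breach, keep the assessment on file
            plan["hipaa_risk_assessment"] = "retain documentation; no notification required"
        else:
            deadline = b.aware_at + HIPAA_WINDOW
            plan["hipaa_individuals"] = deadline
            if b.affected_individuals >= HIPAA_HHS_MEDIA_THRESHOLD:
                plan["hipaa_hhs"] = deadline
                plan["hipaa_media"] = deadline
            else:
                # Fewer than 500: log now, report to HHS within 60 days of the end of the calendar year
                year_end = datetime(b.aware_at.year, 12, 31)
                plan["hipaa_hhs_annual_report"] = year_end + HIPAA_WINDOW

    return plan


def earliest_external_deadline(plan: Dict[str, Obligation]) -> Optional[datetime]:
    """When both regimes apply, the most stringent fixed deadline drives the response calendar."""
    fixed = [v for v in plan.values() if isinstance(v, datetime)]
    return min(fixed) if fixed else None


if __name__ == "__main__":
    # Constructed case: US cloud provider, EU customers, exposed names/emails/hashed passwords, no PHI
    saas = BreachRecord("2024-03-01T09:00:00", True, False, 12_000, True, False)
    plan = notification_plan(saas)
    for label, when in plan.items():
        print(f"{label:30} {when}")
    print("first hard deadline:", earliest_external_deadline(plan))
```

Two design points are worth noting. The annual HHS report is anchored to the end of the calendar year of discovery rather than to the discovery date, which is why a small breach found in March still produces a reporting date in the following year. And `earliest_external_deadline` is what makes the dual-applicability rule concrete: for a record with both EU personal data and US PHI, the 72-hour supervisory-authority date always sorts before the 60-day HIPAA dates.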
Scenario 1: Multi-National Healthcare Organization
A global healthcare provider with operations in the EU and US experiences a ransomware attack that encrypts patient records. The incident response team must determine which regulations apply: GDPR for EU patients, HIPAA for US patients. The team works in parallel: for EU patients, they notify the relevant supervisory authority within 72 hours and assess high risk to data subjects (e.g., if records included financial info). For US patients, they perform a four-factor risk assessment; because the data was encrypted and the key was not compromised, they determine low probability of compromise and decide not to notify individuals, but log the breach. They notify HHS within 60 days because fewer than 500 US patients were affected. The organization also faces potential fines from both regulators if timelines are missed.
Scenario 2: US-Based SaaS Provider with EU Customers
A US-based cloud service provider stores personal data of EU residents. A misconfigured S3 bucket exposes names, email addresses, and hashed passwords. The provider becomes aware on day 1. Under GDPR, they must notify the supervisory authority by day 4 (72 hours). They also assess high risk because passwords could be cracked, so they notify data subjects via email. They document the breach and implement additional access controls. Since they are not a covered entity under HIPAA (no PHI), only GDPR applies. Common mistake: assuming US companies are only subject to US laws—GDPR has extraterritorial reach.
Scenario 3: Small Clinic with PHI Breach
A small dental clinic loses a laptop containing unencrypted PHI of 200 patients. The clinic discovers the loss on Monday. Under HIPAA, they must notify affected individuals within 60 days (60 calendar days from that Monday). They must also notify HHS within 60 days because fewer than 500 individuals are affected (annual report due by end of year). They perform a risk assessment: the laptop was password-protected but not encrypted, so there is not a low probability of compromise. They send written notices via first-class mail. Common pitfall: assuming that because the laptop was password-protected, it is not a breach—HIPAA requires encryption or an equivalent safeguard to avoid notification.
CS0-003 Objective 4.2: Given a scenario, apply the appropriate incident response and communication procedures.
This objective includes regulatory compliance considerations. The exam tests your ability to:
Identify which regulation applies based on data type and jurisdiction.
Apply the correct notification timeline.
Determine when notification is required (risk assessment).
Recognize exceptions and special cases.
Common Wrong Answers and Why They Are Wrong
'Notify within 72 hours for HIPAA' – This is the GDPR timeline. HIPAA uses 'without unreasonable delay' and 60 days. Candidates confuse the two because both involve breach notification.
'Notify all affected individuals immediately for any breach' – Both regulations have exceptions. GDPR does not require individual notification if risk is low; HIPAA does not require notification if probability of compromise is low.
'HIPAA requires notification within 60 days of discovery for all breaches' – For breaches affecting fewer than 500 individuals, notification to HHS is annual, but individual notification is still due within 60 days.
'GDPR applies only to EU-based companies' – GDPR applies to any organization processing personal data of EU residents, regardless of location.
Specific Values and Terms Tested
GDPR: 72 hours, 'without undue delay', 'high risk to rights and freedoms', supervisory authority, DPO.
HIPAA: 60 calendar days, 'without unreasonable delay', 'low probability of compromise', four-factor risk assessment, HHS Secretary, media notification for 500+.
Penalties: GDPR up to 4% of annual global turnover or €20 million; HIPAA up to $1.5 million per violation per year.
Edge Cases
Simultaneous applicability: If a breach involves both EU personal data and US PHI, both regulations apply. The more stringent timeline (GDPR's 72 hours) governs.
Encrypted data: Under GDPR, if data is encrypted and key not compromised, risk may be low, but notification may still be required if other factors exist. Under HIPAA, encryption can render the probability of compromise low.
Third-party breaches: If a business associate suffers a breach, they must notify the covered entity under HIPAA. Under GDPR, the processor must notify the controller.
How to Eliminate Wrong Answers
Look for timeline keywords: 72 hours triggers GDPR; 60 days triggers HIPAA.
Look for data type: 'health information' or 'PHI' indicates HIPAA; 'personal data' or 'EU residents' indicates GDPR.
Look for notification recipient: 'supervisory authority' is GDPR; 'HHS Secretary' is HIPAA.
If the question asks about notification to individuals and mentions 'high risk', it's GDPR; if it mentions 'low probability', it's HIPAA.
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.
HIPAA requires notification to affected individuals within 60 calendar days of discovery of a PHI breach.
Under HIPAA, breaches affecting 500+ individuals require notification to HHS and media within 60 days.
Under HIPAA, breaches affecting fewer than 500 individuals must be logged and reported to HHS annually.
GDPR data subject notification is required only if the breach poses a high risk to rights and freedoms.
HIPAA's four-factor risk assessment determines if a breach has a low probability of compromise, which can exempt notification.
Both regulations require documentation of breaches and remedial actions.
GDPR applies extraterritorially—any company processing EU personal data must comply.
Maximum GDPR fines are up to 4% of annual global turnover or €20 million; HIPAA fines up to $1.5 million per violation per year.
When both regulations apply, the more stringent timeline (GDPR's 72 hours) should be followed.
These come up on the exam all the time. Here's how to tell them apart.
GDPR
Applies to any organization processing personal data of EU residents.
Notification to supervisory authority within 72 hours of awareness.
Data subject notification only if high risk to rights and freedoms.
Maximum fine: 4% of annual global turnover or €20 million.
Document all breaches in an internal register.
HIPAA
Applies to covered entities and business associates handling PHI in the US.
Notification to HHS within 60 days for breaches affecting 500+ individuals.
Individual notification within 60 days regardless of risk (unless low probability of compromise).
Maximum civil penalty: $1.5 million per violation per year.
Document breaches affecting <500 individuals for annual report.
Mistake
HIPAA requires notification within 72 hours of a breach.
Correct
HIPAA requires notification without unreasonable delay and no later than 60 calendar days. The 72-hour timeline is from GDPR.
Mistake
GDPR only applies to companies based in the European Union.
Correct
GDPR applies to any organization that processes personal data of individuals in the EU, regardless of the organization's location.
Mistake
If data is encrypted, no breach notification is needed under HIPAA.
Correct
Encryption is a factor in the four-factor risk assessment. If the encryption is strong and the key not compromised, it may lead to a low probability of compromise, but it is not an automatic exemption.
Mistake
Under GDPR, you must notify both the supervisory authority and data subjects within 72 hours.
Correct
Only the supervisory authority must be notified within 72 hours. Data subjects must be notified without undue delay if the breach poses a high risk, but there is no specific 72-hour deadline for individual notification.
Mistake
A breach of fewer than 500 individuals under HIPAA does not need to be reported at all.
Correct
Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually within 60 days of the end of the calendar year.
The deadline is 72 hours after becoming aware of the breach. If not feasible, a reasoned justification must be provided. This is one of the most critical numbers tested on the CS0-003 exam.
Yes, if a breach affects 500 or more individuals, the covered entity must notify prominent media outlets serving the state or jurisdiction. This must be done without unreasonable delay and within 60 calendar days.
It assesses the probability that PHI has been compromised by considering: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. If the probability is low, the breach is not reportable.
Yes, if the breach involves both EU personal data and US PHI. The company must comply with both regulations and could face penalties from both regulators. The more stringent requirements (e.g., GDPR's 72-hour notice) should be followed.
The notification must include: the nature of the breach (categories and approximate number of data subjects and records), contact details of the DPO, likely consequences, and measures taken or proposed to address the breach. This is a common exam point.
A business associate must notify the covered entity within 60 calendar days of discovery of the breach. The covered entity then has 60 days from that notification to notify individuals and HHS.
'Without undue delay' is a flexible standard meaning as soon as possible under the circumstances. 'Within 72 hours' is a fixed deadline. GDPR uses both: the supervisory authority must be notified within 72 hours, but data subjects must be notified without undue delay. HIPAA uses 'without unreasonable delay' with a 60-day cap.