Bloomberg Provides Snapshot of International Breach-Notification Risk

Thom Weidlich 04.20.17


Bloomberg Law has an interesting new report out on the different dangers in different countries from data-breach notification — as in, a company’s potential financial, criminal, and litigation exposure. It is a useful overview for communicators working to prevent crises, as it specifically mentions “incident preparedness and response” and highlights reputational risk.

The report, “Anticipating the Burden of Risk: Breach Notification Compliance,” was released yesterday and shows the 10 countries with the highest compliance risk when it comes to data-breach notification. In addition to criminal penalties and litigation, it looks at risk factors such as enforcement level and possible monetary penalties.

In terms of regulatory risk, the United States didn’t even make the top 10. Those countries are (in order): South Korea, Colombia, Mexico, France, Japan, Spain, Philippines, Belgium, Germany, and Hungary.

With its comparatively lax privacy laws, it’s not surprising the United States didn’t make the cut. And with its tough privacy laws, it’s also not surprising that Europe has five of the top 10 countries. (Bloomberg Law notes that despite European Union harmonization, countries maintain individual variations in their approaches to data-breach notification.)

Potential Imprisonment

Belgium is the only one of the 10 with no potential imprisonment and no private right of action. Germany has the highest potential criminal fine, at $11.6 million, while Colombia, Mexico, Spain, and Belgium have none. All 10 have high risks of enforcement.

Here are some other highlights from the report:

  • South Korea, at No. 1, has a rating of 83 out of a possible 100 points. Noting that the Asian country ranks high in other areas, the report cites “a fairly aggressive enforcement climate, potential criminal exposure, and relatively high potential financial exposure, particularly with regard to criminal penalties” (with a potential fine of $700,000). Privacy is strictly enforced. Lawsuits by victims are on the rise.
  • In France, data-protection agency the CNIL commonly gives companies public warnings to pressure them into complying with data-breach notification. The highest sanction in 2016 was €100,000 ($107,000) against Google. A new law, the French Digital Republic Act, took effect Oct. 7.
  • In Mexico, data-protection agency the INAI mostly enforces the Federal Law for the Protection of Personal Data reactively, relying on complaints from customers. In 2016, the INAI initiated 30 procedures, of which 22 resulted in economic sanctions totaling 50,611,145 pesos, or $2.68 million.

The report was released in conjunction with a new product available to Bloomberg Law subscribers that produces benchmark scores for 10 topics across more than 45 countries based on eight risk factors.

The tool, Compliance Risk Benchmarks, allows legal counsel and compliance professionals to plunge into data to gauge risk. Besides breach notifications, the 10 areas include employee health information, online privacy, and electronic marketing.

This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal.