On December 15, 2022, Thailand’s Personal Data Protection Committee (PDPC) issued the Notification on the Criteria and Procedures for Handling Personal Data Breaches.
What Constitutes a “Data Breach”?
A “personal data breach” refers to a breach of security measures that causes unlawful or unauthorized loss, access, use, modification, or disclosure of personal data, resulting from an intentional, willful, negligent, accidental, unauthorized, or unlawful act, or an act related to computer crimes, cyber threats, mistakes or accidents, or any other act. The notification also classifies personal data breaches into three categories: confidentiality breach, integrity breach, and availability breach.
Upon being informed of an actual or suspected personal data breach, a data controller must take the following actions:
- To the extent possible, assess the reliability of the information and investigate the facts related to the personal data breach, including all aspects concerning security measures, such as organizational measures, technical measures, and physical measures;
- Conduct a data breach assessment to consider whether the personal data breach is likely to result in a risk to an individual’s rights and freedom;
- Notify the Office of the PDPC, any affected data subjects, or both as required; and
- Take necessary and appropriate action to prevent further consequences resulting from the personal data breach.
Breach Assessment
When conducting a data breach assessment, the following factors must be taken into account if there is a risk to an individual’s rights and freedom.
- Nature and the type of data breach;
- Nature, type, and volume of personal data involved;
- Nature, type, and status of the affected data subject;
- Severity of the consequences of the personal data breach for any affected data subjects, and the effectiveness of the measures taken to prevent the data breach;
- Impact of the data breach on the operation of the business or on the public;
- Storage systems of the personal data involved and the relevant security measures, including organizational measures, technical measures, and physical measures; and
- Legal status of the data controller (i.e., individual or a corporate entity) and the scale and nature of its business.
Assessment Guidelines
On December 16, 2022, the PDPC issued its Guidelines on Data Breach Assessments and Personal Data Breach Notifications (Version 1.0), which provides samples of risk assessments to determine whether the Office of the PDPC and/or the data subject has to be notified of a personal data breach. While the PDPC Notification on the Criteria and Procedures for Handling Personal Data Breaches is binding on data controllers, the guidelines are merely aimed at providing guidance to data controllers when assessing the risk associated with the personal data breach.
Notifying the Office of the PDPC
When a personal data breach occurs, the data controller must notify the Office of the PDPC “without delay”—that is, within 72 hours of becoming aware of the breach—unless the personal data breach does not have any risk of affecting the rights and freedom of an individual (such as a lost USB drive with encrypted personal data or a temporary suspension of a call center system causing a brief service interruption). Although there is no mandated notification form, the notification must include the information required by the PDPC Notification mentioned above, such as nature of the breach, type and volume of records of personal data involved, the data protection officer’s contact information, possible impacts, and remedial actions.
It is also permissible to notify the Office of the PDPC of the breach by letter, in person, or via an electronic channel (to be further specified by the PDPC).
Notifying Data Subjects
Where the data breach has a high risk of affecting the rights and freedoms of an individual, the data controller must also notify the data subject without undue delay after becoming aware of the personal data breach. The information contained in the notification must be at least as required by the notification (e.g., nature of the breach, data protection officer’s contact information, possible impacts, remedial actions, and any other additional actions that the data subjects should undertake to prevent or control further damage, if any).
If it is not possible for the data controller to notify the affected data subjects individually in writing or via electronic means. Alternatively, the breach notification may be made by other means, such as a public notification.
Data Processor Obligations
Data processors must notify the data controller of the personal data breach without undue delay after becoming aware of the breach. The data controllers must set in its agreement with data processors a stipulation that the data processor is to notify the data controller within 72 hours of becoming aware of a personal data breach.
Punitive Damages and Possible Class Action Lawsuits
Under the Personal Data Protection Act B.E. 2562 (2019), data controllers and data processors can be ordered to pay actual damages plus punitive damages of up to two times the court-awarded actual damages. The amount of punitive damages depends on the severity of the breach, personal gain or benefit, and the financial status of the controller or processor. The court will also consider the steps the controller or processor took after the breach occurred, and whether the data subject contributed to the breach.
As a data breach, by its nature, may affect many individuals, class actions or mass litigation are possible. If a data subject can satisfy the court of the prerequisites, such as the number of members, the commonality and typicality of the matter, and his or her ability to adequately represent the class members, the data subject can request that the complaint represent other data subjects as well. A judgment rendered in a class action case could provide every class of member the right to claim without being initially involved as a party in the case. Alternatively, data subjects could potentially gather and jointly file complaints for damages. This potentially magnifies the possibility of litigation for data breach matters.