Privacy updates V1.10.2 and V1.10.3

This section lists the regulators and features that were updated in the Privacy solution.

We always appreciate feedback on current legislation and guidance whether it appears in our product or not. Contact your Customer Relationship Manager if you have any questions about these updates or suggestions for future updates. You can also use the IBM Community to see how your peers are using the Privacy solution to simplify the complex world of information security.

The following updates were added to IBM® Security QRadar SOAR in V1.10.2:
Regulator/Feature Description

Austria

Updated the Resource Library. Specifically, added the relevant breach response provisions of the Austrian DSG. Fixed the broken link to the Guidance of the Supervisory Authority in both the “Notify Supervisory Authority (Austria)” and “Subsequent Supervisory Authority Notification (Austria)” tasks.

Bahrain

This regulator was added to the Privacy solution.
  • The Personal Data Protection Act, 2018 and Order No. (43) of 2022 Regarding the Conditions to be Met in the Technical and Organizational Measures that Guarantee Protection of Personal Data (collectively “the Law”).
  • Region: Middle East
  • Requirements and Timing: The Law establishes rules relating to the protection of natural persons regarding the processing of personal data. In the case of a personal data breach, the data controller must notify the Bahrain Personal Data Protection Authority no later than 72 hours after having become aware of the breach, and must notify affected individuals.
The new regulator includes the following tasks:
  • “Notify Affected Individuals (Bahrain)”
  • “Notify the Supervisory Authority (Bahrain)”
  • “Document Breach (Bahrain)”
  • “Investigation (Harm)”

EU: GDPR

Fixed the broken link to the Guidelines on Personal Data Breach Notification under Regulation 2016/679 (wp250rev.01) in the Resource Library.

U.S.: Illinois

Updated the data types that trigger notification tasks. Updated the language in the notification tasks. Specifically, added permitted delays based on law enforcement and/or investigations to the “Notify IL Consumers Individually” task; updated the AG office email address for breach reporting, and the information recommended for inclusion in the notice to the AG, in the “Notify IL AG” task.

U.S.: Indiana

Updated the language in the Resource Library and the “Notify IN Consumers Individually” task. Specifically, added language to reflect the forty-five (45) day notification timeline provided in the latest amendment to the Indiana breach notification law.

U.S.: Kentucky

Updated the language in the notification tasks. Specifically, added the record count threshold to the “Notify Credit Bureaus (KY)” task.

U.S.: Maine

Updated the language in the notification tasks. Specifically, added language to reflect the record count threshold (1000 or more) required to trigger the “Notify Credit Bureaus (ME)” task. Also updated and fixed the links to the “Maine Security Breach Reporting Form” and other resources in the “Notify MEDPFR or AG” task.

U.S.: Minnesota

Updated the language in the notification tasks. Specifically, added language to reflect the number of individuals (500 or more) that must be affected by a data breach incident to trigger the “Notify Credit Bureaus (MN)” task; and updated the “Notify MN Consumers Individually” task to include permitted delays based on law enforcement and/or investigations.

U.S.: Montana

Updated the language in the “Notify MT Consumers Individually” task to include permitted delays based on law enforcement and/or investigations.

U.S.: New Jersey

Updated the language in the notification tasks. Specifically, added language to reflect the record count threshold (1000 or more) required to trigger the “Notify Credit Bureaus (NJ)” task; updated the language in the “Notify NJ Consumers Individually” task to include permitted delays based on law enforcement and/or investigations; and updated the New Jersey State Police contact details in the “Notify NJ State Police” task.

U.S.: Oregon

Updated the data types that trigger notification tasks. Also updated the logic that triggers the notification task for Oregon’s special set of personal data: the task is now triggered where personal data other than FN, FI, or LN is selected and “Yes” is then selected for Impact Likely in the “Further Analysis for Notification” task.
The following updates were added to IBM Security QRadar SOAR in V1.10.3:
Regulator/Feature Description
E.U. GDPR

Created a separate "Assess the Risk (Europe)" task for regulators subject to the GDPR and UK GDPR, and changed its time-frame to "immediately", as the deadline for notifying the supervisory authority is only 72 hours after the risk level is determined under the GDPR and UK GDPR.

Ghana

Updated the contact details of the Ghanaian Data Protection Commission in the "Notify Data Protection Commission (Ghana)" task.

Hong Kong

Updated the link to the Cap. 486 Personal Data (Privacy) Ordinance in the Tool Tip; updated language in the "Notify the Privacy Commissioner of Hong Kong" task. Specifically, updated the notice methods and the contact information of the Privacy Commissioner of Hong Kong.

North Macedonia

Changed the time-frame of "Assess the Risk (North Macedonia)" task to "immediately" as the deadline for notifying the supervisory authority is only 72 hours after the risk level is determined. Changed the time-frame of "Document the Breach (North Macedonia)" from "immediately" to "15 days" as immediate completion of documentation is not required. Revised the language of the Tool Tip to be less legalese.

Portugal

Updated the link to the breach reporting form of the CNPD in the "Notify Supervisory Authority (Portugal)" task.

Romania

Added the link to the English version of the Law No. 190 of 18 July 2018 in the Resource Library. Updated the link to the breach reporting form of the supervisory authority in the "Notify Supervisory Authority (Romania)" task.

San Marino

Changed the time-frame of the "Assess the Risk (San Marino)" task to "immediately", as the deadline for notifying the supervisory authority is only 72 hours after the risk level is determined. Updated the links to the Law No. 171 of 21 December 2018 Protection of Natural Persons with regard to the Processing of Personal Data in both the Resource Library and the Tool Tip. Updated the link to the breach reporting form and the contact information of the DPA in the "Notify DPA (San Marino)" task. Revised the language of the Tool Tip to be less legalese.

U.S. Alabama

Updated the logic to include Health Insurance Identification Number as a data type. Also updated the language in the notification tasks to reflect the number of individuals (more than 1000) that must be affected by a data breach incident to trigger the "Notify AG (AL)" and "Notify Credit Bureaus" tasks. Also updated the "Notify AL Consumers Individually" task to include permitted delays based on law enforcement and/or investigations.

U.S. Alaska

Updated the language in the notification tasks. Specifically, added language to reflect the number of individuals (more than 1000) that must be affected by a data breach incident to trigger the "Notify Credit Bureaus (AK)" task. Also updated the "Notify AK Consumers Individually" task to reflect permitted delays based on law enforcement and/or investigations, and the statutory requirement for customers to investigate, determine and, where applicable, document the harm suffered by affected individuals before disclosing a data breach incident.

U.S. Hawaii

Updated the language in the notification tasks. Specifically, added language to reflect the number of individuals (more than 1000) that must be affected by a data breach incident to trigger the "Notify HI Office of Consumer Protection" and "Notify Credit Bureaus" tasks. Also updated the "Notify HI Consumers Individually" task to include permitted delays based on law enforcement and/or investigations.

Mexico

Updated the link to the Federal Law on the Protection of Personal Data Held by Private Parties in both the Resource Library and the Tool Tip. Updated the language of the "Notify Affected Individuals (Mexico)" task. Specifically, removed "payments or eligibility for insurance coverage" from the required notification content, as it is not stipulated in the law.

U.S. Michigan

Updated the logic to trigger only the HIPAA/HITECH preemption notification tasks where HIPAA/HITECH is selected; added language to reflect the number of individuals (more than 1000) that must be affected by a data breach incident to trigger the "Notify Credit Bureaus" tasks; and updated the "Notify MI Consumers Individually" task to include permitted delays based on law enforcement and/or investigations.

U.S. Minnesota

Fixed a bug by updating the language in the "Notify Credit Bureaus" task to reflect the correct number of individuals (more than 500) that must be affected by a data breach incident to trigger the notification task.