European Union Braces for Liability Shift for Data Breaches

In 2015, Morrisons, Britain's No. 4 supermarket group, suffered a data breach, caused by a senior employee.

The disgruntled employee used his position to steal personal data, (including names, addresses, dates of birth, bank account details, salaries and national insurance numbers) of nearly 100,000 of his colleagues, which he disclosed in several ways, including sending the data to several newspapers and publishing part of it on the Internet.

The employee was found guilty of fraud the same year and sentenced to eight years in prison.

Last December, Justice Brian Langstaff, head of Employment Appeals Tribunal, ruled that Morrisons was "vicariously liable for the leak of its employees' data."

While the company acted quickly following the breach to get the data taken down and spent a considerable sum of money to protect the affected employees, the judge ruled that the company was responsible for the actions of its employee, on the basis that the company deliberately entrusted him with access to confidential information.

Since the full implementation of the European General Data Protection Regulation (GDPR) in May this year there has been much confusion about the responsibility of companies in collecting and processing data in case of a data breach.

The GDPR is a complex piece of legislation and, despite many critics from different sectors, has been praised as the most comprehensive data protection framework in the world that gives back to people some control over how their personal and activity data is being recorded and processed.

Because most of our daily activities have a digital footprint, the collection and processing of data from those activities are both beneficial and dangerous to the user. Under the GDPR, a data subject (the person whose data is collected) has the right to know in advance what, when, how, and where his or her personal information is being collected and processed. He or she can accept or refuse the use of that data, and has the possibility of changing consent at any time.

To provide that level of control to the data subject, the GDPR makes anyone with access to personal data liable in cases of misuse of that data.

According to the legislation, there are two different organizations responsible for safeguarding the information collected from data subjects: the data controllers and the data processors.

Data processors are any technology companies providing data transmission, storage, analytics and any other type of data-processing services. Companies such as Internet service providers (ISPs), cloud vendors and hosting companies can be classified as data processors under the GDPR.

Data controllers are the organizations or individuals collecting information from data subjects to provide a service and/or process information with such data. They are the ones ultimately responsible for fair data use and protecting the data collected. E-commerce companies, utilities, transit operators and hospitals are some examples of data controllers.

Obviously, data controllers require the services of data processors to acquire and process the information. Unless an ISP is the data controller and uses only its internal infrastructure to collect and process data, the organization needs some form of external processing to conduct data services.

The issue of liability
Under the GDPR, data controllers are the ones ultimately responsible for protecting personal data. The regulation contains several pages describing data controllers' responsibility, the measures they need to take to safeguard and minimize the collection of data and the hefty fines that can be levied against them in case of breaches or misuse of the information collected.

Since data controllers are likely to use some external services for the transmission, storage and processing of some or all the data they handle, what happens when one of the data processors is at risk or suffers a breach? Is the data controller off the hook? Are they sharing responsibility and are both subject to punishment?

It would be illogical to make data controllers responsible for all possible breaches that could happen outside of their organization. If a cloud service such as Amazon AWS or Google Cloud is compromised, there could be hundreds if not thousands of organizations affected.

However, data controllers are responsible for ensuring that the companies they contract to handle their data, especially personally identifiable data, use the highest level of security, including encryption and anonymization, to protect such data.

Additionally, data controllers need to have some measures in place to minimize the risk of personal data being compromised in case their data processors fail to protect it adequately. Moreover, in the case of one of their data processors suffering a breach or disclosing some of their data, they need to inform the data subjects of such occurrence as soon as they know about it.

Liability shift is coming
One of the paradoxes of most data protection legislation, including the GDPR, is that companies do not necessarily suffer directly from a data breach involving customer data.

While it is true that the GDPR has set a series of fines for non-compliance, starting at €20 million ($24 million) and up to 4% of the global revenue of a company, there are also several mechanisms to reduce and ultimately avoid the fines.

That leaves customers (the data subjects) unprotected if the data controller can demonstrate that they acted in good will and took "reasonable provisions" to protect personal data.

Several EU governments are starting to draft legislation to correct that. Legislators in countries such as the UK believe that the ultimate responsibility to compensate consumers for any damages lies in the data controllers, regardless of the cause of the breach.

One of the emerging considerations is whether the GDPR provisions -- such as Article 80 -- open the door to class action-style privacy cases. The UK case mentioned at the beginning of this article is one of the first of those.

According to the Irish law firm William Fry, "Article 80 of the GDPR introduces a collective action mechanism whereby not-for-profit bodies dedicated to personal data protection can initiate claims on behalf of data subjects who allege their rights have been infringed. In theory, this provision should enhance the protections GDPR affords to data subjects by giving authorised associations in each Member State the power to consolidate claims and represent them on a larger scale."

Many businesses are concerned that the financial ramifications of GDPR from data-subject claims may be even more severe than the threat from GDPR's well-publicized administrative fines.

Organizations need to ensure they have in place a robust data-breach response plan to deal with the consequences of a data breach quickly -- and limit any financial damage or distress of individuals concerned. They also need to review insurance policies to ensure they cover liability under any class or collective action.

Related posts:

— Pablo Valerio is a technology writer whose articles have appeared in numerous publications.