Pablo Valerio
News Analysis-Security Now
European Union Braces for Liability Shift for Data Breaches

There are moves in the EU to introduce a change in liability for consumers who fall victim to data breaches, and other initiatives may follow. These would correct a longstanding cybersecurity moral hazard: that companies do not necessarily suffer directly from a data breach involving customer data.

In 2015, Morrisons, Britain's No. 4 supermarket group, suffered a data breach caused by a senior employee.

The disgruntled employee used his position to steal the personal data (including names, addresses, dates of birth, bank account details, salaries and national insurance numbers) of nearly 100,000 of his colleagues, which he disclosed in several ways, including sending the data to several newspapers and publishing part of it on the Internet.

The employee was found guilty of fraud the same year and sentenced to eight years in prison.

Last December, Justice Brian Langstaff, head of the Employment Appeals Tribunal, ruled that Morrisons was "vicariously liable for the leak of its employees' data."

While the company acted quickly following the breach to get the data taken down and spent a considerable sum of money to protect the affected employees, the judge ruled that the company was responsible for the actions of its employee, on the basis that the company deliberately entrusted him with access to confidential information.

Since the full implementation of the European General Data Protection Regulation (GDPR) in May this year, there has been much confusion about the responsibility of companies that collect and process data in the event of a data breach.

The GDPR is a complex piece of legislation and, despite much criticism from different sectors, has been praised as the most comprehensive data protection framework in the world, one that gives people back some control over how their personal and activity data are recorded and processed.

Because most of our daily activities have a digital footprint, the collection and processing of data from those activities are both beneficial and dangerous to the user. Under the GDPR, a data subject (the person whose data is collected) has the right to know in advance what, when, how, and where his or her personal information is being collected and processed. He or she can accept or refuse the use of that data, and has the possibility of changing consent at any time.

To provide that level of control to the data subject, the GDPR makes anyone with access to personal data liable in cases of misuse of that data.

According to the legislation, there are two different organizations responsible for safeguarding the information collected from data subjects: the data controllers and the data processors.

Data processors are any technology companies providing data transmission, storage, analytics and any other type of data-processing services. Companies such as Internet service providers (ISPs), cloud vendors and hosting companies can be classified as data processors under the GDPR.

Data controllers are the organizations or individuals collecting information from data subjects to provide a service and/or process information with such data. They are the ones ultimately responsible for fair data use and protecting the data collected. E-commerce companies, utilities, transit operators and hospitals are some examples of data controllers.

Obviously, data controllers require the services of data processors to acquire and process the information. Unless an ISP is the data controller and uses only its internal infrastructure to collect and process data, the organization needs some form of external processing to conduct data services.

The issue of liability
Under the GDPR, data controllers are the ones ultimately responsible for protecting personal data. The regulation contains several pages describing data controllers' responsibility, the measures they need to take to safeguard and minimize the collection of data and the hefty fines that can be levied against them in case of breaches or misuse of the information collected.

Since data controllers are likely to use some external services for the transmission, storage and processing of some or all the data they handle, what happens when one of the data processors is at risk or suffers a breach? Is the data controller off the hook? Are they sharing responsibility and are both subject to punishment?

It would be illogical to make data controllers responsible for all possible breaches that could happen outside of their organization. If a cloud service such as Amazon AWS or Google Cloud is compromised, there could be hundreds if not thousands of organizations affected.

However, data controllers are responsible for ensuring that the companies they contract to handle their data, especially personally identifiable data, use the highest level of security, including encryption and anonymization, to protect such data.

Additionally, data controllers need to have measures in place to minimize the risk of personal data being compromised should their data processors fail to protect it adequately. Moreover, if one of their data processors suffers a breach or discloses some of their data, they need to inform the data subjects of the occurrence as soon as they know about it.

Liability shift is coming
One of the paradoxes of most data protection legislation, including the GDPR, is that companies do not necessarily suffer directly from a data breach involving customer data.

While it is true that the GDPR has set a series of fines for non-compliance, starting at €20 million ($24 million) and up to 4% of the global revenue of a company, there are also several mechanisms to reduce and ultimately avoid the fines.

That leaves customers (the data subjects) unprotected if the data controller can demonstrate that it acted in good faith and took "reasonable provisions" to protect personal data.

Several EU governments are starting to draft legislation to correct that. Legislators in countries such as the UK believe that the ultimate responsibility to compensate consumers for any damages lies with the data controllers, regardless of the cause of the breach.

One of the emerging considerations is whether the GDPR provisions -- such as Article 80 -- open the door to class-action-style privacy cases. The UK case mentioned at the beginning of this article is one of the first of those.

According to the Irish law firm William Fry, "Article 80 of the GDPR introduces a collective action mechanism whereby not-for-profit bodies dedicated to personal data protection can initiate claims on behalf of data subjects who allege their rights have been infringed. In theory, this provision should enhance the protections GDPR affords to data subjects by giving authorised associations in each Member State the power to consolidate claims and represent them on a larger scale."

Many businesses are concerned that the financial ramifications of GDPR from data-subject claims may be even more severe than the threat from GDPR's well-publicized administrative fines.

Organizations need to ensure they have in place a robust data-breach response plan to deal with the consequences of a data breach quickly -- and limit any financial damage or distress of individuals concerned. They also need to review insurance policies to ensure they cover liability under any class or collective action.

Pablo Valerio is a technology writer whose articles have appeared in numerous publications.
