Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //


// // //
09:05 AM
Pablo Valerio
Pablo Valerio
News Analysis-Security Now
Connect Directly
E-Mail vvv

European Union Braces for Liability Shift for Data Breaches

There are moves in the EU to introduce a change in liability for consumers who fall victim to data breaches, and other initiatives may follow. These would correct a longstanding cybersecurity moral hazard: that companies do not necessarily suffer directly from a data breach involving customer data.

In 2015, Morrisons, Britain's No. 4 supermarket group, suffered a data breach, caused by a senior employee.

The disgruntled employee used his position to steal personal data, (including names, addresses, dates of birth, bank account details, salaries and national insurance numbers) of nearly 100,000 of his colleagues, which he disclosed in several ways, including sending the data to several newspapers and publishing part of it on the Internet.

The employee was found guilty of fraud the same year and sentenced to eight years in prison.

Last December, Justice Brian Langstaff, head of Employment Appeals Tribunal, ruled that Morrisons was "vicariously liable for the leak of its employees' data."

While the company acted quickly following the breach to get the data taken down and spent a considerable sum of money to protect the affected employees, the judge ruled that the company was responsible for the actions of its employee, on the basis that the company deliberately entrusted him with access to confidential information.

Since the full implementation of the European General Data Protection Regulation (GDPR) in May this year there has been much confusion about the responsibility of companies in collecting and processing data in case of a data breach.

The GDPR is a complex piece of legislation and, despite many critics from different sectors, has been praised as the most comprehensive data protection framework in the world that gives back to people some control over how their personal and activity data is being recorded and processed.

Because most of our daily activities have a digital footprint, the collection and processing of data from those activities are both beneficial and dangerous to the user. Under the GDPR, a data subject (the person whose data is collected) has the right to know in advance what, when, how, and where his or her personal information is being collected and processed. He or she can accept or refuse the use of that data, and has the possibility of changing consent at any time.

To provide that level of control to the data subject, the GDPR makes anyone with access to personal data liable in cases of misuse of that data.

According to the legislation, there are two different organizations responsible for safeguarding the information collected from data subjects: the data controllers and the data processors.

Data processors are any technology companies providing data transmission, storage, analytics and any other type of data-processing services. Companies such as Internet service providers (ISPs), cloud vendors and hosting companies can be classified as data processors under the GDPR.

Data controllers are the organizations or individuals collecting information from data subjects to provide a service and/or process information with such data. They are the ones ultimately responsible for fair data use and protecting the data collected. E-commerce companies, utilities, transit operators and hospitals are some examples of data controllers.

Obviously, data controllers require the services of data processors to acquire and process the information. Unless an ISP is the data controller and uses only its internal infrastructure to collect and process data, the organization needs some form of external processing to conduct data services.

The issue of liability
Under the GDPR, data controllers are the ones ultimately responsible for protecting personal data. The regulation contains several pages describing data controllers' responsibility, the measures they need to take to safeguard and minimize the collection of data and the hefty fines that can be levied against them in case of breaches or misuse of the information collected.

Since data controllers are likely to use some external services for the transmission, storage and processing of some or all the data they handle, what happens when one of the data processors is at risk or suffers a breach? Is the data controller off the hook? Are they sharing responsibility and are both subject to punishment?

It would be illogical to make data controllers responsible for all possible breaches that could happen outside of their organization. If a cloud service such as Amazon AWS or Google Cloud is compromised, there could be hundreds if not thousands of organizations affected.

However, data controllers are responsible for ensuring that the companies they contract to handle their data, especially personally identifiable data, use the highest level of security, including encryption and anonymization, to protect such data.

Additionally, data controllers need to have some measures in place to minimize the risk of personal data being compromised in case their data processors fail to protect it adequately. Moreover, in the case of one of their data processors suffering a breach or disclosing some of their data, they need to inform the data subjects of such occurrence as soon as they know about it.

Liability shift is coming
One of the paradoxes of most data protection legislation, including the GDPR, is that companies do not necessarily suffer directly from a data breach involving customer data.

While it is true that the GDPR has set a series of fines for non-compliance, starting at €20 million ($24 million) and up to 4% of the global revenue of a company, there are also several mechanisms to reduce and ultimately avoid the fines.

That leaves customers (the data subjects) unprotected if the data controller can demonstrate that they acted in good will and took "reasonable provisions" to protect personal data.

Several EU governments are starting to draft legislation to correct that. Legislators in countries such as the UK believe that the ultimate responsibility to compensate consumers for any damages lies in the data controllers, regardless of the cause of the breach.

One of the emerging considerations is whether the GDPR provisions -- such as Article 80 -- open the door to class action-style privacy cases. The UK case mentioned at the beginning of this article is one of the first of those.

According to the Irish law firm William Fry, "Article 80 of the GDPR introduces a collective action mechanism whereby not-for-profit bodies dedicated to personal data protection can initiate claims on behalf of data subjects who allege their rights have been infringed. In theory, this provision should enhance the protections GDPR affords to data subjects by giving authorised associations in each Member State the power to consolidate claims and represent them on a larger scale."

Many businesses are concerned that the financial ramifications of GDPR from data-subject claims may be even more severe than the threat from GDPR's well-publicized administrative fines.

Organizations need to ensure they have in place a robust data-breach response plan to deal with the consequences of a data breach quickly -- and limit any financial damage or distress of individuals concerned. They also need to review insurance policies to ensure they cover liability under any class or collective action.

Related posts:

Pablo Valerio is a technology writer whose articles have appeared in numerous publications.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...