Pablo Valerio
News Analysis-Security Now

European Union Braces for Liability Shift for Data Breaches

There are moves in the EU to introduce a change in liability for consumers who fall victim to data breaches, and other initiatives may follow. These would correct a longstanding cybersecurity moral hazard: that companies do not necessarily suffer directly from a data breach involving customer data.

In 2015, Morrisons, Britain's No. 4 supermarket group, suffered a data breach, caused by a senior employee.

The disgruntled employee used his position to steal the personal data (including names, addresses, dates of birth, bank account details, salaries and national insurance numbers) of nearly 100,000 of his colleagues, which he disclosed in several ways, including sending it to several newspapers and publishing part of it on the Internet.

The employee was found guilty of fraud the same year and sentenced to eight years in prison.

Last December, Justice Brian Langstaff, head of the Employment Appeals Tribunal, ruled that Morrisons was "vicariously liable for the leak of its employees' data."

While the company acted quickly following the breach to get the data taken down and spent a considerable sum of money to protect the affected employees, the judge ruled that the company was responsible for the actions of its employee, on the basis that the company deliberately entrusted him with access to confidential information.

Since the full implementation of the European General Data Protection Regulation (GDPR) in May this year, there has been much confusion about the responsibility of companies that collect and process data in the event of a data breach.

The GDPR is a complex piece of legislation and, despite much criticism from different sectors, has been praised as the most comprehensive data protection framework in the world, one that gives people back some control over how their personal and activity data is recorded and processed.

Because most of our daily activities have a digital footprint, the collection and processing of data from those activities are both beneficial and dangerous to the user. Under the GDPR, a data subject (the person whose data is collected) has the right to know in advance what, when, how, and where his or her personal information is being collected and processed. He or she can accept or refuse the use of that data, and has the possibility of changing consent at any time.

To provide that level of control to the data subject, the GDPR makes anyone with access to personal data liable in cases of misuse of that data.

According to the legislation, there are two different organizations responsible for safeguarding the information collected from data subjects: the data controllers and the data processors.

Data processors are any technology companies providing data transmission, storage, analytics and any other type of data-processing services. Companies such as Internet service providers (ISPs), cloud vendors and hosting companies can be classified as data processors under the GDPR.

Data controllers are the organizations or individuals collecting information from data subjects to provide a service and/or process information with such data. They are the ones ultimately responsible for fair data use and protecting the data collected. E-commerce companies, utilities, transit operators and hospitals are some examples of data controllers.

Obviously, data controllers require the services of data processors to acquire and process the information. Unless an ISP is the data controller and uses only its internal infrastructure to collect and process data, the organization needs some form of external processing to conduct data services.

The issue of liability
Under the GDPR, data controllers are the ones ultimately responsible for protecting personal data. The regulation contains several pages describing data controllers' responsibility, the measures they need to take to safeguard and minimize the collection of data and the hefty fines that can be levied against them in case of breaches or misuse of the information collected.

Since data controllers are likely to use some external services for the transmission, storage and processing of some or all the data they handle, what happens when one of the data processors is at risk or suffers a breach? Is the data controller off the hook? Are they sharing responsibility and are both subject to punishment?

It would be illogical to make data controllers responsible for all possible breaches that could happen outside of their organization. If a cloud service such as Amazon AWS or Google Cloud is compromised, there could be hundreds if not thousands of organizations affected.

However, data controllers are responsible for ensuring that the companies they contract to handle their data, especially personally identifiable data, use the highest level of security, including encryption and anonymization, to protect such data.

Additionally, data controllers need to have some measures in place to minimize the risk of personal data being compromised in case their data processors fail to protect it adequately. Moreover, in the case of one of their data processors suffering a breach or disclosing some of their data, they need to inform the data subjects of such occurrence as soon as they know about it.

Liability shift is coming
One of the paradoxes of most data protection legislation, including the GDPR, is that companies do not necessarily suffer directly from a data breach involving customer data.

While it is true that the GDPR has set a series of fines for non-compliance, starting at €20 million ($24 million) and up to 4% of the global revenue of a company, there are also several mechanisms to reduce and ultimately avoid the fines.

That leaves customers (the data subjects) unprotected if the data controller can demonstrate that it acted in good faith and took "reasonable provisions" to protect personal data.

Several EU governments are starting to draft legislation to correct that. Legislators in countries such as the UK believe that the ultimate responsibility to compensate consumers for any damages lies with the data controllers, regardless of the cause of the breach.

One of the emerging considerations is whether the GDPR provisions -- such as Article 80 -- open the door to class action-style privacy cases. The UK case mentioned at the beginning of this article is one of the first of those.

According to the Irish law firm William Fry, "Article 80 of the GDPR introduces a collective action mechanism whereby not-for-profit bodies dedicated to personal data protection can initiate claims on behalf of data subjects who allege their rights have been infringed. In theory, this provision should enhance the protections GDPR affords to data subjects by giving authorised associations in each Member State the power to consolidate claims and represent them on a larger scale."

Many businesses are concerned that the financial ramifications of GDPR from data-subject claims may be even more severe than the threat from GDPR's well-publicized administrative fines.

Organizations need to ensure they have a robust data-breach response plan in place to deal with the consequences of a data breach quickly -- and to limit any financial damage or distress to the individuals concerned. They also need to review insurance policies to ensure they cover liability under any class or collective action.

Pablo Valerio is a technology writer whose articles have appeared in numerous publications.