How is intermediary liability related to data breaches?
Intermediary liability refers to the legal culpability of internet intermediaries for the illegitimate, illegal, or harmful activities carried out by their users. For such culpability to arise, the users must have carried out the illegitimate activity through the service the intermediary offers. The responsibility thus devolves on intermediaries, such as internet service providers and websites, to do all they can to prevent users from using their services or technologies to commit crimes.
The liability is generally deemed “indirect” or “secondary” because it typically relates not to the intermediary’s own conduct but to the conduct of its users. Still, intermediaries are obliged to reasonably foresee the various ways in which some users can misuse their services.
The relation between intermediary liability and data breaches appears to be direct; the two go hand in hand. Where a data breach occurs through the successful manipulation of an intermediary’s service, and it is found that the breach’s success was enhanced by the intermediary’s sub-standard security framework or policy, intermediary liability sets in.
The whole essence of the intermediary liability rule is to make sure that intermediaries do all they can to rein in incidents of data breaches through their services. To avoid liability in most cases, intermediaries take steps that include:
- Contract regulation: Intermediaries regulate user conduct through contractual terms and conditions (known as TOS – Terms of Service), which users assent to during registration. These terms essentially help deter data infringement by would-be mischievous users.
- Filtering and monitoring: These are measures geared at identifying users and at identifying, removing, or blocking illegal materials.
- “Notice and disconnection”: Imposition of repeated notifications and sanctions, and consequently a termination or dehydration of services to the particular user.