In our modern world, data breaches and attacks are fast becoming a frequent phenomenon, from banking to business and healthcare, amongst others. Data breaches are getting more and more sophisticated and brutal. Even those in charge of national defense, i.e. the military, aren’t exempt from this menace. The oft-repeated question in all this is: who is liable in the event of a data breach?
Fundamentally, in cloud environments, US law vests direct liability for breaches in data owners (customers) rather than data holders/providers (companies). It really doesn’t matter whether the security failure is the data holder’s fault. Why is this so, you might wonder?
It is so because the standard agreements signed between data owners and providers usually exclude providers from consequential damages and cap direct damages. So it doesn’t matter on whose end the breach occurred.
Notwithstanding the liability principles mentioned above, there are circumstances in which liability shifts from the data owner to the provider. These situations include:
- Where the provider, or an entity or agent acting for the provider, fails to implement standard, reasonable, statutorily required security measures.
- Where the provider or its agent doesn’t strive to mitigate or contain the breach.
- Where timely notification of the breach isn’t sent to the affected individuals.
In summary, when it comes to who should bear the burden of data breach liability, the answer usually isn’t cut and dried. Individual and corporate data owners should be vigilant when signing agreements with data providers and stay on top of enforcing their rights.