LEGAL LIABILITIES OF AN ENTITY IN THE CASE OF A DATA BREACH
In this day and age of the motto “the one with data rules”, any business or individual handling customers’ personal data must be as careful as, if not more careful than, a bank handling their money.
Personal information contained in the files of a business is a goldmine for hackers—they can peek into and monitor every aspect of a person’s life: personal matters, financial activities, and even social and political views, among others.
A breach is something that could potentially compromise the entire online presence of a person, which could lead to catastrophic results.
In any legal proceeding trying to claim damages or a statutory remedy, it is important to ascertain the legal liabilities of the concerned entities.
This blog attempts to cover the legal liabilities of an entity in the case of a data breach from a global perspective.
Instances of a data breach
Any discussion of data breaches is incomplete without assigning a proper definition to the term “data breach”. Although not exhaustive, the following 8 situations try to encapsulate the possible instances of a data breach:
1. Stolen Passwords or Weak Credentials
As the name suggests, this type of breach involves hackers stealing credentials such as passwords and using them for malicious activities. Although this is the most common type of data breach, it is also one that can be easily prevented: use strong, hard-to-guess passwords and change them regularly.
2. Back Door Failures
This type of breach happens when hackers exploit an existing weakness or vulnerability in a system. This can be prevented by regularly updating software with the latest patches.
3. Malware
Malware is software that appears normal but conceals malicious content that, once triggered, gets hold of sensitive information. Malware is a real menace that can be controlled with the help of an up-to-date anti-malware scanning programme, along with strictly refraining from opening or downloading anything received via unknown emails.
4. Phishing/Social Media Scams
Luring innocent people with promises of massive monetary gains and other benefits, hackers try to get hold of sensitive information such as passwords and financial details. An organization with many separate permissions in place is a blessing for hackers, as each one guards a goldmine of information.
Businesses will find it tricky to keep track of all these permissions, which increases the possibility of a data breach. Whenever possible, businesses must try to restrict the number of permissions given to users.
5. Internal Threats
One can classify internal threats into two: the “crook” and the “careless”. The crook leaks information for his own gain, while the careless leaks information out of ignorance. To minimise internal threats, businesses should raise employee awareness and monitor systems periodically to weed out the “crooks”.
Who are the Parties Involved?
With the advent of popular cloud-based environments, more and more data is being entrusted to third-party cloud vendors. Data security in the cloud is a tricky affair. A wide range of unique threats, such as indirect and remote management, lack of operational transparency, and amplification of external threats, can make data especially vulnerable in the cloud.
Usually, in such scenarios, three parties are involved:
● User: The user or customer who avails of the service.
● Owner of Data: The business that offers products and services to the user.
● Holder of Data: The third-party vendor that offers hosting services such as Amazon Web Services, IBM Cloud, and Microsoft Azure.
How to Determine Liability?
In a cloud-based environment, the owner of data (the business) is usually the one at whom all the fingers will be pointed in the event of a breach. Whether the breach is their own or that of the third-party vendor, the data owner bears the ultimate liability towards the customers.
This is one of the main reasons why data owners opt for a cyber liability insurance policy.
Types of Liability
A data owner will usually have two types of liability: statutory and civil.
Statutory Liability
This type of liability arises from doing an act in contravention of an enacted law. Almost all countries have enacted some kind of statute that imposes liability on data owners for breaches.
Civil Liability
Customers have the right to bring an action before the courts if the obligation to protect their data is set out in a written contract. However, nowadays, plaintiffs are bringing actions based on an “implied contract” to protect the data even in the absence of an express provision.
Although data breach claims are difficult for plaintiffs to prove, courts are increasingly accepting suits seeking uncertain or remote damages. Since the leaked information may not yet have been put to use, plaintiffs often argue that the breach has made them more prone to future attacks.
The United Kingdom
The Companies Act, 2006 lays down the fiduciary duties of directors, which include the duty to take steps to ensure the company’s success by exercising skill, care and diligence.
Similar to recognised civil liability theories, the board’s failure to employ secure and sufficient cyber protection measures amounts to a breach of such duty. UK law also applies the “ordinary prudent man” test when ascertaining liability. A recent case established the maintainability of a civil suit under the UK Data Protection Act, 1998. What is more alarming for companies is that a suit can be maintained even if there is no direct monetary loss.
Plaintiffs have the option to bring such a suit either against the company or against the directors in person. Companies in the UK are also governed by the General Data Protection Regulation (GDPR), which remains in force in the UK even after “Brexit”. The GDPR imposes obligations that companies handling massive amounts of personal data must follow, failure of which could result in massive fines and penalties.
Furthermore, the Information Commissioner’s Office, the data privacy regulator in the UK, can direct and even compel directors to ensure compliance with its constantly updated data security regulations.
Personal liability also arises in the case of directors of regulated entities. The Financial Conduct Authority closely monitors the directors of companies in the financial services sector and will take action if proper cyber security compliance is not met.
Under the UK Listing Rules, directors of public companies must also disclose cyber breaches, failure of which could lead to personal liability.
The European Union
In addition to the aforementioned GDPR, the EU is legislating several updated regulations and laws dealing with privacy and cybersecurity.
The EU Network and Information Security Directive (NIS Directive), adopted in 2016, provides for EU-wide legislation on the security of network and information systems, enabling improved cyber-security implementation.
Last year a 746 million Euro fine was imposed on Amazon by the Luxembourg National Commission for Data Protection for non-compliance with the EU’s General Data Protection Regulation. The Data Protection Commission of Ireland also imposed a $225 million fine on WhatsApp for not complying with the GDPR transparency requirements, showcasing the heavy price companies have to pay for non-compliance.
The United Arab Emirates
The UAE Commercial Companies Law mandates personal liability for directors and officers in the event of a data breach. If a data breach happens in a public company, the directors are liable to the shareholders and the company.
Although there is a scarcity of case law on these provisions, it can reasonably be inferred that such instances will come under the ambit of the statutory provisions.
The UAE also imposes strict criminal liability for the unauthorised publication of sensitive personal information.
Germany
Similar to the laws of other jurisdictions, German law also recognises a director’s liability in the event of a data breach. German law mandates personal liability for breach of duty on the part of directors and prescribes a high standard of security maintenance and upkeep. Although the law prescribes the personal liability of directors, that liability is owed only to the company and not to third parties.
Canada
Directors and officers can be held liable for violating Canadian law relating to privacy risk and cybersecurity. Under the Canada Business Corporations Act (RSC, 1985) (CBCA), directors must carry out their obligations honestly and in good faith, without detriment to the company.
The Act also gives shareholders the right to initiate a derivative action against directors for a breach of duty, through which they can recover pecuniary damages on behalf of the company. Canadian privacy statutes also prescribe liability for directors and officers. However, these statutes are present only in a few Canadian states.
South Africa
Directors and officers are personally liable under South African law for privacy and cybersecurity failures. Like other Commonwealth countries inspired by the English legal system, South Africa treats the failure to put a proper cybersecurity system in place as a breach of directors’ duty.
Although the directors work through the “separate legal entity” principle, there is a greater possibility of higher personal liability due to the unique nature of the applicable laws.
The South African Regulators can also take action against directors if they fail to carry out their fiduciary duties. The Protection of Personal Information Act (POPI), passed in South Africa, allows regulatory action against companies and individuals for any breach. Hence, in South Africa, a director can face penalties, administrative fines, civil fines, and even imprisonment for a data breach.
Australia
As in South Africa, the USA and the UK, directors and officers in Australia face personal liability if there is a privacy or cybersecurity failure in the company. Under the Corporations Act 2001, directors and officers have a combined responsibility to employ the necessary risk management strategies, conduct due diligence and take reasonable care.
Furthermore, the Australian Securities and Investment Commission (ASIC) also has the power to initiate suits for breach of duties by the directors.
The consequences are dire and include compensation orders, monetary penalties, declarations of contravention, and even disqualifying the directors. A civil proceeding can also be initiated against the directors by derivative actions for not taking the proper steps to prevent and contain the breach.
The United States of America
Although there is no uniform data protection law in the USA, there are numerous state and federal laws that protect the interests of customers after a cyber breach. As per the National Conference of State Legislatures (NCSL), all the states of the United States have enacted laws that mandate proper notification of customers whose data has been leaked in a data breach.
The federal Gramm-Leach-Bliley Act requires financial companies to disclose to customers how they share sensitive information, in order to ensure the protection of sensitive data. The Health Insurance Portability and Accountability Act of 1996 has certain special provisions that provide for the encryption of patients’ medical data.
Furthermore, depending on the nature of the business, a breach may have to be disclosed to the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), or the United States Department of Justice.
Apart from the aforementioned statutes that prescribe liability, an action can also be brought against the company for breach of contract or in tort over a breach of data. If a data-protection provision is stipulated in the contract, plaintiffs can sue the directors for breach of contract.
They can also proceed on the basis of an implied contract, which may be read into the express contract. In a tort claim, the common economic loss defence (arguing that no monetary loss has taken place) bars the plaintiffs from proceeding in tort and restricts them to an action for breach of contract alone.
India
With more than 86.63 million data breaches, India holds the third position for the highest number of data breaches.
The main provisions for data protection and privacy are contained in the Information Technology (Amendment) Act, 2008, which also determines criminal and civil liabilities for a breach. The Personal Data Protection Bill, 2019, an independent law for the protection of personal information, is still in the works and is yet to be passed.
The main provisions dealing with liability under the IT Act are as follows:
Section 43A
Under Section 43A of the IT Act, any body corporate that owns, uses or manages sensitive personal data or information in a computer system that it owns, controls or operates is liable for damages if it fails to maintain reasonable security practices and thereby causes wrongful loss or wrongful gain to any person.
A civil action is also permissible under Section 43A for a breach of sensitive personal information. This grants a remedy to a person whose information or personal data was revealed to third parties without proper authorization, resulting in a loss. It is important to note that an employee or an individual is excluded from this section, as they do not fall within the scope of a body corporate. Section 43A is targeted only at companies.
Section 72A
This penal provision prescribes imprisonment of up to 3 years, a fine of up to 5 lakh rupees, or both, if a person or an intermediary discloses any sensitive personal information that they received while providing services or products under a lawful contract.
Section 72A applies to employees, since they satisfy all the elements: they have an employment contract with the employer, and they have access to sensitive information during their period of employment.
Section 45
Under this section of the IT Act, anyone who violates any rule or regulation issued under the IT Act for which no specific penalty has been provided is liable to pay compensation or a penalty of up to 25,000 rupees. This is a residuary provision. Any person, entity, employee or employer is covered by Section 45.
Section 43
According to Section 43 of the Information Technology (Amendment) Act of 2008, privacy violations, computer trespass, data extraction, unauthorised digital copying, etc. result in civil liability for computer database theft. This section also prescribes compensation and penalties for loss of or damage to a computer, computer network or computer system.
If the personal data was transferred under a contract that contains a specific provision regarding its protection, the aggrieved party can also file a suit for breach of contract.
A data breach is an undesirable situation for any legal entity.
A data breach happens when a security event results in a breach of the integrity, availability or confidentiality of the data that a firm or organisation is responsible for.
Once a breach happens, a company or organisation is required to inform the concerned authority without undue delay, as soon as it comes to its knowledge. A business or organisation that processes data on behalf of another (a data processor) is required to inform the data controller of any breach.
An organisation must put in place the proper organisational and technological safeguards to prevent potential data breaches; otherwise, the repercussions could be too hefty.
MS Sulthan Associates
© 2023 MS Sulthan Associates. All rights reserved.