In this second half, we will look at:
- Are there adequate legal repercussions for losing customer data to hackers?
- Ways to assess the strength of a potential information fiduciary before doing business and creating an account
Critical perspectives
Are there adequate consequences for information fiduciaries if they expose my data?
The difficulty in establishing liability for a data breach lies in proving negligence: when an outsider gains unauthorized access to user data, a regulator or court must show that the company's security practices fell below a reasonable standard, not merely that it was breached. Josephine Wolff's opinion piece in the New York Times [46] reviews why it is so hard to punish companies that expose user data:
Perhaps Facebook did absolutely everything right and was just unlucky. If that’s the case, then it would be unfair and unproductive to penalize the company severely. On the other hand, if Facebook ignored several warning signs and failed to properly vet its new tools before releasing them, then it is entirely appropriate for the company to face a significant fine as an incentive to be more attentive to security in the future.
Take the 2017 Equifax breach as an example. The vulnerability in Apache Struts that the attackers used had been publicly known, with a patch available, since March 2017 [47], but Equifax had not applied it, and the intrusion began in May 2017. Even so, at the time of writing neither the Federal Trade Commission nor the Consumer Financial Protection Bureau had taken action against Equifax for missing the patch that enabled the breach.
“It’s not a partisan issue, but one where every industry — from telecoms to retail — wants to be exempt from the law”. – Senator Mark Warner
The Federal Trade Commission (FTC) aims to prevent "anti-competitive, deceptive, and unfair business practices", a mandate that arguably extends to negligent cybersecurity [48]. In 2012, the FTC fined Equifax $1.6 million for "violating the FTC Act and the Fair Credit Reporting Act" by selling lists of consumer information to third parties [49]. On closer examination of that decision, however, all of the money paid in fines went to the FTC and none was distributed to the people whose information was on the lists [50]. As of December 1, 2018, the FTC had taken no action in relation to the 2017 Equifax data breach.
The Consumer Financial Protection Bureau (CFPB), for its part, aims to "protect consumers from unfair, deceptive, or abusive practices and take action against companies that break the law" [51]. The CFPB did open a probe into Equifax over the 2017 breach, but after Richard Cordray stepped down on November 24, 2017, Donald Trump named Mick Mulvaney acting director rather than Leandra English, whom Cordray had designated to fill the role [52]. After Mulvaney's appointment, the CFPB's investigation into Equifax was put on hold [53]. As of December 1, 2018, the CFPB had taken no action in relation to the 2017 Equifax data breach.
In Canada, the rules for companies that experience data breaches offer little more protection or guarantee than American legislation. Under the Personal Information Protection and Electronic Documents Act (PIPEDA) [54], a Canadian company such as Equifax Canada that knowingly contravenes subsection 8(8), section 10.1, subsection 10.3(1) or subsection 27.1(1) commits an offence punishable by a fine of up to $10,000 on summary conviction or $100,000 on indictment. The offences, summarized, are:
- 8(8): failing to retain personal information that is the subject of an individual's access request for as long as the individual may need it to exhaust any recourse
- 10.1: failing to report to the Privacy Commissioner a breach of security safeguards involving personal information under the organization's control
- 10.3(1): failing to keep and maintain a record of every breach of security safeguards
- 27.1(1): dismissing, suspending, demoting, harassing or otherwise disciplining an employee for reporting contraventions of PIPEDA
None of these offences concerns the quality of the safeguards themselves. A company whose user data is accessed by an outsider is therefore legally in the clear as long as it reports the breach to the Privacy Commissioner, keeps a record of it, and does not retaliate against employees for whistleblowing. Under these rules, Equifax's failure to update Apache Struts after a patch was released would not give rise to any offence.
In short, the consequences for companies that expose their users' data are inadequate. Current regulations do not address negligence in data handling security, and the fines that are levied do not benefit the victims of the breach.
Do terms and conditions protect companies in cases where they expose my data?
In the terms and conditions for their products or services, companies can specify that they are not liable for direct or indirect damages to their users resulting from a data breach.
In September 2016, Yahoo announced that hackers had stolen data on 500 million users in an attack carried out in 2014 [55]. In December 2016 it announced a separate, earlier attack from 2013 that affected 1 billion user accounts [56].
When users filed a class-action lawsuit against Yahoo in California federal court in 2017 [57], Yahoo argued that "the terms of service said that Yahoo would not be liable for indirect, incidental, or consequential damages, including damages for 'loss of data or other intangible losses' resulting from 'unauthorized access to or alteration of your transmissions or data'" [58]. The court accepted this reading of the terms, demonstrating that terms and conditions do shield companies from contractual liability for data breaches.
The plaintiffs nevertheless succeeded because they amended their complaint from breach of contract to unconscionability. Unconscionability describes terms that are "so extremely unjust, or overwhelmingly one-sided in favor of the party who has the superior bargaining power" [59]. The court found the limitations in the terms and conditions procedurally unconscionable because "Yahoo's limitations appeared near the end of a take-it-or-leave-it contract" [60]. Importantly, the judge also found them substantively unconscionable: "California courts have similarly concluded that limitations are substantively unconscionable when they 'guarantee that plaintiffs could not possibly obtain anything approaching full recompense for their harm'" [61].
In response to judgments such as the one in the Yahoo case, companies may try to minimize their financial exposure by making their limitation-of-liability clauses more explicit and requiring new users to acknowledge having read them during sign-up. They may also try to head off a finding of substantive unconscionability by offering credit monitoring as compensation after a breach, as Sony did in 2011 [62] and Equifax in 2017 [63]. Note, however, that the Yahoo proceedings are confined to the United States and may not influence judgments in courts elsewhere.
Why can companies wait to tell others about the loss of user data?
In several of the earlier examples, companies that knew of a breach did not inform users immediately:
- Google was aware of the Google+ security issue in March 2018, but disclosed it in October 2018 [64]
- Equifax was aware of its breach on July 29, 2017, but did not disclose it until September 7, 2017 [65]
In other cases, companies discovered intrusions that had taken place years earlier:
- Marriott discovered and announced the 2014 unauthorized access of Starwood Hotels in 2018 [66]
- Yahoo discovered and announced the 2013 and 2014 data breaches in 2016 [67]
In the United States, each state has its own law governing the timing of notification after a data breach [68]. Some states, such as Alabama, set an explicit window of 45 days after discovery of the breach. Others, such as Minnesota, require only that "the disclosure must be made in the most expedient time possible and without unreasonable delay". PIPEDA takes the same approach in subsection 10.1(6): "The notification shall be given as soon as feasible after the organization determines that the breach has occurred." [68]. Unless a jurisdiction fixes an explicit notification deadline, companies operating in Canada or the United States are free to interpret this open-ended wording as they see fit.
Heuristics to assess an Information Fiduciary’s ability to protect your data
Can any company be trusted to safeguard your data and to act in ways that do not harm your interests? How can you judge a company's data security practices before opening an account and doing business with it? The following heuristics are a useful, though incomplete, first step for comparing a candidate company's data security posture:
Companies that practice average data security:
- are publicly transparent about what kinds of security they use (ex. WealthSimple [69])
- follow the minimum requirements set by standards such as the Payment Card Industry Data Security Standard [70] [71] and regulations such as the General Data Protection Regulation [72]
Companies that practice good data security:
- offer multi-factor authentication [73], so that a stolen or guessed password alone is not enough to sign in and modify the details of your account [74]
- store passwords only as salted, deliberately slow hashes [75] rather than in plaintext or reversible form, so that a copy of the database does not directly reveal passwords to hackers or to unauthorized employees (note that hashing is one-way, so it suits passwords but not files that must be read back; those need encryption at rest with keys kept separately from the data)
Companies that practice great data security:
- run a 'bug bounty' program [76] that rewards users who report bugs and methods of unauthorized access (ex. Asana [77])
- guarantee the security of customers' assets with complete reimbursement (ex. Meridian Bank [78])
- describe a policy of periodic auditing for vulnerabilities, including audits by external security experts [79]
In general, the more a company is able to tell you before you open an account with it, the better.
Summary
- “Information fiduciaries” have special duties to act in ways that do not harm the interests of the people whose information they collect
- Most companies that collect information do not behave like information fiduciaries
- User data can be exposed by malicious intent to abuse access, errors in handling, or unauthorized external access
- Companies may announce data breaches much later than when they initially discovered it.
- Class-action lawsuits give individuals a way to seek redress from a company after a data breach, but even successful cases have produced small financial distributions for plaintiffs
- Current regulations punish companies with fines that are paid to the regulating body and not shared with the victims of the breach
- Companies can limit their liability for consequential damages from data breaches by presenting limitation clauses clearly in the terms and conditions for new users and by providing credit monitoring after a breach, which helps them avoid a finding of substantive unconscionability
Discussion Questions
- Can you think of any companies who fulfill the criteria of an ‘information fiduciary’?
- Do you think it is appropriate for employees of an ‘information fiduciary’ to be able to freely access your data?
- What do you think of University of Greenwich’s case of failing to be an information fiduciary for its students?
- What factors could increase your belief that a company will not use your data aside from providing services to you?
- Do you think that companies that offer ‘free’ services have the same responsibilities to protect user data as those that offer their services for a price?
- What suggestions do you have to improve the current regulations regarding company responsibility in the event of a data breach?
- Should victims have to go to court and prove unconscionability, or should regulators actively police terms and conditions that unfairly protect companies?
- Do you foresee companies taking information security more seriously in light of the recent cases of data breaches?
Disclaimer: The views and opinions expressed in this article are those of the author and do not constitute legal or financial advice.
Always do your own research for informed decisions.
edited by: Elyse Hill
Image Credits
Untitled, from Pixabay, used under CC 1.0.
Key Sources
- Balkin, J. (2016). Information Fiduciaries and the First Amendment. UC Davis Law Review, 49(4), 1183-1234 – https://lawreview.law.ucdavis.edu/issues/49/4/Lecture/49-4_Balkin.pdf
- List of Data Breaches (Wikipedia) – https://en.wikipedia.org/wiki/List_of_data_breaches
- PIPEDA (Canada) – https://laws-lois.justice.gc.ca/eng/acts/p-8.6/
- GDPR (Europe) – https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679
Supplementary Sources
- New Facebook Hack on September 16, 2018 – https://www.theverge.com/2018/9/28/17916076/facebook-hack-lawsuit-login-info-50-million-users-affected
- How to participate in privacy class-action lawsuits – https://www.ctvnews.ca/5things/how-to-participate-in-the-growing-number-of-privacy-class-actions-in-canada-1.3599720
- Canadian Bar Association class action database – http://www.cba.org/Publications-Resources/Class-Action-Database
- How to Quit FAANG (Motherboard/Vice) – https://motherboard.vice.com/en_us/article/ev3qw7/how-to-quit-apple-microsoft-google-facebook-amazon
- Examples of good data security companies (Inc Magazine) – https://www.inc.com/kayla-matthews/these-4-brands-are-super-transparent-about-how-they-secure-your-data.html
- 10 Security Tips (University of California Berkeley) – https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips
- Guide to Personal Cybersecurity (Medium) – https://medium.com/@nickrosener/an-in-depth-guide-to-personal-cybersecurity-be98ba47c968
- How to Make Facebook and Google Behave (Bloomberg) – https://www.bloomberg.com/opinion/articles/2018-04-24/make-facebook-and-google-information-fiduciaries