Data Breaches: Is anyone responsible?

By: Robert Vickers

With seemingly increasing frequency, news reports reveal data breaches involving personal data stored on commercial data servers. In some cases the victims themselves intentionally stored the data on the servers; in others it was not the victims but a commercial entity that stored the data, keeping information about its customers. Whether users or the company uploaded the data kept on company servers, who holds the responsibility for keeping that data safe?

One of the more recent newsworthy breaches involved cloud storage: the recent celebrity nude photo hack against Apple’s iCloud service[1], which has generated intense publicity[2]. Despite some early news reports alluding to yet another flaw in an online service, Apple claims that the blame for the inadvertent exposure of celebrity data does not lie with Apple[3]. Instead, hackers attacked individual accounts, from which they could deduce user names, passwords, or security questions[4].

In this case, it appears the breach involved data that users themselves had uploaded to the servers for storage. Access to such data by the hosting company depends in part on whether the company managing the servers defines the service as an Electronic Communication Service (ECS) or as a Remote Communication Service (RCS), as defined by the Stored Communications Act, 18 U.S.C. §§ 2701–2712.

Essentially, an ECS would be a service like webmail[5], and an RCS would be a cloud storage service[6], at least the way most people think about them. The statutes specify the differences between the types of services, one of which is that an RCS hosting company cannot access any data stored within it for any purpose other than user storage and processing[7]. Likewise, different rules, depending on the type of service, dictate when the government can access data stored on the service and whether a search warrant is needed[8]. Furthermore, the category (ECS or RCS) a particular service falls under, despite its popular and advertised name or usage, depends entirely on the Terms of Service (ToS) as defined by the service provider.

Google, for example, has a generic ToS which applies to all of the services they provide[9]. At one time, “Google reserve[d] the right … to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any [Google] Service”[10]. Today, Google just says that they will sift through your data in order to provide you with advertisements you may be interested in[11].

Two court cases, Flagg v. City of Detroit[12] and Viacom Int’l Inc. v. Youtube Inc.[13], refused to allow screening for unlawful content when information was stored on an RCS[14]. This decision also likely means the content cannot be accessed for advertising or other purposes[15]. As a result, many services can write their ToS so as not to define the service as an RCS[16]. In such a manner, although the service may not provide stored data willingly to a third party, the service can view the data itself, ostensibly to provide targeted advertisements to pay for the “free” service[17].

Other recent newsworthy data breaches include the Home Depot data breach earlier this year[18], and the Target data breach last year[19].  In the case of the Home Depot breach, in addition to credit card account numbers, email addresses were also stolen[20].

In cases such as these, hackers, typically from overseas, gain access through malware, trojans, hacking, or other means to a company’s database containing customer information and sell that information to others, who use the data to assume a customer victim’s identity and purchase goods and services for themselves[21].

As provided by law, for a customer who quickly notices and reports a breach of their credit card number, personal liability is limited to $50[22].  The remainder of liability usually falls upon the credit card issuer[23].

As for liability for allowing the breach in the first place, in many cases similar to these it seems that liability has yet to be placed. Whether in the cases against Hannaford Bros.[24], Michaels Stores[25], or Express Scripts[26], when customer data is stolen, be it simply electronic payment (credit card) information or more substantial personally identifiable information such as dates of birth and Social Security Account Numbers, the entity whose database was broken into has yet to be found liable for the breach. Oftentimes, as in the cases above, because the victim did not contract with the entity that stored their information to store that information, courts have found the victim lacks standing to sue.

In an attempt to eliminate the utility of stolen credit card numbers, credit cards containing electronic chips, as currently used overseas, are being introduced into the United States[27]. These, however, are not a panacea: apparently the system, developed by Visa for use in the United Kingdom, has a problem recognizing any currency other than the British pound[28]. Nor has the new chip card system completely eliminated the ability of thieves to steal money from a credit card[29]. Furthermore, the change to a new system will be very expensive, with costs projected to be as much as $11 billion[30].

With expenses like that looming in the near future, and given the limited liability companies have faced when databases are broken into and customer data is stolen, it is not surprising that companies are not acting faster to roll out new technology to protect their customers. Although it would be nice, and companies should look after their customers better in order to build a relationship and instill loyalty, based on current trends it probably won’t happen anytime soon.

As always, it is up to consumers to protect themselves. While the possibilities and utility of cloud computing are great, customers need to be aware that information they place on a server owned by another party may not be secure. Likewise, information collected by companies about their customers has been and will continue to be targeted by hackers. A recent survey revealed that 91% of Americans believe they do not control the personal information that companies possess about them[31]. The only choice is for consumers to take action to protect themselves: be aware of where their data goes and limit what they release. Don’t worry though; we are committed to your privacy and are not collecting any personally identifiable information which may or may not be used to personally identify you, or are we?[32]


[1]  BBC News, http://www.bbc.com/news/technology-29039294 (last visited 9 Nov 2014)

[2]  BBC News, http://www.bbc.co.uk/newsbeat/29403121 (last visited 9 Nov 2014)

[3]  BBC News, http://www.bbc.com/news/technology-29039294 (last visited 9 Nov 2014)

[5]  18 U.S.C. § 2510(15) (2014)

[6]  18 U.S.C. § 2711(2) (2014)

[7]  18 U.S.C. § 2702(a)(2)(B) (2014)

[8]  Wikipedia, https://en.wikipedia.org/wiki/Stored_Communications_Act (last visited 10 Nov 2014)

[9]  Google, http://www.google.com/intl/en/policies/terms/ (last visited 9 Nov 2014)

[10]  William Jeremy Robison, Free at What Cost?: Cloud Computing Privacy Under the Stored Communications Act, 98 Geo. L.J. 1195, 1215 (2010)

[11]  Google, http://www.google.com/policies/terms/ (last visited 9 Nov 2014)

[12]  See Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008)

[13]  See Viacom Int’l Inc. v. Youtube Inc., 253 F.R.D. 256 (S.D.N.Y. 2008)

[14]  William Jeremy Robison, Free at What Cost?: Cloud Computing Privacy Under the Stored Communications Act, 98 Geo. L.J. 1195, 1219-20 (2010)

[15]  Id.

[16]  Id. at 1222

[17]  Id. at 1219

[23]  15 U.S.C. § 1643 (2014)

[24]  Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011)

[25]  In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011)

[26]  Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009)

[28]  Id.

[32]  Whether or not such collection is performed is above my pay scale so, dear reader, you’re on your own.