One of the emerging threats in the digital era is online security breaches. Today, millions of people use social media platforms to post information about their lives online. In doing so, they often provide sensitive personal information to various platforms, including credit card information, personal preferences, and other information that is otherwise protected by various privacy legislation. A security breach by an unknown hacker can lead to millions of users’ accounts being compromised. In addition, many users now use one social media platform to host a variety of applications. In those circumstances, a security breach of the main platform could have a ripple effect on other accounts. Protecting against these types of security breaches is becoming increasingly important in the digital era.

Companies that host personal information of their users must be careful in how they store that information and how they plan to handle a potential data breach. This is particularly important because of emerging legislation in different parts of the world that could result in significant penalties for companies that fail to protect against a data breach. For example, the EU’s newly enacted data privacy regulation, known as the General Data Protection Regulation (GDPR), permits users located in the EU to file a claim for compensation against a company if they have suffered material or non-material damage, even without proof of monetary loss. If an investigation finds that the company did not comply with GDPR rules with respect to the handling and processing of personal data, the regulators could impose a fine of up to 4% of the company’s annual worldwide revenue. Another concern is the potential for reputational damage to the company, which could result in market share losses.
Data breaches also raise an interesting legal question as to whether third-party applications that use the services of the company whose security was breached can be held responsible for compromised user data. This question is necessarily fact-specific and remains generally unanswered. In the meantime, it is imperative for businesses to ensure compliance with local and federal privacy legislation by having in place clear procedures and policies with respect to how the business collects, uses, and stores personal data. Moreover, it is prudent to have a written policy setting out how the third parties that the business interacts with will take care of privacy and data-processing issues, and how privacy and security risks will be allocated between the parties.
In the digital era, users expect to know how their data are being used and protected. Ensuring compliance with privacy laws is important not only from a legal perspective but also from a business perspective: even if privacy regulators are struggling to keep up with advances in technology, whether a business has gained trust from the public in the way it handles privacy issues may be reflected in the financial health of the corporation.