
According to cybersecurity company Upguard, a now-dissolved Facebook app uploaded sensitive user data, including app users' passwords and Facebook user information, to a public online storage website.

While the alleged mishandling of data may seem minuscule compared to Facebook's other data privacy concerns, which may lead to a potential $5 billion fine from the Federal Trade Commission, the April report highlights a concern any data seller can have: How will third parties handle such data, and am I to be held responsible if it's breached?

While many often enter into contractual agreements with third parties to protect themselves from liability, this may not be enough to shield the original data seller from lawsuits if a defunct or active vendor is breached. 

“In general if you are the organization that is gathering the information, collecting and determining how the information is being used, you are probably responsible for what happens to it even if vendors are processing it,” said Victoria Beckman, a Frost Brown Todd partner and co-chair of the privacy and data security team, who spoke generally and not about the Facebook report.

That legal responsibility boils down to the original seller of data obtaining permission from an individual to collect the data and promising to keep it safe, Beckman said.

Fox Rothschild partner Michael Kline also noted that even a company filing bankruptcy may not absolve it of legal responsibility over a data breach.

“For general types of breaches beyond the health care realm, I think it's interesting that the liability of the company that goes out of business may not be able to avoid it by declaring bankruptcy,” Kline said. “[With] that type of obligation, depending upon the circumstances, how egregious it was, what type of information it involved, you may be in a situation where people try to get personal liability against the individuals in that company.”

To be sure, while most industries in the U.S. don't regulate data sharing, the health care industry is a large exception.

A covered entity, which under the Health Insurance Portability and Accountability Act includes a health care clearinghouse, health care providers and health insurance companies, that shares information with a third party must have a business associate agreement under HIPAA, said Fox Rothschild partner and HIPAA privacy and security officer Elizabeth Litten. 

According to a 2013 U.S. Department of Health & Human Services report, the business associate agreement mandates, among other requirements, that the “business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.” It also requires “the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information.”

While those regulations are specific to HIPAA covered entities, Litten said the law's transparency and consent requirements offer best practices relevant to data sharing in any industry.

“You can take that consent to a non-health care setting in terms of looking at if you are collecting information from users and consumers, making sure when you are disclosing it if you're doing it in a minimal necessary way.”

Obtaining prior consent can lead to less litigation and headaches, Litten said.