Data negligence is the ineffective application of safeguards and controls to prevent the misuse of personal data.
Data negligence may result from failing to take the correct measures to prevent a data breach and/or the misuse of personal data. Recent breaches and data misuse have been highlighted in cases against Equifax, Facebook, and Cambridge Analytica. A data breach is an incident in which data is stolen or otherwise taken from an organization. Stolen information may include sensitive, proprietary, or classified data, for example customer information and credit card details. Personal data misuse involves unauthorized staff viewing or transferring a customer’s personal data.
For the GDPR, negligence is cited twice in Article 83, ‘General conditions for imposing administrative fines.’ First, it states that violations can be negligent or intentional: “the intentional or negligent character of the infringement.” And second, it speaks to penalties regarding negligence or intentional acts: “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.” Under CCPA, negligence triggers the rights of consumers to file lawsuits for damages and compensation.
What are some examples of data negligence?
- Reliance on old or outdated security controls.
- Insufficient security controls (for instance, relying solely on encryption for data security).
- Software practices and policies that fail to keep applications and databases at the latest patch levels.
- Ineffective security and privacy training for staff who access software, data, and network resources.
Here are additional resources to learn more about data negligence:
- Thomson Reuters, “Who is liable when a data breach occurs?”
- NYU, “The Rise of Cyber Negligence Claims: Plaintiffs Find Receptive Judges by Going Back to Basics”