Universiteit Leiden


Why stricter rules won’t prevent hacks, but mass claims could make a difference

Millions of people in the Netherlands have been affected by data breaches in recent months. There have been calls for stricter legislation, but Gerrit-Jan Zwenne, Professor of Law and Digital Technologies, warns against unrealistic expectations. Mass claims could help force businesses to improve their security.

Odido, Booking.com, Basic-Fit, Canvas: it feels as though cyberattacks are on the rise. But lawyer and professor Gerrit-Jan Zwenne puts this into perspective. ‘A key reason we’re hearing so much about this is not necessarily that there are more cyberattacks, but that the obligation to notify the authorities is working’, says Zwenne.

Unpredictable

Moreover, the government can never prescribe exactly how companies should protect themselves. ‘The law relies on vague, open standards such as “appropriate technical and organisational security measures”’, says Zwenne. He believes this is a deliberate choice. ‘You can’t predict what will be needed in the future.’ The human factor is also unpredictable, says Zwenne. No law can prevent an employee from accidentally sending an email to the wrong person or clicking on a suspicious link.

Legislation is counterproductive

Legislation therefore falls short when it comes to preventing data breaches and, in some cases, even contributes to the volume of data collected. Many people find it frustrating that businesses frequently request personal information, such as a copy of a passport. While the General Data Protection Regulation (GDPR) requires companies to collect as little data as possible, other laws actually oblige them to verify their customers’ identities thoroughly, Zwenne explains.

He gives the example of telecom providers accepting new customers. ‘The Supreme Court has ruled that taking out a contract with a “free” phone is effectively considered a form of credit.’ This means providers such as Odido must follow strict rules to prevent people from getting into debt.

Financial institutions are subject to even stricter anti-money laundering legislation. ‘ING was fined nearly 100 million euros because it failed to take sufficient measures to prevent money laundering.’ Other major banks have received similar fines, says Zwenne. Banks would therefore rather collect too much data than too little, in order to meet their legal obligations.

Mass claims

What can you do if your data is compromised? For individuals, it is virtually impossible to take large companies to court following a data breach. Such proceedings are complex and time-consuming. In addition, large companies can hire teams of expensive lawyers, making it extremely difficult for an individual to pursue a legal case.

Mass claims solve this problem, says Zwenne, who is involved in supporting several organisations in collective actions. ‘Why are group actions useful and necessary? Because they create a level playing field. A well-funded claims organisation is capable of taking on large companies, even if the proceedings drag on for years. You can’t do that on your own.’

According to the professor, mass claims also have a preventive effect, forcing businesses to take cybersecurity more seriously. ‘The threat of a mass claim will raise awareness among businesses. Cybersecurity is an integral part of normal business operations. As an entrepreneur, you must recognise that it is an essential part of responsible business practice.’ According to Zwenne, it is just as fundamental to business as keeping accurate accounts.

Gerrit-Jan Zwenne is Professor of Law and Digital Technologies at Leiden University and Professor of Data Protection in Dutch Legal Practice at the Open University. Alongside his academic work, he has been a lawyer for almost 30 years, currently at Pels Rijcken, where he specialises in privacy and data protection and acts as a lawyer in group actions against major tech companies such as Meta and Google.
