July 4, 2020

Volume X, Number 186


Sorry Sir, Our Data Breach Response Plan is Out of Stock

We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they divulge their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of the sneaker platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up-to-date security processes, and in particular, the necessity of having an adequate data breach response plan in place.

Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that this was due to system updates. A spokesperson for Stock-X later disclosed to TechCrunch that Stock-X had been alerted to “suspicious activity”. TechCrunch reports, however, that an unnamed data breach seller had contacted it claiming that more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.

Failing to report breaches becomes a particular business concern where the EU General Data Protection Regulation (GDPR) applies. Under the GDPR, a controller must, without undue delay and where feasible, notify an EU supervisory authority not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Failure to do so can render a controller liable for the lower-tier, but still severe, GDPR fine of up to the larger of €10,000,000 or 2% of total worldwide annual turnover. This is not to discount potential fines of up to €20,000,000 or 4% of total worldwide annual turnover for other infringements which may result from breaches.

Although this breach may potentially not trigger notification requirements, conduct such as failing to divulge a data breach to impacted individuals, to provide any further details as to the breach, or to disclose it to the appropriate supervisory authority suggests a lack of sufficient data breach response processes. This is not uncommon, as the changing online landscape often creeps up without sufficient thought being given to instilling appropriate safeguards and processes when dealing with personal information.

Co-Author: Max Evans

Copyright 2020 K & L Gates

National Law Review, Volume IX, Number 224

About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurements issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market-leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Senior Attorney

Ms. Aggromito is a senior lawyer in the Melbourne commercial technology and sourcing team, focusing on IT, privacy and data protection.