
I'm currently developing an app in which users will store sensitive data, and this data will be stored on the internet (I'll use Firebase or a similar service).

I'll try to secure the data as much as I can (and send it via a secure connection or something), but by all means I'm a complete beginner in the information security field and I'm still learning, so I'm afraid that my app's data security won't be competent.

My question is: what if someone was able to access the users' data, will I (the app developer) get fined? Or are the fines only for intentional data security violations? In my case it won't be intentional, I'll try my best to secure the data.

Another side question is: what are the regulations/standards/requirements that I should be aware of which are related to data security? I only know the GDPR regulations.

  • This is a purely legal question, i.e. off-topic here and on-topic on [law.se]. Apart from that, laws usually don't have an exception for *"I have no idea what I'm doing"*. If you don't know enough about security, simply don't write an app which stores sensitive data. – Steffen Ullrich Mar 19 '20 at 19:24
  • In North America, there is a concept that "ignorance is not a defense". – schroeder Mar 20 '20 at 07:52

1 Answer


First of all, don't trust any legal advice from a Q&A site on the internet. I am not a lawyer, but I can give you some pointers at least:

  1. It mostly depends on your place of jurisdiction. Laws are quite diverse in regards to liability when it comes to cyber security. You should consult with a legal expert familiar with software liability in your place of jurisdiction.
  2. Data security is just part of the game. Getting hacked and having personal information leaked is a severe issue, but not the only one. Your systems can be compromised and used to attack others or spread malware / illegal material. Your users may incur damage if the system is not available during a DDoS attack. The list goes on. Do not consider your application secure, just because you followed all the data protection standards.
  3. You have a degree of freedom when defining your contracts. Again, it depends on your local jurisdiction, but usually you can define for which use cases or industries in general your software should and shouldn't be used. You can basically say that you are not liable for anything and that your software is not fit for any purpose. Your clients won't like that, but it is an option. The goal is to find a middle ground that works for all sides. Don't include any liabilities in your contracts that you are not comfortable with. Again, this is a difficult matter; get a legal consultant.
  4. Get a software security expert on your team. You said it yourself, you're a beginner in the field of information security. Relying on standards and security frameworks only gets you so far. Without a competent partner to manage your application security, you run a high risk. If it is a small development project and you have limited funding, get a security consultant for a limited amount of time to cover the most important topics. If you can afford it, bring an expert into your team. A security savvy developer can help not only with security but other development tasks as well.
  5. About security standards... Honestly, based on your description, no security standard alone will do the trick. Application security is a field that requires many years of experience to get things right, and even then it is difficult. I could list a wide range of different security standards from OWASP, NIST and many others, but the standards are not your issue. That's probably not the answer you were hoping for, but my honest opinion about your situation.
– Demento