Facebook Inc. CEO Mark Zuckerberg highlighted a central problem with data portability in his proposal to allow internet users to transfer their information between companies—who should be responsible for securing it.

Zuckerberg said in a March 30 blog post that data portability requirements need “clear rules about who’s responsible for protecting information when it moves between services.” Without clear data portability rules, companies may struggle with consumer data requests that could imperil data security, privacy advocates and attorneys said.

“If implemented incorrectly, portability requirements pose serious risks to the privacy, security, and integrity of information,” Joe Jerome, policy counsel for the Center for Democracy & Technology, said in an email.

“Parties to a portability transaction must have strong security controls in place, including encryption of data in transit, and data stewardship measures to avoid unauthorized third party data access and misuse,” he said.

Companies that don’t carefully implement reasonable security controls could fall victim to cybercriminals when adhering to a data portability request, privacy pros said.

“Data portability provides one-stop-shopping for malefactors who want to access a consumer’s data,” Eric Goldman, co-director of the High Tech Law Institute at the Santa Clara University School of Law, said. “There are few, if any, ways to provide robust data portability without making it equally easy for the bad guys to abuse the tools,” he said.

Privacy attorneys and professionals also cautioned against broad data portability rules without appropriate guardrails or without weighing compliance burdens on small businesses.

“Data portability is desirable for many reasons, but it can impose disproportionate costs on small businesses, who may not have extra developers or resources to ensure portability,” Peter Swire, senior data privacy counsel at Alston & Bird LLP and former Obama White House privacy official, said.

Laws Unclear

The EU’s General Data Protection Regulation and California’s new privacy law, the California Consumer Protection Act (CCPA), allow for individuals to request their data and move it to other services. There’s no broad federal law guaranteeing that right. But state privacy laws such as California’s may preview what a federal requirement would look like.

Data portability is “already an element of the CCPA, which gives consumers rights to access their data in a readily usable format that allows the consumer to transmit this information to another entity without hindrance,” Justin Brookman, director of privacy and technology policy at Consumer Reports, said in an April 1 interview referring to California’s new privacy law.

But neither law is clear on what party is liable if there’s a data breach or security incident, attorneys said.

The California law gives state citizens the right to sue after a data breach if a company didn’t maintain reasonable security practices. The GDPR requires data controllers and processors to ensure an appropriate level of data security.

Liability likely comes down, at least under California’s law, to who had control over the data at the time of the security breach, Jane Hils Shea, privacy attorney at Frost Brown Todd LLC, said in an email.

But generally, “liability questions are a challenge, and apportioning liability among users, big and small firms is an open question,” Jerome said in an email.