Who is responsible for data security .Who has more information, tools and experience to protect data

1.Just USER . (In that case, you're both right and I'm a trolling now)
2.A company that processes data.(In that case, you're trolling me.)
3.User and company must protect the data together (Lack of 2FA is just one of the elements . Both sides comes a cropper).



 I just wanted to show that the user should not have 100% foult for such an event.