Pointing the finger of blame over a data breach

We look at the laws and research surrounding data breaches. Should the CEO be held responsible?

You rarely go a couple of weeks without hearing about some kind of major data breach. From retail outlets to dating sites to healthcare providers, nothing is off limits for hackers in search of credit card info or personal data.

After Target was breached in late 2013, it spent months cleaning up the mess and repairing its reputation while also contending with several lawsuits, which it is currently trying to settle. Either way, a data breach is a huge cost, both financially and to the company’s reputation, but ultimately, who is responsible?

According to a recent study conducted by the New York Stock Exchange and security firm Veracode, many corporate directors feel that the CEO should be held responsible. The survey found that the CEO is often the first to be blamed, followed by the CIO and other members of the C-suite. Interestingly, the chief information security officer (CISO), assuming the company has one, is only fourth on the list of those who have the finger pointed at them.

If you look at Target, this rings true. Not long after the data breach, CEO Gregg Steinhafel resigned (though the brand’s failed Canadian venture was also a factor), and CIO Beth Jacob left too.

Veracode’s study says that placing the blame on those at the top of the totem pole should be a wake-up call to CEOs that they need to give more time and resources to their security staff.

A second survey, released back in March, also weighed who in a company should be held responsible for a cybersecurity incident. Security software company Websense conducted the survey at the London e-Crime Congress conference. Of 102 security professionals, the majority agreed that laws should compel companies to disclose any and all breaches, with compensation for affected customers.

A smaller number of respondents, 16%, believed that CEOs and board members should face arrest or even imprisonment.

Websense information security and strategy officer Neil Thacker says that this increased discussion around data breaches and security (and their repercussions) will only serve to improve things for companies and create a better culture of security.

Who should be held responsible?

“CEO is always ultimately responsible, for anything good or bad that happens in a company,” says Dejan Kosutic, infosec consultant and author at 27001Academy. “If a data breach has occurred, this means that either there was no one responsible for managing information security, or not enough investment was made in protecting the information.”

Robert Scott, managing partner at Texan technology law firm Scott & Scott LLP, disagrees with the assertion that CEOs need to bear the brunt of the blame. In some instances, nobody in the company is responsible for being the victim of a criminal act, he says.

“If someone is running a business and someone gets attacked in their parking lot, you don’t blame the CEO for that. Now if the parking lot wasn’t well lit, maybe that’s the CEO’s fault,” says Scott.

“My view is that head of security, chief security officer if the company has one, or CIO is a more direct place to focus the blame if there’s any to be had for failure to provide adequate security.”

On the other hand, holding the CEO ultimately to blame could force their hand in allocating more funds and resources to security staff to bolster the company’s protection. “The CISO usually does not have the authority to decide such things,” says Kosutic of how investment in protection is allocated, “and security is sometimes not even in CIOs’ domain.”

John Rampton, CEO of online invoicing platform Due.com, says his company suffered a data breach in its early days while it was still trying to build up customers. “I have to take full responsibility as the CEO for this though every person on the team took their own part of responsibility,” says Rampton. “What’s more important to a business is what you’re doing about it and who’s responsible for that. Ultimately it’s the CEO as everything is under his management.”

However, fining small companies could be a stretch too far. Major brands like Target and Home Depot may feel a dent in their earnings after a fine and legal costs, but they will eventually recover. For a small company or startup, a fine can be the death knell.

“[For] a startup like us, it would have killed us had we been fined,” says Rampton. “How a [company] handles a security breach should determine the fine or punishment.”

A company that suffers a data breach should be punished if they are not doing what is commercially reasonable, adds Bob West, chief trust officer at cloud security company CipherCloud. “For example, the fact that banks get robbed doesn’t mean customers sue them every time a robbery occurs,” says West. “In a similar manner, if a company responds to a security breach properly and minimises the damage, they shouldn’t be punished.”

“On the other hand, those companies who aren’t making a commercially-reasonable investment in protecting themselves should be.”

A patchwork of regulations

In the wake of several high profile data breaches, many states have altered their data breach disclosure laws in a bid to compel more companies to reveal any incidents and provide ID protection services to affected customers.

On June 1, Connecticut passed new changes to its data breach laws that oblige any business to disclose its data breach to the attorney general within 90 days (reasonable exceptions can be made) and provide one year’s identity theft protection services to affected customers. A business “could face injunctive relief, restitution, attorneys’ fees and civil penalties for failure to provide reasonable notification”, a spokeswoman for the attorney general told IDG Connect.

The law was first introduced in 2012, and with mandatory disclosure more companies have reported data breaches. In 2014, 447 companies reported an incident, compared with 445 in 2013. The year before the law was introduced, a mere 10 companies reported to the attorney general’s office. The stricter laws may now force more companies to come forward.

Nevada and North Dakota also revised their data breach notification laws in late May, adding to the growing number of states attempting to address the issue.

Robert Scott believes that the patchwork of data breach notification laws is flawed because they differ from state to state, which has led to excessive breach notices and to companies having to navigate a different set of regulations in each state in which they do business. A federal requirement may be a more effective system, he says.

“Fortunately in financial services and in healthcare, we have a federal notice requirement that basically takes the place of that patchwork,” says Scott. “In other industries it’s still dealing with this patchwork of inconsistent state laws.”

“I can’t believe that we don’t have a federal law that standardises breach notification. Certainly Congress has the authority under their law-making power to pass such a law. Many have been proposed but to date they have been content to allow the states to try to work it out.”

Until that time, the patchwork for managing a data breach will remain in place, and companies big and small will continue to go back and forth on shouldering blame. Perhaps, though, a more unified responsibility is the best approach.

“The answer is everyone, and in today’s environment, ‘everyone’ includes the board. Cybersecurity is no longer an IT problem or security problem or a legal problem,” says Jason Straight, senior VP and chief privacy officer at business advisory company United Lex.

“Thinking about cybersecurity as a business problem that extends across the entire enterprise is a good way to begin the long-overdue process of re-examining a company’s cybersecurity posture and assessing the alignment among IT, legal, and other key business stakeholders with respect to cyber risk management.”