There may have been a time where cyber security was the concern of the IT department alone, but this is no longer the case. The changing landscape of cyber security – and evolving legislation that’s coming with it – leaves directors and managers alike, ultimately responsible for data breaches and the harm they cause.
If an individual fails to protect the data their organisation holds, not only is their job at risk, they may also be liable for civil damages.
Data breaches have, unfortunately, become a part of business as usual for digital enterprises. The high-speed data networks that we have all become dependent upon are not inherently secure. Fortunately, the accidental data breach is less prevalent than it used to be, but a hacker with enough time, technology and tenacity will breach conventional “prevention” technologies.
The best data security strategies combine elements of protection and prevention. Protection comes in the form of data encryption, so that in the event that prevention technologies (firewalls, etc.) fail, the data itself remains safe.
The impact of a “successful” breach is dependent upon how well protected your data is when it falls into unauthorised hands. Emerging data protection legislation clearly differentiates between obligations regarding notification and remediation for encrypted and unencrypted data. If your data is protected by a certified, high-assurance encryption solution…good. If it isn’t…not so good.
We have discussed the True Impact of a Data Breach in a previous article, but the risk landscape has undergone a subtle change in recent years. While headlines promising multi-million dollar or euro fines under the GDPR certainly get attention, there has been a steady increase in cases where the impact of a breach is being felt on a more personal level.
Whilst most government security regulations refer to “privacy” breaches, there are other types of data breach that may prove more damaging. Lost intellectual property (IP), business secrets and financial data may potentially have a long-term impact on business performance; affecting shareholders, employees, suppliers etc.
Ultimately, someone must carry the can for what is a fundamental process failure. You can’t just blame the tired analyst who left a laptop on the last train home any more. Data protection has emerged out of the IT closet and has a seat at the boardroom table.
As the potential impact of a breach has become more significant, extending beyond business disruption and financial penalties to long-term brand damage, there has been an increase in C-Level executive casualties.
If your organisation is big enough to have a CISO, it’s likely that the buck will stop there. However, for many organisations it is another C-Level executive that will bear responsibility for data protection. Two high-profile examples that spring to mind are Yahoo and Sony Pictures.
In Feb 2015, Amy Pascal (former Co-Chairman of Sony Pictures Entertainment) stood down, less than two months after the hacker group “Guardians of Peace” published confidential data that included a series of controversial emails from Pascal herself.
In another example, Yahoo CEO Marissa Mayer caught a lucky break in March 2017 and kept her job, but will miss out on her bonus and potentially a stock award after her handling of two breaches back in 2013 & 2014, in which over 1 billion user records were stolen, costing the company over $350 million. The company’s top lawyer wasn’t so lucky.
The personal impact of a breach is also being felt outside the commercial world, with high-profile public-sector figures not immune. As far back as 2011, the Texas State Comptroller’s office fired its heads of information security and innovation and technology, following a breach that exposed personal information, including the Social Security numbers, of over 3.2 million citizens.
More recently, in August 2017, two Swedish Ministers lost their jobs after a data breach exposed sensitive data, believed to include the identities of people in the witness protection programme.
Amongst the management community, this is bound to raise more than a few eyebrows and encourage board members to become more actively engaged in the strategy surrounding data protection. Evolving legislation around the world goes beyond corporate responsibility and adds the potential for criminal prosecution in the case of negligence.
It is not just the possibility of criminal prosecution that should worry directors and managers. Civil litigation is equally worrying, and not only because of the high financial costs of a successful action. Employees, shareholders and suppliers are initiating class-action civil litigation claiming damages arising from a failure of duty of care. The burden of proof required in civil litigation is lower than in a criminal action.
In short, the reputation of your business is not the only thing on the line in the event of a breach.