BreachExchange mailing list archives

Cybersecurity: Where Does the Buck Stop?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Jun 2015 19:29:20 -0600

http://www.jdsupra.com/legalnews/cybersecurity-where-does-the-buck-stop-83287/

Over the last few months, we’ve been talking about cybersecurity issues for
employers.  We’ve discussed the responsibilities and risks associated with
personally identifiable information and the wave of lawsuits resulting from
data breaches.  With cyberattacks and internal data breaches topping the
list of workplace fears, cybersecurity has never been a hotter topic.  More
and more employers – including the U.S. Government – have experienced such an
attack.  It’s time to start thinking about who in your organization has
responsibility for cybersecurity, and who senior management and the courts
will deem responsible if security fails.

Board of Directors Responsibility.  U.S. government regulators point the
finger at corporate board members as the individuals ultimately responsible
for keeping corporate data (including personnel and consumer data) safe.
As the U.S. government recovers from one of the largest personnel data
breaches in history, it may be difficult to swallow federal guidance, given
allegations of “gross negligence” and neglect of the government’s own
systems by members of Congress and other observers. That said, corporate
boards and individual board members have historically been responsible for
corporate inaction or negligence if it occurs as a result of a breach of
the Board’s fiduciary duties.  Boards are taking notice of their
responsibility for cybersecurity, and cyber issues have been a top agenda
item for many corporate boards.

Executive Responsibility.  According to a survey of 200 directors at
publicly traded companies, four in 10 directors believe a CEO should “take
the rap” for a data breach.  To date, CEOs of high-profile companies have
not been fired following a breach, but chief information officers and
technology executives have lost their positions.  Beth Jacob, the former
Chief Information Officer at Target, resigned, and two top technology
officers at the University of Pittsburgh Medical Center left months after
the medical center’s announcement of a data breach affecting up to 62,000
employee records.  To the best of our knowledge, no executives have been
held personally liable for data breaches, but like boards, they are taking
notice of the risk.  Because executives play a large part in deciding where
resources are spent, many are increasing their IT budgets and/or
outsourcing IT in response to increasing cybersecurity risks.

IT Responsibility.  It’s really easy to point the finger at an employer’s
information technology department when a data breach occurs, and as
mentioned above, heads have rolled because organizations have done just
that.  Certainly, the segregation of data and technological security
systems falls squarely within an IT department’s area of expertise.  As the
federal Office of Personnel Management knows, however, the amount of
support and resources given to IT by executives and the attention that all
individuals within an organization give to IT’s warnings also play a part.

Manager Responsibility.  Managers certainly have a role to play in ensuring
that their organization does not suffer a data breach. Understanding,
communicating, and enforcing security policies and practices are often a
critical part of a manager’s job.  As the Astros are learning the hard way,
managers need to make sure, for example, that employees change passwords
frequently and keep their passwords private to help protect sensitive
data.  Because they have day-to-day oversight of employees, managers
represent the front line of cybersecurity. While not likely to be held
personally liable for damages caused by a data breach, managers may be held
responsible by their employers for failing to do an important part of their
job, and may be subject to discipline or discharge.

Employee Responsibility. Despite protective measures put in place by
corporate boards, executives, IT, and managers, data breaches continue to
occur and accelerate, and employees are the source of the majority of those
breaches.  According to industry group CompTIA, 52 percent of data breaches
are the result of human error. Failure to understand the nature and
seriousness of the threat, combined with general carelessness, results in
employees’ failure to follow security policies. Phishing scams, Trojan
horses, and other social engineering tactics can cause a single employee to
be the source of a data breach.  All employees need to be trained and
vigilant about cybersecurity issues.  Like managers, employees are not
likely to face legal liability for the damage caused by a security breach,
but they could well face discipline or discharge for failure to abide by
their employer’s policies.

Ultimately, cybersecurity is everyone’s responsibility. In speaking of the
recent government hack, House of Representatives Oversight Committee
Chairman Jason Chaffetz said, “OPM’s data security posture was akin to
leaving all your doors open and windows unlocked and hoping nobody would
walk in and take the information.” Employers need to educate all employees,
as well as board members and business partners, to recognize their
responsibilities and avoid risk.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)