Who’s Financially Responsible for Cybersecurity Breaches?
By Kayla Matthews
As networks become less secure and the data stored on the cloud becomes more valuable, cybersecurity breaches are becoming both more expensive and more frequent. In the first six months of 2019 alone, data breaches compromised more than 4.1 billion records. Cybersecurity experts and IT workers can’t prevent every breach, but in some cases, it’s clear the appropriate steps weren’t taken to protect data. The cost of the breaches raises the question: Who should pay when a customer’s data gets stolen?
What Does the Law Say?
The current legal framework regarding data breaches isn’t particularly detailed. Beyond laws requiring disclosure of data breaches to affected customers, there are only a few laws governing who is responsible for a data breach.
Under current law, the data owners—the firm or organization that is storing user data—are responsible for data breaches and will pay any fines or fees that are the result of legal action.
The data holder—the organization that provides the cloud storage service—can’t usually be legally implicated or held responsible. If a data breach occurs, the data holder must notify the data owner, but not much else beyond that.
A data owner’s level of liability depends on what safeguards it was taking to protect user data. Failing to control network access or not encrypting user data, for example, will make a data owner more liable for the damages caused by the breach. A data owner also can be held responsible for not informing affected customers soon after a breach occurs.
Most international laws governing data privacy and breaches are similar: Both Japan’s APPI and the EU’s GDPR require companies to take measures to defend customer data and notify customers in the case of a breach.
Data Breach Finger-Pointing
There’s no disagreement that cybersecurity breaches can be extraordinarily expensive and painful for a company—especially if that company doesn’t properly disclose them. But there are conflicting ideas about who should be responsible within the organization that let the breach happen.
IT and Cybersecurity Workers
As people increasingly rely on cloud storage and unsecured Internet of Things (IoT) devices become more widespread, networks are becoming less secure. This phenomenon puts more pressure on the IT staff and cybersecurity professionals who work directly with network security. These same workers are also facing a burnout crisis as demand for cybersecurity workers grows faster than supply.
Upper management is less likely to be invested in proper security measures than IT workers, according to a report by Telstra, Australia’s largest telecommunications company. It’s easy to place the blame for a data breach on the IT department—they are, after all, the ones to implement proper security measures. But a lack of funding can hamstring the same IT department.
CEOs and Chief Information Security Officers (CISOs)
CEOs are the most likely to accept blame or resign after a major breach, especially if that breach results in millions of dollars’ worth of damage. See Equifax, whose CEO retired, for example, or any of the major corporate breaches that have happened over the last few years.
The CEO and CISO don’t always step down. In the case of the Capital One breach, CEO Richard Fairbank apologized but remained in his position.
Some cybersecurity experts argue that C-level leadership should take full responsibility due to the power these individuals have over both funding and company security culture. With oversight over the operations and budgets of their IT departments, CEOs and their management teams ultimately should be responsible for any lapses of judgment or holes in security that allow data breaches to happen.
The vast majority of data breaches in 2015, for example, involved unencrypted data. Big data encryption is expensive, but it’s one of the best measures against data breaches. Often, unencrypted data is not the fault of the IT department, but instead of whoever was in charge of allocating funds. The IT workers may have wanted to implement encryption, but didn’t have the money. In a situation like this, it’s hard to lay the blame on anyone besides the individual controlling the department’s purse strings.
You won’t see this line of argument as often, but some commentators place responsibility for a data breach on the customers. After all, customers do provide their information willingly to these companies for handling. And if a company’s security standards aren’t up to snuff, customers can vote with their wallets and support only the companies that protect their data.
It’s not a particularly compelling argument, however, because the only way most people learn about a company’s security practices is if something has gone amiss.
And some services—such as Equifax and other credit reporting agencies—receive and handle customer data without their customers’ express permission, so customers have no control over who has their data. And of all the people involved in a data breach, customers have the least amount of power in deciding how a company protects their data.
Who Should Be Responsible for Cybersecurity Breaches?
“The organization” isn’t an exciting answer, but it is closest to the consensus of both the law and cybersecurity experts. And the cybersecurity blame game isn’t likely to yield a more useful answer. CEOs, CISOs and IT workers all hold some of the responsibility for preventing and responding to data breaches.
And focusing exclusively on one position or team doesn’t reflect the hierarchical nature of corporations, where mistakes have broader impacts as an individual’s power increases.
For both now and in the years to come, organizations—rather than individuals—will be responsible for the damages caused by cybersecurity breaches.