The Legal Liability Dilemma: How do security leaders navigate the aftermath of breaches?

In today’s fast-moving digital landscape, data breaches have become an unfortunate reality for organisations worldwide. As these incidents continue to rise, a growing concern among security leaders, particularly Chief Information Security Officers (CISOs), is their personal legal liability following a breach. Read more about the critical role of the C-Suite in data security in our recent blog.

Recent events, such as the SEC’s Wells Notice to the SolarWinds CISO and the former Uber CSO being found guilty of obstruction of justice, have sparked a heated debate among security leaders.

Below, we explore the challenges faced by security leaders and the absence of clear guidance from governments and industry consensus on what constitutes “basic security”.

The Heightened Concerns of CISOs

According to a recent survey conducted by Salt Security, almost half of the CISOs surveyed expressed worry about personal litigation resulting from a breach. These concerns are not unexpected: in recent years, security leaders have often borne the brunt of responsibility and blame, despite the complexity and shared nature of security challenges. Many experts argue that this practice is unfair and fails to acknowledge the broader organisational factors involved in cybersecurity.

Unravelling the SolarWinds and Uber Cases

The SolarWinds supply chain attack and the Uber data breach serve as stark reminders of the legal risks security leaders face in the wake of a security incident.

In the SolarWinds case, the SEC sent Wells Notices to several current and former executive officers, including the CISO, following the 2020 Sunburst supply chain attack that impacted numerous organisations and federal agencies. Despite the company’s claims of adhering to cybersecurity best practices, the threat of civil enforcement action loomed over the executives.

The Uber case set a precedent of a different kind: the ex-CSO was found guilty of obstruction of justice and misprision of a felony in connection with the cover-up of a massive data breach in 2016. He was subsequently sentenced to a three-year term of probation and ordered to pay a fine of $50,000. Notably, the conviction turned on the concealment of the breach from regulators, not on the breach itself. Such verdicts have polarised the security community, with some viewing them as justified while others perceive them as unfair.

The Absence of Clear Guidance on “Basic Security”

A major concern for CISOs is the absence of clear guidance from governments on how to handle, respond to and disclose cyberattacks.

Although laws such as HIPAA and FISMA impose security and privacy obligations on specific sectors, there is no global consensus on what constitutes fundamental security practice. The SEC’s proposed Rule 10 aims to establish cybersecurity risk management requirements for market entities, but the timing of required disclosures and the penalties for non-compliance remain unclear.

To reduce the personal litigation risk for CISOs, experts suggest establishing a mature reporting structure that involves C-level leaders and board members. This approach ensures transparency and accountability, and it creates a documented record of who was informed of an incident, when, and what decisions were taken, which is precisely the evidence that distinguishes a good-faith response from a cover-up. Additionally, responsibility for security and breach response should be distributed among various stakeholders, including boards, audit committees and cybersecurity working groups, rather than resting on one individual.

While a solid reporting structure and shared responsibility are good to have, they do not by themselves prevent data loss. Certes offers a data protection solution that protects sensitive information end-to-end without impacting other network security solutions. This way, your data remains protected even if a breach occurs, offering a further layer of assurance for CISOs and the C-Suite.

As the cybersecurity landscape continues to evolve, security leaders face heightened concerns about their legal liability in the aftermath of a breach, and the lack of clear guidance on “basic security” further complicates the matter. Nevertheless, establishing robust reporting structures, sharing responsibility among stakeholders and protecting the data itself can all help mitigate personal litigation risk for CISOs.

Speak to us today on how we can protect your valuable data, ensuring its classification and utmost protection across any network.