The compromise of personal information is becoming a weekly, if not daily, headline. The general public is probably under the illusion that the larger the company, the tighter the security. In fact, the evidence shows that big businesses are not any more secure than small businesses, given the breaches at Facebook, Panera Bread, TicketFly, MyHeritage, Under Armour, Capital One… all household names. These are just a few of the 10 biggest breaches in the last 12 months. Of course, no one can or should forget Equifax and Yahoo. With even this short list, it is hard to imagine that someone you know (or you yourself, for that matter) was not affected by one of these breaches.
No company wants to suffer a cyber breach, and even less so, a lawsuit following such a violation. However, by the actions or inactions of some companies and their executive leadership, a reasonable person could conclude that some companies and their officers and directors simply want to get sued. The most recent cyber attack at Capital One is yet another breach that affects the American public: 100 million people, reaching back as far as 14 years ago! The data compromised included Social Security numbers, ZIP codes, phone numbers, addresses, credit scores, and the list goes on. The days of making sure YOU keep your personal information private are gone. The days of making sure companies keep your data private are NOW!
When and how will corporate America and its executives begin to take a serious look at their culpability and liability in these breaches? That is the million-dollar, or multi-billion-dollar, question.
The law firm of Morgan and Morgan has filed a lawsuit alleging that Capital One failed to take “reasonable care” to secure sensitive information belonging to its customers. That’s clear enough and probably correct. Only time will tell. However, it is what Morgan and Morgan attorney John Yanchunis went on to say that should send chills down the spine of every company executive and director in America.
“Capital One’s tagline is ‘What’s in your wallet?’ Well, now we know the answer—for 100 million people—is a hacker from Seattle. Like so many others, Capital One knew the risks of a security breach and, we allege, did not take the proper steps to protect the personal information applicants and customers trusted the company to safeguard. You’d think with one data breach after another, companies would wise up and take responsibility for the data they collect from consumers, but unfortunately, they continue to shirk that responsibility. We will hold Capital One—and every company that fails to protect consumers’ data—accountable for the harm and disruption they cause to people’s lives until they begin to take adequate precautions.”
So, Morgan and Morgan has thrown down the gauntlet. They say they will hold every company, executive leadership and board of directors accountable for cyber security breaches.
When cybersecurity experts are asked, the question isn’t if, but rather when, your company will be breached. So, when Morgan and Morgan, or any other law firm, comes knocking, how on earth does a company, its officers and directors, prove that they have taken reasonable care? What is meant by adequate precautions? Furthermore, what is the true cost of a breach and the subsequent lawsuits to the company’s reputation and shareholder value?
“The socioeconomic ramifications of a single cyber-attack are extensive. These include financial harm, government investigations, regulatory fines, public backlash, negative industry reputation, and even shareholder lawsuits. Given that cybercrime and data-based terrorism are an increasingly prevalent aspect of digital life, all companies that operate in critical infrastructure industries should exercise responsible institutional governance. Fortunately, they can achieve this by deploying DHS-approved cybersecurity programs to protect their reputation and limit the potentially devastating effects of cyber-attacks.”
The common denominator in almost all of the aforementioned breaches was a failure of policy, people and process – not so much the technology. If executive leadership is not driving cyber security through company policy, security procedures and training of its people, their liability is almost incalculable. So, what can be done to secure a company and its sensitive information, and to get enterprises on board with the people, policy and procedure best practices needed to secure their organizations?
The government has done good work in support of commercial enterprise security, largely found in its development of the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and its siblings. The NIST CSF’s status as a de facto global benchmark justifies the requirement of its use by all federal agencies. Already, most enlightened commercial enterprises, large and small, have made the NIST CSF the gold standard for cyber maturity. To add to the incentives for use of the NIST CSF, in 2004, Congress passed the SAFETY Act. It provides protections for companies and their officers and directors, including immunity from third-party actions if a SAFETY Act designated product is utilized in support of NIST-based cyber maturity and resilience.
Many CEOs and boards of directors talk a good game, but it is time they walk the walk when it comes to cyber risk and cyber resilience. Cyber security must be front and center in strategy and the business. Not doing so continues to put the American public and their personal information at risk, as well as putting their company stakeholders at risk.
In short, to help shore up cybersecurity and to prove that corporate officers and directors exercised the proper duty of care, organizations large and small must implement the SAFETY Act approved NIST CSF and its siblings, such as the FFIEC CAT (for financial institutions like Capital One). Electing not to do so would certainly provide evidence that the proper duty of care was not taken.