Beyond the compromise of valuable information, loss of revenues and damage to brand reputation, data breaches can pose a threat to the careers of security professionals involved: witness the sudden departures of both the CEO and the CIO of Target after last year's compromise of 40 million customers' credit cards.
While experts say there are no laws to hold CEOs, CIOs and CISOs personally responsible for damage done when networks are hacked, boards of director can use their power to get rid of those they blame, and there's not much security execs can do about that.
+ Also on Network World: Survey: Cybersecurity pros endorse data breach notification rules |Worst security breaches of the year 2014: Sony tops the list +
There are laws, though, that they should worry about because they affect the liability of the company as a whole for damages resulting from data loss, so these laws should be taken into consideration when designing defenses to thwart hacks, says Lisa Sotto, a New York attorney with Hunton & Williams. Customers affected by breaches bring lawsuits, and shareholders file suits that blame corporate leadership for falling stock prices, she says, factors that have to be juggled by the person charged with keeping data safe.
The trouble is that many of the relevant laws use general wording that has yet to be clarified by court decisions, making the task more difficult. "The CISO is the hardest job in the company today because you have little legal guidance while facing an increasing barrage of attacks from the outside," she says. "The environment changes on a dime."
Lisa Sotto, a New York attorney with Hunton & Williams
Contributing to the problem is the 100-year-old Federal Trade Commission Act, which has been revised and modified over the years. One provision of the law written before hacking existed is being called on to prosecute companies that fall victim to data theft, says Jason Straight, senior vice president and chief privacy officer for UnitedLex, a legal and technology consultancy.
The Federal Trade Commission uses the provision that outlaws unfair or deceptive acts or practices in or affecting commerce.'' It applies the language because it says businesses imply they will protect customers' information then don't.
The FTC has won more than 50 settlements from companies it charged with failing to adequately protect customer information they collect. Wyndham Hotels was one of the companies the FTC went after, but that is fighting back. There won't be a court ruling that might clarify the law, though. Last fall a federal judge turned the case over to a mediator to work out an agreement. Whatever that decision is won't have an effect on how the law is interpreted.
The standard the FTC says it uses is "a company's data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities."
It says it "does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law."
Settling with the FTC, though, can be burdensome. Companies that sign consent decrees with the FTC to settle charges are saddled with having their security practices assessed by the FTC 10 times, once every two years. "You are married to the FTC for 20 years," Sotto says. There is no monetary penalty unless there is a second offense, and then they can be $16,000 per day per violation.
Individual states such as Massachusetts, California and Nevada have data-protection statutes that also call for measures that are "reasonable" and "appropriate," she says. "It's not fair to say those are weasel words. It's difficult to mandate reasonable standards."
There are many attempts to set standards to protect data. For example, the Graham Leach Bliley Act requires written information security programs spelling out administrative, physical and technological safeguards to protect customer information. "It's that vague," she says.
Beyond laws, regulations governing various industries also come into play by demanding compliance with often frustratingly vague requirements, she says.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires administrative, physical and technological safeguards, and tries to spell them out. The downside is they were written in the early 2000s. "They're ancient history," she says, but they are required by law, so businesses are forced to meet them despite newer defenses created in the meantime that might be better to protect their current environment. "In a nanosecond it can change."
HIPAA allows up to $50,000 sanctions per incident for willful neglect by the entity that suffers a breach, Straight says. The problem is that willful neglect has an unclear definition, so it's hard to know. Penalties can be more severe and include prison terms. "It's very difficult for federal regulators to provide specific information on what you need to do to fulfill regulators' requests," Straight says.
Terminology is vague enough to begin with such as requiring "reasonable efforts" and "appropriate security programs" to keep data safe but what that means in practice can change. "It's a very unsettled time" he says.
The credit card industry has its own standards known as payment card industry data security standard (PCI DSS). As a practical matter, being PCI compliant doesn't help, Straight says. "That's the joke in the security industry no company that's compliant with PCI DSS has ever been breached because a re-audit finds they were not complaint at the time of the breach," he says. I'm not aware of any that's been certified compliant at the time of a breach."
Corporate security pros have to worry about not only whether the defenses they create meet industry standards, but also whether they adequately defend information on the network, says Torsten George, a vice president for security firm Agiliance. Increasingly that includes whether the defenses withstand legal scrutiny of class-action lawsuits brought by those whose information becomes compromised.
Even as the consequences for corporate data breaches get stiffer and stiffer it is accepted as inevitable that all business networks will be breached eventually, putting executives in charge of protecting these networks in a pickle.
"Yes you will get breached even if you have a definite in-depth strategy," says George. "This is a reality nowadays. There is no 100% protection."
In order to survive the scrutiny of regulators, other enforcement agencies and the courts, security pros should make sure their defenses go beyond merely following standards by rote, Straight recommends. Ask, Am I actually protecting the information I should protect?'" he says.
Structurally, security officers such as CSOs shouldn't report to the CIO because they have conflicting duties, he says. The CIO is responsible for design of networks and ensuring uptime for information to be used. CSOs' job includes restricting that access.
Corporate security execs should carefully document the defenses they do put in place. "No matter what we do at some point there's going to be intense scrutiny on what we do. We'll have to sit in front of our colleagues and explain how the security program is adequate," Straight says.
Despite the best efforts, hassles with the law will become a long-term nightmare for companies that suffer loss of customer data. "Technical remediation is relatively straight forward," Straight says, "legal fallout will take years."