Data Breach Fallout: Do CISOs Need Legal Protection?

Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.


READER FEEDBACK
nellwal
Thu, 2008-07-31 11:41

It's a sad state of affairs that it's come to this. I'm not sure what the liability will protect from - civil action against the individual, or some sort of monetary protection in case the individual is terminated. http://whistlersear.wordpress.com

Buckeroo Banzai
Fri, 2008-08-01 00:36

Having had to hire an employment lawyer (under retainer), secure a safety deposit box, store encrypted data on a hard drive in the box and in an out-of-state location in a safe while serving as a CISO for a $3B firm, I'd say that private insurance is warranted to protect CISOs not from outside prosecution but from inside persecution.

Anonymous
Fri, 2008-08-01 15:50

Buckeroo Banzai, you should contact me at hate.spam@mac.com. As a former CISO myself, I hear you loud and clear.

This article was good and timely. I have heard from many CSOs and CISOs who have been retaliated against after "issues" have occurred in their former organizations. The sad thing about this is that the role is turning into a place to focus blame if something happens, kinda like a CIO insurance policy. Insurance should be there for the internal side mostly.

Another sad note is that many law firms have not risen to the challenge in understanding employment, information technology and regulatory law as a whole.

George Moraetes
Sun, 2008-08-03 12:15

It really goes far deeper than that: we as CISOs or CSOs must think like an attorney to protect ourselves and the companies we work for. I have this coverage, much like an errors and omissions policy would cover corporate executive officers and independent practitioners like myself. Some corporations do extend this down to the CSO but many do not; ask your employer's HR department if this is the case.

The challenge with the executive culture is to get them to "buy in" to the fact that security is a vital and visionary part of the business. Some do not want to sign off on the risk even after you have explained to them the consequences if they do not put in the effort to mitigate the risk. So you document the fact to cover yourself and lose your job because of it, or they make your job difficult enough that you resign. Most think of security as an overhead expense, and often the CISO reports to the CIO instead of being a peer. The CISO position becomes nothing more than a figurehead to the company, doing everything from soup to nuts. Some cultures are very proactive and embrace and value our responsibilities within the organization. The point is, if the CEO and top management do not embrace information security, what makes you think the rest of the organization will? It is an uphill battle for most that ends up in frustration and a dead-end job, and I can give you countless organizations where this is the case right now, where the role of security is buried somewhere within the confines of IT and not at the visible executive forefront where it belongs. And when a breach occurs, even with the best ironclad security policies and procedures in place, oh yes, the CISO often is the fall guy.

I have studied security breaches that went into litigation, and these have had far-reaching impact on organizations. Here is one:

Company: ChoicePoint

  • FTC charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies.
  • FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.
  • ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress.

And yet another:

Company: Guidance Software

  • FTC alleged that Guidance violated the FTC Act by failing to protect sensitive information by:
      • failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;
      • failing to implement simple, low-cost, and readily available defenses to such attacks;
      • storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;
      • failing to use readily available security measures to monitor and limit access from the corporate network to the Internet;
      • failing to employ measures to detect unauthorized access to consumers' credit card information.

The legal cases are replete with security breach litigations costing corporations millions if not billions. This is why I am an advocate for CISOs to protect themselves.

Anyone is welcome to contact me.

George Moraetes, CISM
Information Security Executive and Enterprise Architect
Web: http://www.moraetes.com
Linkedin: http://www.linkedin.com/in/moraetes

Vosgtc
Fri, 2008-08-01 13:45

www.GreatLegalHelp.com/bg3

Anonymous
Fri, 2008-08-01 16:32

We had a similar problem in our organization (an association of IT management professionals). Nothing was commercially available to provide our members with any form of protection.

Eventually, we went directly to the insurance carriers and had them create a product specifically for us. Not exactly an easy path for many companies but the need for it definitely exists.
