Beyond the compromise of valuable information, loss of revenues and damage to brand reputation, data breaches can pose a threat to the careers of security professionals involved: witness the sudden departures of both the CEO and the CIO of Target after last year's compromise of 40 million customers' credit cards.
While experts say there are no laws to hold CEOs, CIOs and CISOs personally responsible for damage done when networks are hacked, boards of director can use their power to get rid of those they blame, and there's not much security execs can do about that.
There are laws, though, that they should worry about because they affect the liability of the company as a whole for damages resulting from data loss, so these laws should be taken into consideration when designing defenses to thwart hacks, says Lisa Sotto, a New York attorney with Hunton & Williams. Customers affected by breaches bring lawsuits, and shareholders file suits that blame corporate leadership for falling stock prices, she says, factors that have to be juggled by the person charged with keeping data safe.
The trouble is that many of the relevant laws use general wording that has yet to be clarified by court decisions, making the task more difficult. "The CISO is the hardest job in the company today because you have little legal guidance while facing an increasing barrage of attacks from the outside," she says. "The environment changes on a dime."
Contributing to the problem is the 100-year-old Federal Trade Commission Act, which has been revised and modified over the years. One provision of the law written before hacking existed is being called on to prosecute companies that fall victim to data theft, says Jason Straight, senior vice president and chief privacy officer for UnitedLex, a legal and technology consultancy.
The Federal Trade Commission uses the provision that outlaws unfair or deceptive acts or practices in or affecting commerce.'' It applies the language because it says businesses imply they will protect customers' information then don't.
The FTC has won more than 50 settlements from companies it charged with failing to adequately protect customer information they collect. Wyndham Hotels was one of the companies the FTC went after, but that is fighting back. There won't be a court ruling that might clarify the law, though. Last fall a federal judge turned the case over to a mediator to work out an agreement. Whatever that decision is won't have an effect on how the law is interpreted.
The standard the FTC says it uses is "a company's data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities."