IT Consultants' Insight on Business Technology | NSK Inc.

Whose fault is that Data Breach?

Posted by Monica DeStefano Tue, May 09, 2017

Co-authored by: Steven Lai

Being in a high position at a company is never easy, especially when you are the CEO and are responsible for both employee and client information. You are expected to be the visionary, the fearless leader, while bearing the burden of heavy management responsibilities.  All this, while maintaining the financial stability of the company and healthy relationships with both personnel and clientele.  

Putting out fires is a constant part of your C-level role.  You deal with the complexity of your business growth, while tackling, head on, the legality of keeping all your information secure and protected. 


A company’s C-level executive team now faces the ever-growing and potentially catastrophic implications of a cyber breach. It’s no longer just the responsibility of the IT department.

In the event of a security breach, the direct result is a massive decline in clientele confidence, not to mention the effect on stock prices. It’s a PR nightmare. These days, reputation is everything. A cyber breach can be the non-stop express train to bankruptcy. Not a good thing for any company. Now, assume you are the head of that company and don’t ignore that icy chill that rolled down your spine. As the prospect of a data breach continues to grow, the issue is no longer just a company problem. The executive team can now be held responsible and financially liable for a data breach. Although there have been no legal precedents set, as of yet, it’s only a matter of time before the law catches up with technology and CEOs are the target of litigation. So, the cherry on top of the bankruptcy cake? You, as the head of your company, could be sued for NOT keeping up with the times.

A great example of this is Target. Target's database was hacked during the Christmas season in December 2013. Cyber criminals hacked into Target’s customer database, gaining access to over 40 million customers’ account records. This was a direct result of inadequate security measures.

After the incident, Target saw a dramatic slump in sales. In response to this incident, Target shareholders did not re-elect CEO Gregg Steinhafel. He was forced to resign, due to his careless approach to protecting Target’s customer credit card data. Not only was Gregg forced to resign, ending his 35-year career with Target, but Target's CIO, Beth Jacobs, also resigned, essentially taking the fall for the breach. The first quarter of 2014 saw an executive upheaval at Target, in addition to falling stock prices, reduced revenues and a buffet of bad press.

After Gregg and Beth were forced to step down, Target hired a new chief information officer, Bob Rhodes, who is focusing efforts heavily on additional security enhancements, such as utilizing MasterCard chip-and-pin technology, an enhancement available in the consumer marketplace since 2010. 

 


 

According to The Wall Street Journal, "The executive fallout from the Target breach shows the increasing importance of data security to all organizations — and that CEOs are ultimately responsible for ensuring consumers' information is protected."

A new report from security rankings provider BitSight Technologies shows healthcare CEOs, in particular, have reason to be concerned about cybersecurity. Of the four industries studied (finance, utilities, retail, and healthcare and pharmaceuticals), the healthcare and pharmaceutical industry experienced the largest number of data breaches in the past year. To add insult to injury, it also experienced the longest average response times to security incidents.

"As governmental security regulations are increasingly more stringent, and consumers are growing less tolerant of their data being exposed, senior executives must make data security a priority. They need to spend more time understanding security protocols, devise data breach response plans, and implement preventive measures to protect sensitive data. Policies must continually evolve as governing regulations are expected to rapidly evolve to keep pace with emerging changes in cyber-criminal strategies," said Todd Sexton, the CEO of Identillect Technologies Inc.

It's now a stark reality that data security breaches are considered the responsibility of C-level management. Incidents of data breach put every employee of a company at risk. If we learn one thing from the fallout of Target’s mistake, it’s that the buck stops with the most senior members of a company’s executive team. It’s only a matter of time before those in the highest positions of authority are held legally accountable for the result of a data breach. What that means remains to be seen.

Sources:

https://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/#28911a877c9f

https://www.forbes.com/sites/greatspeculations/2014/05/08/targets-ceo-steps-down-following-the-massive-data-breach-and-canadian-debacle/#53a5b0d92ba6

http://www.beckershospitalreview.com/healthcare-blog/who-s-ultimately-responsible-for-data-breaches-it-might-be-you.html

http://www.homelandsecuritynewswire.com/dr20150213-ceo-responsibilities-for-data-breach
