CISO Liability and Lawsuits in the Face of a Crisis, Part 1

December 09, 2020

The CISO’s worst nightmare

When an organization becomes the victim of a data breach, company leadership — and the media — often panic about business continuity, brand and reputation damage, stock value losses, and lawsuits. Indeed, a pressing worry that has emerged over the past several years is the legal liability for the security team, especially for the chief information security officer (CISO), if and when there is a breach.

Until recently, it was rare for CISOs to get into legal trouble as a result of a cyberattack. Company leadership might treat the CISO as a scapegoat and terminate them, but that would be the end of the repercussions. Today's evolving legal landscape has led to companies, and even individuals within those organizations, increasingly facing litigation following a breach. Large-scale hacks, such as the ones at Target in 2013 and Sony in 2014, both resulted in suits that cost the companies hundreds of millions of dollars and implicated the organizations' directors. Shortly after these incidents, the chief information officer (CIO) of the U.S. Office of Personnel Management (OPM) was also named in a lawsuit after a massive breach of government computer systems exposed the personal data of 21.5 million people.

Customers and other stakeholders are now more keenly aware of an organization's security posture and expect to be compensated in case of a breach, and the CISO can sometimes end up paying the price. Lawsuits are likely to remain a lasting trend as the cyberthreat landscape grows and the consequences of breaches increase. The question then becomes: how can CISOs avoid or reduce their legal exposure following a security crisis?

Understanding the role of due diligence and defensibility for a CISO and their organization

Before offering some pointers on due diligence and defensibility, I will state the obvious: I am not a lawyer, and the following is not legal advice, but rather observations I have made during my career and through countless discussions with CISOs. Due diligence and defensibility appear to be top of mind if and when organizations get breached. It is important to remember that the expected level of due diligence is not absolute and will look different across organizations. For example, the risk posture and risk appetite of a mid-market organization building widgets are vastly different from those of a Fortune 500 financial institution, so the "due diligence" expected of their security efforts is vastly different as well. A robust risk management approach will dictate the level of due diligence that each organization and each CISO needs to undertake.

Due diligence is tightly tied to the concept of defensibility. This is true for an organization, but also for its CISO. Is your organization's security program "defensible"? Are the CISO's behavior and actions defensible? Assume that you are the CISO of an organization that faced a cyberattack, that a breach has been declared, and that the whole story ends up on the front page of the Wall Street Journal. How would you answer the following questions?

  • Do the protocols I have implemented align with applicable laws and industry standards?
  • Can I justify/defend myself?
  • Have my actions and behavior been defensible prior to, during and after the incident?
  • How do my actions benchmark against the required level of due diligence, against the needs of the business, against accepted best practices, and against similar organizations that suffered a breach?

These are important questions that you need to ask yourself before suffering a breach. In my next post, “CISO Liability and Lawsuits in the Face of a Crisis, Part 2”, I will talk about some common steps that you can take as a current or prospective CISO.

Editor’s note: This post was first published on
