CISO Liability and Lawsuits in the Face of a Crisis, Part 1
The CISO’s worst nightmare
When an organization becomes the victim of a data breach, company leadership — and the media — often panic about business continuity, brand and reputation damage, stock value losses, and lawsuits. Indeed, a pressing worry that has emerged over the past several years is the legal liability for the security team, especially for the chief information security officer (CISO), if and when there is a breach.
Until recently, it was rare for CISOs to get into legal trouble as a result of a cyberattack. Company leadership might treat the CISO as a scapegoat and terminate them, but that would be the end of the repercussions. Today’s growing legal landscape has led companies, and even individuals within those organizations, to face litigation increasingly often following a breach. Large-scale hacks, such as those at Target in 2013 and Sony in 2014, both resulted in suits that cost the companies hundreds of millions of dollars and implicated the organizations’ directors. Shortly after these incidents, the chief information officer (CIO) of the U.S. Office of Personnel Management (OPM) was also named in a lawsuit after a massive breach of government computer systems led to the exposure of 21.5 million people’s personal data.
Customers and other stakeholders are now more keenly aware of an organization’s security posture and expect to be compensated in case of a breach — and the CISO can sometimes end up paying the price. Lawsuits are likely a lasting trend as the cyberthreat landscape grows and the consequences of breaches increase. The question then becomes: how can CISOs escape or reduce their legal exposure following a security crisis?
Understanding the role of due diligence and defensibility for a CISO and their organization
Before we offer some pointers on due diligence and defensibility, I will state the obvious — I am not a lawyer and the following is not legal advice, but rather some observations I made during my career and through countless discussions with CISOs. Due diligence and defensibility appear to be top of mind if and when organizations get breached. It is important to remember that the expected level of due diligence is not absolute, and will look different across organizations. For example, the risk posture and risk appetite of a mid-market organization building widgets will be vastly different from those of a Fortune 500 financial institution, and therefore the expected “due diligence” in security efforts will differ just as much. A robust risk management approach will dictate the level of due diligence that each organization and each CISO needs to undertake.
Due diligence is tightly tied to the concept of defensibility. This is true for an organization, but also for its CISO. Is your organization’s security program “defensible”? Are the CISO’s behavior and actions defensible? Assume that you are the CISO of an organization that faced a cyberattack, that a breach has been declared, and that the whole story ends up on the front page of the Wall Street Journal. How would you answer the following questions?
- Do the protocols I have implemented align with applicable laws and industry standards?
- Can I justify/defend myself?
- Have my actions and behavior been defensible prior to, during and after the incident?
- How do my actions benchmark against the required level of due diligence, against the needs of the business, against accepted best practices, and against similar organizations that suffered a breach?
These are important questions that you need to ask yourself before suffering a breach. In my next post, “CISO Liability and Lawsuits in the Face of a Crisis, Part 2”, I will talk about some common steps that you can take as a current or prospective CISO.
Editor’s note: This post was first published on Medium.com.