Friday, June 19, 2015

Cybersecurity: Where Does the Buck Stop?

Over the last few months, we’ve been talking about cybersecurity issues for employers.  We’ve discussed the responsibilities and risks associated with personally identifiable information and the wave of lawsuits resulting from data breaches.  With cyberattacks and internal data breaches topping the list of workplace fears, cybersecurity has never been a hotter topic.  More and more employers – including the U.S. Government – have experienced such an attack.  It’s time to start thinking about who in your organization has responsibility for cybersecurity, and who senior management and the courts will deem responsible if security fails.

Board of Directors Responsibility.  U.S. government regulators point the finger at corporate board members as the individuals ultimately responsible for keeping corporate data (including personnel and consumer data) safe.  As the U.S. government recovers from one of the largest personnel data breaches in history, it may be difficult to swallow federal guidance, given allegations by members of Congress and other observers of “gross negligence” and neglect of the government’s own systems.  That said, corporate boards and individual board members have historically been responsible for corporate inaction or negligence if it occurs as a result of a breach of the Board’s fiduciary duties.  Boards are taking notice of their responsibility for cybersecurity, and cyber issues have been a top agenda item for many corporate boards.

Executive Responsibility.  According to a survey of 200 directors at publicly traded companies, four in 10 directors believe a CEO should “take the rap” for a data breach.  To date, CEOs of high-profile companies have not been fired following a breach, but chief information officers and technology executives have lost their positions.  Beth Jacob, the former Chief Information Officer at Target, resigned, and two top technology officers at the University of Pittsburgh Medical Center left months after the medical center’s announcement of a data breach affecting up to 62,000 employee records.  To the best of our knowledge, no executives have been held personally liable for data breaches, but like boards, they are taking notice of the risk.  Because executives play a large part in deciding where resources are spent, many are increasing their IT budgets and/or outsourcing IT in response to increasing cybersecurity risks.

IT Responsibility.  It’s really easy to point the finger at an employer’s information technology department when a data breach occurs, and as mentioned above, heads have rolled because organizations have done just that.  Certainly, the segregation of data and technological security systems falls squarely within an IT department’s area of expertise.  As the federal Office of Personnel Management knows, however, the amount of support and resources given to IT by executives and the attention that all individuals within an organization give to IT’s warnings also play a part. 

Manager Responsibility.  Managers certainly have a role to play in ensuring that their organization does not suffer a data breach. Understanding, communicating, and enforcing security policies and practices are often a critical part of a manager’s job.  As the Astros are learning the hard way, managers need to make sure, for example, that employees change passwords frequently and keep their passwords private to help protect sensitive data.  Because they have day-to-day oversight of employees, managers represent the front line of cybersecurity. While not likely to be held personally liable for damages caused by a data breach, managers may be held responsible by their employers for failing to do an important part of their job, and may be subject to discipline or discharge.

Employee Responsibility.  Despite protective measures put in place by corporate boards, executives, IT, and managers, data breaches continue to occur and accelerate, and employees are the source of the majority of those breaches.  According to industry group CompTIA, 52 percent of data breaches are the result of human error.  Failure to understand the nature and seriousness of the threat, combined with general carelessness, results in employees’ failure to follow security policies.  Phishing scams, Trojan horses, and other social engineering tactics can cause a single employee to be the source of a data breach.  All employees need to be trained and vigilant about cybersecurity issues.  Like managers, employees are not likely to face legal liability for the damage caused by a security breach, but they could well face discipline or discharge for failure to abide by their employer’s policies.

Ultimately, cybersecurity is everyone’s responsibility.  In speaking of the recent government hack, House of Representatives Oversight Committee Chairman Jason Chaffetz said, “OPM’s data security posture was akin to leaving all your doors open and windows unlocked and hoping nobody would walk in and take the information.”  Employers need to educate all employees, as well as board members and business partners, to recognize their responsibilities and avoid risk.

Posted by Kate Bischoff