BreachExchange mailing list archives

Company Leaders Worry About Liability for Breaches

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 Jan 2016 18:25:15 -0700

http://www.baselinemag.com/security/company-leaders-worry-about-liability-for-breaches.html

Most officers and directors at publicly traded companies believe that
organizations should be held accountable for customer data breaches that
occur when reasonable security efforts are not made, according to a recent
survey. However, it's not clear what those reasonable efforts should entail.

"With this survey, we were thinking of the evolving issues of liability,"
says Chris Wysopal, CTO and CISO of Veracode, a provider of cloud-based
security services, which conducted the survey in conjunction with NYSE
Governance Services, a division of the New York Stock Exchange Group. "We
were starting to see cases, like with Wyndham, where the court found
Wyndham [Worldwide] guilty of negligence," for using out-of-date software
and for not putting reasonable security measures in place.

In this case, the Federal Trade Commission alleged that Wyndham Worldwide
used vulnerable out-of-date software, which led to a breach of customer
information and a resultant $10 million in fraudulent charges on consumers'
bank and debit cards. This violated Section 5 of the FTC Act. Wyndham
argued that the FTC did not have the authority to regulate businesses' data
security practices.

To look more into the issue of liability and the mindsets of corporate
directors about liability, the organizations surveyed 276 officers and
directors at publicly traded companies. The study found that 89 percent
felt regulators should hold organizations accountable when reasonable steps
to prevent consumer data breaches were not taken. Sixty-eight percent said
businesses have a corporate responsibility to be held liable by regulators,
while 21 percent said liability would force businesses to improve security.

"The key here is that while regulators should hold businesses liable,
something that regulators should do is come out with clear guidance—what is
a reasonable effort, what would be reasonable—so that [organizations] can
plan for that," says Wysopal. "That de-risks the situation."

Holding Software Providers Accountable

In addition, 90 percent of respondents felt that third-party software
providers should be held accountable for vulnerabilities found in their
packaged software. As a result of these inherent risks, 65 percent are
already planning to insert liability clauses into their third-party
contracts. Wysopal says he expects special-terms third-party agreements to
become more common—and for third-party audits to occur more frequently.

"Software is one of those things that you accept all of the risk for
operating, and the manufacturers of the software don't accept any risk,"
says Wysopal. "Because we are relying on software so much—instead of
machines, instead of people—it's becoming this big area of risk for
businesses to start to do more with."

The report also indicates that there is a significant interest in
cyber-insurance, a market that is expected to triple to approximately $7.5
billion within the next five years, according to a Reuters report.

Of those queried about cyber-insurance, 91 percent said they have it to
help cover costs related to business interruption and data restoration, and
54 percent have it to cover expenses related to reimbursement, such as for
breach notification, Payment Card Industry (PCI) fines and extortion.
Another 52 percent subscribe to employee/insider threat liability coverage,
while 35 percent have coverage to protect their organizations against loss
of sensitive data arising from human error or software coding errors.

In fact, Wysopal sees both the insurance industry and the FTC as being
significant drivers in clarifying what defines reasonable efforts in the
future. He pointed out how rigorous the insurance industry is in setting
standards for everything from fire to automobile insurance, and he foresees
insurance having a similar impact in helping to define risk in the
cyber-security arena.

"For technology, insurance can help inject that concept into something that
has been kind of a Wild West," he says.

The FTC also has provided guidelines on cyber-security measures, but
mainly for small and medium-sized businesses, according to Wysopal. Despite
this, directors and officers of large corporations continue to look for
guidance about whether they are spending too much or too little money on
cyber-security, and whether they could be held accountable for breaches.

"They don't want to underspend and be found liable," Wysopal points out,
"and they don't want to overspend and be found liable. I think they want
more clarity about what reasonable [security] is."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 