Company Leaders Worry About Liability for Breaches

Most officers and directors at publicly traded companies believe that organizations should be held accountable for customer data breaches that occur when reasonable security efforts are not made, according to a recent survey. However, it’s not clear what those reasonable efforts should entail.

“With this survey, we were thinking of the evolving issues of liability,” says Chris Wysopal, CTO and CISO of Veracode, a provider of cloud-based security services, which conducted the survey in conjunction with NYSE Governance Services, a division of the New York Stock Exchange Group. “We were starting to see cases, like with Wyndham, where the court found Wyndham [Worldwide] guilty of negligence,” for using out-of-date software and for not putting reasonable security measures in place.

In that case, the Federal Trade Commission alleged that Wyndham Worldwide ran vulnerable, out-of-date software, that this led to breaches of customer information, and that the breaches resulted in more than $10 million in fraudulent charges on consumers' payment cards. The FTC charged that these practices were unfair under Section 5 of the FTC Act. Wyndham argued that the FTC had no authority to regulate businesses' data security practices, an argument the Third Circuit rejected in 2015 when it allowed the case to proceed.

To look more closely at liability and how corporate directors think about it, the two organizations surveyed 276 officers and directors at publicly traded companies. The study found that 89 percent felt regulators should hold organizations accountable when reasonable steps to prevent consumer data breaches were not taken. Asked why, 68 percent said it is a matter of corporate responsibility, while 21 percent said the threat of liability would force businesses to improve their security.

“The key here is that while regulators should hold businesses liable, something that regulators should do is come out with clear guidance—what is a reasonable effort, what would be reasonable—so that [organizations] can plan for that,” says Wysopal. “That de-risks the situation.”

Holding Software Providers Accountable

In addition, 90 percent of respondents felt that third-party software providers should be held accountable for vulnerabilities found in their packaged software. Reflecting that view, 65 percent are already planning to insert liability clauses into their third-party contracts. Wysopal says he expects special-terms third-party agreements to become more common, and third-party audits to occur more frequently.

“Software is one of those things that you accept all of the risk for operating, and the manufacturers of the software don’t accept any risk,” says Wysopal. “Because we are relying on software so much—instead of machines, instead of people—it’s becoming this big area of risk for businesses to start to do more with.”

The report also indicates that there is a significant interest in cyber-insurance, a market that is expected to triple to approximately $7.5 billion within the next five years, according to a Reuters report.

Of those queried about cyber-insurance, 91 percent said they have it to help cover costs related to business interruption and data restoration, and 54 percent have it to cover reimbursable expenses such as breach notification, Payment Card Industry (PCI) fines and extortion payments. Another 52 percent carry employee/insider-threat liability coverage, while 35 percent have coverage against loss of sensitive data caused by human error or software coding errors.

In fact, Wysopal sees both the insurance industry and the FTC as being significant drivers in clarifying what defines reasonable efforts in the future. He pointed out how rigorous the insurance industry is in setting standards for everything from fire to automobile insurance, and he foresees insurance having a similar impact in helping to define risk in the cyber-security arena.

“For technology, insurance can help inject that concept into something that has been kind of a Wild West,” he says.

The FTC has also published guidance on cyber-security measures, but mainly for small and medium-size businesses, according to Wysopal. Directors and officers of large corporations therefore continue to look for guidance on whether they are spending too much or too little on cyber-security, and on whether they could be held accountable for breaches.

“They don’t want to underspend and be found liable,” Wysopal points out, “and they don’t want to overspend and be found liable. I think they want more clarity about what reasonable [security] is.”