5 steps for avoiding personal liability risk from a data breach
A few months ago, a federal grand jury issued an indictment for the Chief Executive Officer and the Chief Legal Officer of a major technology firm. 1 The charge? An alleged scheme to bribe one or more government officials in India to ensure that they would issue a construction permit, necessary to construct a large facility housing thousands of employees. The company agreed to pay $25 million to settle charges under the Foreign Corrupt Practices Act. 2
While personal involvement in corrupt practices is a no-brainer – they could land you in jail, many compliance professionals are concerned that acts performed by others for whom they have no oversight could land them in jail. In Thomson-Reuters’ recent Cost of Compliance survey, 60% of financial services firms expect the personal liability of compliance professionals to increase. 3
What about when an oversight in data protection and security results in a massive data breach, impacting millions of data subjects? A recent survey showed that 1 in 3 data breaches resulted in the dismissal of senior non-IT professionals. 4 In a move towards personal liability for breaches, a US Senator recently proposed a law that “expands criminal liability to any corporate executive who negligently oversees a giant company causing severe harm to U.S. families. 5 What can compliance and risk executives do to mitigate risk and reduce the potential for personal liability*?
Step 1: Understand regulatory requirements for documenting and reporting compliance policies and procedures
Many regulations require documentation of the company’s plans to respond to threats and mitigate incidents prior to a breach. One example is NERC CIP’s requirement to have a Cyber Security Incident response plan(s) that “include the process to identify, classify, and respond to Cyber Security Incidents. 6 One of the largest NERC CIP fines in history was levied for violations for not identifying and categorizing assets correctly, and not including those assets in Disaster Recovery Plans or baseline configurations. 7 A comprehensive plan not only provides the foundation for risk mitigation and management but serves as a point of reference for demonstrating corporate and executive commitment to data protection and confidentiality.
Step 2: Create a plan of action for notifying authorities in the event of a breach
In the United States, all 50 states have enacted laws requiring companies to notify individuals of data breaches that involve personal information. These laws vary by state in their reporting requirements and even in their definition of personal information. There are many resources online that attempt to consolidate these requirements in a single place, making it easier for the risk and compliance professionals to quickly access this information. Additionally, some regulatory authorities such as NYDFS 8 have shorter breach reporting windows (as short as 72 hours)!
Step 3: Select and implement a risk methodology that allows you to quantify and prioritize business risk
An open methodology such as the FAIR Methodology 9 helps risk and compliance practitioners to quantify operational and cybersecurity risk. The methodology helps answer tough questions such as “How much risk do we have?” It also addresses what-if scenarios such as “Would my risk be less or more if we performed this particular mitigation action?” The results are produced in a format that makes sense financially to the board and can also be used to secure funding for future initiatives.
Step 4: Work on mitigating the highest priority risks first
Let’s face it. We all don’t have unlimited budgets. Step 3 helps organizations to implement mitigation options based on criteria such as cost-effectiveness. In other words, which activities would give me the biggest bang for the buck. Factors such as time, number of resources and other finite inputs will produce the analysis that a compliance or risk practitioner can then take further up the chain for allocating resources and funding.
Step 5: Conduct frequent compliance audits utilizing the risk assessment plan from step 3
A complete enterprise risk assessment will consider the regulatory risk faced by the organization and will highlight and prioritize regulations that pose the greatest potential for fines, penalties or reputational damage. A compliance risk mitigation plan will define the frequency at which the audits will occur and may vary by industry, geography and other factors.
Forescout will be teaming up with the FAIR Institute and stackArmor to host an insightful discussion by two CEOs who will share their perspective on the risks that CISOs and their teams need to truly understand.
* does not constitute legal advice
1 Justice Department Press release: https://www.justice.gov/opa/pr/former-president-and-former-chief-legal-officer-publicly-traded-fortune-200-technology
2 FCPA Charges. Two executives indicted: http://www.fcpablog.com/blog/2019/2/15/cognizant-pays-25-million-to-resolve-fcpa-charges-two-former.html
3 Thomson Reuters’ Cost of Compliance Survey 2019: Nothing is certain except regulatory change: https://blogs.thomsonreuters.com/answerson/cost-of-compliance-survey-2019/
4 Kaspersky survey – job loss after breach: https://www.kaspersky.com/blog/data-protection-report/23824/
5 Corporate executives must face jail time…: https://www.washingtonpost.com/opinions/elizabeth-warren-its-time-to-scare-corporate-america-straight/2019/04/02/ca464ab0-5559-11e9-8ef3-fbd41a2ce4d5_story.html?noredirect=on&utm_term=.9fc6449d90cd
7 Largest NERC CIP Fine to date: What you need to know: https://forescout.com/company/blog/largest-nerc-cip-fine-to-date/
9 The FAIR Institute – Frequently asked questions: https://www.fairinstitute.org/frequently-asked-questions