Legal and IT experts warn executives, as well as nonprofit and corporate boards, to prepare for increasing liability for cybersecurity breaches being placed on their shoulders. Bodies such as the Securities and Exchange Commission have repeatedly called on business leaders to take charge of their network security controls and to report potential breaches much more promptly. However, it has largely been left to the states to impose regulatory pressure behind these mandates.
This may change, even as states begin to directly penalize directors for data breaches. The SEC is taking greater responsibility for information security best practices, and some independent institutions believe that the federal government as a whole should be enforcing more stringent breach disclosure requirements. Momentum is building for legislation as comprehensive as the EU’s GDPR to be implemented in the US, and whatever form that law takes, it will likely be aimed at regulating the security role of leadership positions.
How Executive Practices Affect Network Security
All employees are cybersecurity liabilities, but executives are the most valuable targets for any hacker. Whether for corporate espionage, political objectives or simple theft, business leaders represent the best opportunity for the unprecedented data access many bad actors seek. C-level officers, depending on their exact position, can provide a gateway to financial, operational, engineering, human resources and many other types of confidential information that can be profitable for many types of cybercriminals.
Director Liability for Data Breaches
A growing number of public and private organizations are insisting that business leaders and corporate boards take greater control over cyber risk monitoring. The impact of network security complacency has become readily apparent to observers, with breach scandal after breach scandal demonstrating that data exposure brings considerable costs. Whether to comply with present or future government regulations or industry best practices, or to maintain consumer trust, stakeholders are going to continue demanding that executives prove cybersecurity is being taken seriously.
Regulating C-Level Cybersecurity Compliance
Every US state and almost every populated territory has some form of data breach notification law on the books. Just as with other widespread regulations, such as sales tax and gun laws, the exact requirements vary from state to state, but all create the basic obligation to protect personal consumer information (also known as personally identifiable information, or PII). Of course, the discrepancies between jurisdictions and the lack of unified federal oversight have allowed some companies to challenge the interpretation of their liability when it comes to breaches originating with third parties.
As can be seen in other cases, however, this has only been allowed to fly when businesses such as Monster explicitly state that the data will be in someone else’s hands. This is a loophole that regulations such as GDPR do not allow, and it also does not protect against consumer backlash or the actual consequences of these breaches. If and when federal agencies begin implementing universal data breach disclosure laws, executive leadership will likely be directly tasked with demonstrating security compliance.
Enforce Cybersecurity from the Bottom Up
Cybersecurity compliance, and even just general network protection, requires strengthening your human element. Educating yourself as well as your employees on what types of regulations and threats to expect goes a long way towards ensuring you avoid the consequences of either.
Download SWK’s white paper on global IT security compliance to learn what regulations to watch for, and how to prepare to face them.