Executive Responsibility. According to a survey of 200 directors at publicly traded companies, four in 10 directors believe a CEO should “take the rap” for a data breach. To date, CEOs of high-profile companies have not been fired following a breach, but chief information officers and technology executives have lost their positions. Beth Jacob, the former Chief Information Officer at Target, resigned, and two top technology officers at the University of Pittsburgh Medical Center left months after the medical center’s announcement of a data breach affecting up to 62,000 employee records. To the best of our knowledge, no executives have been held personally liable for data breaches, but like boards, they are taking notice of the risk. Because executives play a large part in deciding where resources are spent, many are increasing their IT budgets and/or outsourcing IT in response to increasing cybersecurity risks.
IT Responsibility. It’s really easy to point the finger at an employer’s information technology department when a data breach occurs, and as mentioned above, heads have rolled because organizations have done just that. Certainly, the segregation of data and technological security systems falls squarely within an IT department’s area of expertise. As the federal Office of Personnel Management knows, however, the amount of support and resources given to IT by executives and the attention that all individuals within an organization give to IT’s warnings also play a part.
Manager Responsibility. Managers certainly have a role to play in ensuring that their organization does not suffer a data breach. Understanding, communicating, and enforcing security policies and practices are often a critical part of a manager’s job. As the Astros are learning the hard way, managers need to make sure, for example, that employees change passwords frequently and keep their passwords private to help protect sensitive data. Because they have day-to-day oversight of employees, managers represent the front line of cybersecurity. While not likely to be held personally liable for damages caused by a data breach, managers may be held responsible by their employers for failing to do an important part of their job, and may be subject to discipline or discharge.
Employee Responsibility. Despite protective measures put in place by corporate boards, executives, IT, and managers, data breaches continue to occur and accelerate, and employees are the source of the majority of those breaches. According to industry group CompTIA, 52 percent of data breaches are the result of human error. Failure to understand the nature and seriousness of the threat, combined with general carelessness, results in employees’ failure to follow security policies. Phishing scams, Trojan horses, and other social engineering tactics can cause a single employee to be the source of a data breach. All employees need to be trained and vigilant about cybersecurity issues. Like managers, employees are not likely to face legal liability for the damage caused by a security breach, but they could well face discipline or discharge for failure to abide by their employer’s policies.
Ultimately, cybersecurity is everyone’s responsibility. In speaking of the recent government hack, House of Representatives Oversight Committee Chairman Jason Chaffetz said, “OPM’s data security posture was akin to leaving all your doors open and windows unlocked and hoping nobody would walk in and take the information.” Employers need to educate all employees, as well as board members and business partners, to recognize their responsibilities and avoid risk.