Data Breach Fallout: Do CISOs Need Legal Protection?

Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.

In the wake of a data breach, the company's top brass may go looking for someone to blame. If you are the security chief, chances are it's going to be you.

It doesn't matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you'll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company's security holes.

"One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn't following best practices and was making reporting discrepancies," says Moraetes, an independent consultant. "The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons."

For that reason, he believes security professionals would be wise to cover themselves with some form of legal protection, whether it's liability insurance or language in their contract that clearly places full responsibility for security decisions with the CEO.

But is liability protection appropriate for everyone? Some industry experts aren't so sure.

One big downside to the concept of liability protection is that it could end up shielding those who deserve to be on the hot seat. Rick Lawhorn, CISO for PLANIT Technology Group LLC - a technology service company whose clients range from commercial enterprises to state and local governments - says that some arrangements simply make it easier for IT personnel to save face following an incident or keep the wraps on the real state of insecurity in their organization.

Security issues are kept in the IT family for fear that radical changes will be requested, further taxing resources in most IT shops, he notes.

"In the rare chance that a security breach occurs or is detected, ignorance, finger pointing and scapegoats emerge to divert the attention away from the security shortcomings, allowing IT to continue the facade in hopes of covering up the real problems and concerns," Lawhorn says.

For those who are concerned about being protected from unfair blame, Moraetes and Lawhorn have some advice:

Moraetes recommends security professionals get some form of protection in writing before taking a CSO job. For instance, a written contract can state that ultimate responsibility lies with the executive who signs off on the security procedures the CSO has proposed.

"Within the organization, we have to find the risk, expose it and communicate it to upper management. We have to say 'here are the steps we must take to protect ourselves' and make them sign off on it. Make the executive responsible for accepting the risk," he says. Contract or not, he says CSOs would be wise to document as much of their security program as possible, including who approved or declined a proposed procedure. [Editor's note: One might find a downside to this approach, since the executive culture might not take kindly to the fact that you're documenting their decisions. But some managers do use sign-off forms for accepting business risk.]

Meanwhile, Moraetes says, CSOs have to start brushing up on legal matters they used to be immune from - the gathering of evidence, preparing for legal depositions in the event of an incident, and so on.

"These are things CSOs don't have much experience with today," he says. "They need training on how to deal with the legalities."

Lawhorn says security professionals must familiarize themselves with all the departments and functions within their organization and plant the seed of internal control. This requires, among other things, communicating with the company lawyers.

"CISOs are faced with the internal pressure not to allow security breaches to occur as well as drive the organization to demonstrate control," he says. "It is clear that the trend emerging to offset these issues is originating from the legal side of the house. In an attempt to mitigate liabilities, many CISOs are now finding that the traditional ways of implementing security in an organization are just not working. In fact, many companies forbid the security function to have open discussions with the legal and compliance teams in order to preserve the status quo or for political reasons."

In the final analysis, experts say, the best insurance policy for CSOs is a security program that keeps incidents from happening in the first place.

Dan Lohrmann, CISO for the State of Michigan, notes that his staff is adequately protected as long as the team is following industry and government security best practices. Besides, he says, state workers are self-insured.

"We have discussed this issue within Michigan state government and have been approached by outsiders offering breach and legal insurance protection, but we turned them down," says Lohrmann, who maintains the Lohrmann on GovSpace security blog on CSOonline. "State employees are [also] protected by the state Attorney General's Office, as long as we are performing our professional duties."

The threshold for lawsuits against the state is "gross negligence," a difficult level to prove in light of the state's security programs, he says.

Copyright © 2008 IDG Communications, Inc.