Beyond the compromise of valuable information, loss of revenues and damage to brand reputation, data breaches can pose a threat to the careers of security professionals involved: witness the sudden departures of both the CEO and the CIO of Target after last year’s compromise of 40 million customers’ credit cards.
While experts say there are no laws to hold CEOs, CIOs and CISOs personally responsible for damage done when networks are hacked, boards of directors can use their power to get rid of those they blame, and there’s not much security execs can do about that.
There are laws, though, that they should worry about because they affect the liability of the company as a whole for damages resulting from data loss, so these laws should be taken into consideration when designing defenses to thwart hacks, says Lisa Sotto, a New York attorney with Hunton & Williams. Customers affected by breaches bring lawsuits, and shareholders file suits that blame corporate leadership for falling stock prices, she says, factors that have to be juggled by the person charged with keeping data safe.
The trouble is that many of the relevant laws use general wording that has yet to be clarified by court decisions, making the task more difficult. “The CISO is the hardest