Breaches are a personal nightmare for corporate security pros

A data compromise opens up a world of legal and regulatory troubles

Beyond the compromise of valuable information, loss of revenues and damage to brand reputation, data breaches can pose a threat to the careers of security professionals involved: witness the sudden departures of both the CEO and the CIO of Target after last year’s compromise of 40 million customers’ credit cards.

While experts say there are no laws to hold CEOs, CIOs and CISOs personally responsible for damage done when networks are hacked, boards of directors can use their power to get rid of those they blame, and there’s not much security execs can do about that.

There are laws, though, that they should worry about because they affect the liability of the company as a whole for damages resulting from data loss, so these laws should be taken into consideration when designing defenses to thwart hacks, says Lisa Sotto, a New York attorney with Hunton & Williams. Customers affected by breaches bring lawsuits, and shareholders file suits that blame corporate leadership for falling stock prices, she says, factors that have to be juggled by the person charged with keeping data safe.

The trouble is that many of the relevant laws use general wording that has yet to be clarified by court decisions, making the task more difficult. “The CISO is the hardest