A breach alone means liability

Usually someone must suffer injury for a company to be held liable in a security breach. Now, a breach alone is enough.

A security breach alone means liability

Rich Santalesa, a programmer turned writer and lawyer, brought an interesting turn of events to my attention last week. We need to pay heed: 

A litigant can have standing in a U.S. Federal breach case where no personal fraud or identity theft has yet occurred.

Usually, a litigant has to have suffered injury—a breach caused them identity theft or other fraudulent activity based upon information released in a security breach.

This means if you’re cracked, you can be liable if personally identifiable information is released, exfiltrated, absconded, whatever. It also means that should you believe the axiom that currently most of us are hacked, we’re in for a litigious treat. 

The C guys—CIOs, CISOs and CEOs—are now potentially on the hook even if nothing happens to stolen data. Didn’t find it on TOR or on the WeirdWebs? No matter. Article III standing means an elevated worth to assets in your organization. Can you use those assets to inflate your network, or are the assets a contingent liability to your bottom line?

I’m not a CPA or a lawyer, and I can’t answer either question with any value to you, kind reader. Instead, consider your newly minted status as future member of some future class of litigants. 

Will this improve systems security?

There arises a question: Is this a good or bad thing for people, who are like sheep to slaughter when it comes to protecting their personal information? For the people, it’s a great thing. It’s also good for lawyers. 

But will it make the urgency to secure systems even more prominent? Yes, at least I certainly hope so. I’m not trying to make security products, software vendors and consulting firms rich. Really. But they are corporations, and they won’t be goaded into action until it hurts the bottom line. 

I wish it were possible to make the decision also transferable to the U.S. government, which leaks data like a sieve and no one seems to care. The thoroughly hacked government OPM database is only the most prominent that we’ve seen, and that the various Democratic databases were cracked like an egg is yet another total embarrassment and reason to distrust government in general, and party IT specifically. That IT people should fall on their swords is, of course, out of the question—until they become personally liable or we can post their heads on the fence at 1600 Pennsylvania Blvd. in Washington, D.C.

I'm reminded of the sad comedy of F Troop, a bunch of misfits trying to fight each other. CEOs, like government officials in charge of data protection, have proven themselves to be bunglers when it comes to security. Their care for the personal assets of others ostensibly under their protection is abysmal. They don't care, and this new liability suddenly gives them a reason to really care: those people whose data was compromised have been injured, whether or not there's a specific fraud or theft associated with the data loss.

Indeed there are those who do care, do try their best, and they've been defeated in spite of incredible diligence because zero-days, mistakes and accidents do happen. I understand these. I've been making big mistakes in computing for three-plus decades. But there are those who really don't care, weren't diligent, weren't tenacious and didn't really think it was a big deal when assets in their care were absconded. They now have a new obstacle: Article III status as a federal litigant.

Copyright © 2016 IDG Communications, Inc.
