
Over the last few months, we’ve been talking about cybersecurity issues for employers. We’ve discussed the responsibilities and risks associated with personally identifiable information and the wave of lawsuits resulting from data breaches. With cyberattacks and internal data breaches topping the list of workplace fears, cybersecurity has never been a hotter topic. More and more employers, including the U.S. Government, have experienced such an attack. It’s time to start thinking about who in your organization has responsibility for cybersecurity, and who senior management and the courts will deem responsible if security fails.
Board of Directors Responsibility. U.S. government regulators point the finger at corporate board members as the individuals ultimately responsible for keeping corporate data (including personnel and consumer data) safe. As the U.S. government recovers from one of the largest personnel data breaches in history, it may be difficult to swallow federal guidance, given allegations of “gross negligence” and neglect of the government’s own systems by members of Congress and other observers. That said, corporate boards and individual board members have historically been held responsible for corporate inaction or negligence if it occurs as a result of a breach of the Board’s fiduciary duties. Boards are taking notice of their responsibility for cybersecurity, and cyber issues have been a top agenda item for many corporate boards.
Executive Responsibility. According to a survey of 200 directors at publicly traded companies, four in 10 directors believe a CEO should “take the rap” for a data breach. To date, CEOs of high-profile companies have not been fired following a breach, but chief information officers and technology executives have lost their positions. Beth Jacob, the former Chief Information Officer at Target, resigned, and two top technology officers at the University of Pittsburgh Medical Center left months after the medical center’s announcement of a data breach affecting up to 62,000 employee records. To the best of our knowledge, no executives have been held personally liable for data breaches, but like boards, they are taking notice of the risk. Because executives play a large part in deciding where resources are spent, many are increasing their IT budgets and/or outsourcing IT in response to increasing cybersecurity risks.
IT Responsibility. It’s really easy to point the finger at an employer’s information technology department when a data breach occurs, and as mentioned above, heads have rolled because organizations have done just that. Certainly, the segregation of data and technological security systems falls squarely within an IT department’s area of expertise. As the federal Office of Personnel Management knows, however, the amount of support and resources given to IT by executives and the attention that all individuals within an organization give to IT’s warnings also play a part.
Manager Responsibility. Managers certainly have a role to play in ensuring that their organization does not suffer a data breach. Understanding, communicating, and enforcing security policies and practices are often a critical part of a manager’s job. As the Astros are learning the hard way, managers need to make sure, for example, that employees change passwords frequently and keep their passwords private to help protect sensitive data. Because they have day-to-day oversight of employees, managers represent the front line of cybersecurity. While not likely to be held personally liable for damages caused by a data breach, managers may be held responsible by their employers for failing to do an important part of their job, and may be subject to discipline or discharge.
Employee Responsibility. Despite protective measures put in place by corporate boards, executives, IT, and managers, data breaches continue to occur and accelerate, and employees are the source of the majority of those breaches. According to industry group CompTIA, 52 percent of data breaches are the result of human error. Failure to understand the nature and seriousness of the threat, combined with general carelessness, results in employees’ failure to follow security policies. Phishing scams, Trojan horses, and other social engineering tactics can cause a single employee to be the source of a data breach. All employees need to be trained and vigilant about cybersecurity issues. Like managers, employees are not likely to face legal liability for the damage caused by a security breach, but they could well face discipline or discharge for failure to abide by their employer’s policies.
Ultimately, cybersecurity is everyone’s responsibility. In speaking of the recent government hack, House of Representatives Oversight Committee Chairman Jason Chaffetz said, “OPM’s data security posture was akin to leaving all your doors open and windows unlocked and hoping nobody would walk in and take the information.” Employers need to educate all employees, as well as board members and business partners, to recognize their responsibilities and avoid risk.
Posted by Kate Bischoff