Who Should Take the Blame for Data Breaches?

In October, our bi-weekly deep dives are going to focus on the topic of Accountability, Responsibility and Innovation in Cybersecurity. This week, we interviewed French Caldwell, Marketing Executive, Strategist and Industry Thought Leader at MetricStream. 

In one of our previous articles, we touched upon the role of international law in cybersecurity and why it is such a complicated legal issue. We asked French Caldwell, Chief Evangelist at MetricStream, for his insights into this problem. A graduate of the US Naval Academy, he began his career as a submariner in the nuclear navy and later served 15 years as Vice President and Fellow at Gartner, Inc. He emphasized that the international scope of cybersecurity extends to data protection and online privacy as well. “Cybersecurity is almost automatically extraterritorial. So for instance, when the state of California issued regulations about data breaches, any company that did business in California had to comply, wherever they were in the world! And this is the same with the European Union’s new General Data Protection Regulation (GDPR). It applies to anyone who has data on EU citizens, which is pretty much any company in the world.” This cross-border nature of cybersecurity means that a high level of cooperation is required if states really want equal data protection for their citizens.

With the GDPR replacing the European Data Protection Directive of 1995, the European Union leads the way in personal data protection. Applying from 25 May 2018, the Regulation needs no national transposition and raises the bar for personal data protection. While welcoming it as a great step, Mr Caldwell also drew attention to recent MetricStream research showing that many companies are paying far more attention to personal data protection than to overall cybersecurity, leaving a gap in the protection of intellectual property, state secrets and critical infrastructure. The GDPR, like most cybersecurity regulations around the globe, focuses almost exclusively on personal data while neglecting intellectual property and critical infrastructure. Mr Caldwell underlined that this division is not healthy. “It’s like we are protecting costume jewellery but we are leaving the crown jewels unsecured!” he explained.

Regardless of its flaws, many hail the GDPR as an important step towards a more secure cyber realm. Gadi Evron, Founder and CEO of Cymmetria, founding chairman of the Cyber Threat Intelligence Alliance and Chairman of the Board at the Israeli CERT, summarized the main takeaway of the latest US CISO conference in one sentence on social media: “GDPR, here too”. Although it might be a while until the United States follows the example of the EU, individual states can lead the way. California is a good example: it created the first security breach notification law and, leading by example, is also tightening its rules around “personal information”. The New York State Department of Financial Services’ cybersecurity regulations are another good example of state-level action. However, regulations alone cannot protect our privacy, and they do not answer the question: who is responsible when a breach happens?

The EU GDPR requires specific organisations to appoint a Data Protection Officer to ensure compliance with the regulation; however, it is questionable whether the responsibility for personal data protection should fall on one person’s shoulders. A study by Tanium and Nasdaq, entitled The Accountability Gap: Cybersecurity & Building a Culture of Responsibility, concluded that “an organization cannot leave the responsibility to technical leadership anymore: everyone from the top down should be held accountable for the consequences of cybersecurity vulnerability”. In another article, entitled Cybersecurity: A Shared Responsibility, Rand Beers, U.S. Under Secretary of Homeland Security for National Protection and Programs, clarified that ‘cybersecurity is a shared responsibility and each of us has a role to play. It only takes a single infected computer to potentially infect thousands and perhaps millions of others.’ Mr Caldwell was of a similar opinion and proposed that the concept of segregation of duties (SoD) might be a step towards minimizing human error. “It is similar to the idea that no one person can launch a nuclear missile,” he explained. “It requires two keys,” he added. “Perhaps organizations should look at two layers of human authentication for access to personal data sources, so in the event one person is hacked then that doesn’t give hackers access to all the thousands or millions of personal data records that the company has.” Companies should also assess their security continuously; as Mr Caldwell points out, training and education are nothing without testing them. “They have to be wondering – is this person trying to catch me? Embarrassment is a helpful tool.”
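The “two keys” idea above, dual control over bulk access to personal data, is easy to state and easy to get subtly wrong. The following is an added illustration, not code from MetricStream or from the article, of how such a gate can be enforced in software. The threshold, the required approver roles, the in-memory approval objects and the sample requests are all assumptions for illustration; a real deployment would issue approvals from an identity provider or ticketing system and bind them cryptographically rather than as plain objects.

```python
"""Dual-control ("two keys") gate for bulk access to personal data.

Added example, not code from MetricStream or the article. Everything here is
an assumption for illustration: the threshold, the required approver roles,
the in-memory approval records and the sample requests. A real deployment
would issue approvals from an IdP/ticketing system and bind them with
signatures, not plain objects.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values).
BULK_THRESHOLD = 1000                        # records; below this one person may act alone
REQUIRED_ROLES = ("data_owner", "security")  # each must be held by a different approver
APPROVAL_TTL = timedelta(hours=4)            # approvals are short-lived to limit replay


@dataclass(frozen=True)
class Approval:
    approver: str
    role: str
    request_id: str        # approval is bound to one specific request
    issued_at: datetime


@dataclass
class ExportRequest:
    request_id: str
    requester: str
    record_count: int
    approvals: list = field(default_factory=list)


def _distinct_holders(role_to_people, roles, used=frozenset()):
    """True if each role in `roles` can be assigned to a different person.

    This is what stops one account holding two roles from counting as two keys.
    """
    if not roles:
        return True
    head, rest = roles[0], roles[1:]
    return any(_distinct_holders(role_to_people, rest, used | {p})
               for p in role_to_people.get(head, set()) - used)


def authorize(req: ExportRequest, now: datetime):
    """Decide whether `req` may proceed. Returns (allowed, reason)."""
    if req.record_count < BULK_THRESHOLD:
        return True, "below bulk threshold"

    # Discard approvals that are for another request, stale, or self-issued:
    # a compromised requester account must not be able to approve itself.
    valid = [a for a in req.approvals
             if a.request_id == req.request_id
             and timedelta(0) <= now - a.issued_at <= APPROVAL_TTL
             and a.approver != req.requester]

    role_to_people = {}
    for a in valid:
        role_to_people.setdefault(a.role, set()).add(a.approver)

    if not _distinct_holders(role_to_people, REQUIRED_ROLES):
        return False, ("bulk access needs %s approvals from different people, "
                       "none of them the requester" % " + ".join(REQUIRED_ROLES))
    return True, "dual control satisfied"


def demo():
    """Constructed scenarios (hypothetical users); returns the decision for each."""
    now = datetime(2017, 10, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=10)
    stale = now - timedelta(hours=5)

    small = ExportRequest("r1", "alice", 50)
    good = ExportRequest("r2", "alice", 250_000, [
        Approval("bob", "data_owner", "r2", fresh),
        Approval("carol", "security", "r2", fresh)])
    self_approved = ExportRequest("r3", "alice", 250_000, [
        Approval("alice", "data_owner", "r3", fresh),   # requester approving herself
        Approval("carol", "security", "r3", fresh)])
    one_person_two_hats = ExportRequest("r4", "alice", 250_000, [
        Approval("bob", "data_owner", "r4", fresh),
        Approval("bob", "security", "r4", fresh)])      # same person, both roles
    replayed = ExportRequest("r5", "alice", 250_000, [
        Approval("bob", "data_owner", "r2", fresh),     # approval for a different request
        Approval("carol", "security", "r5", stale)])    # expired approval
    return {r.request_id: authorize(r, now)[0]
            for r in (small, good, self_approved, one_person_two_hats, replayed)}


if __name__ == "__main__":
    for rid, ok in demo().items():
        print(rid, "allowed" if ok else "denied")
```

The checks that matter are the ones attackers actually probe: the requester cannot be one of the approvers, one person holding both roles does not count as two keys, and an approval is bound to one request and expires, so a captured approval cannot be replayed against a later export. The small single-record request passes without ceremony, which is the point of a threshold: dual control is for the “millions of personal data records” case, not every lookup.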

Here, public and private organisations can learn a lot from each other. According to Mr Caldwell there is a significant difference in accountability between the private and the public sector. He pointed to the mismanagement of data by the Swedish government, which did not reveal its mistake for two years; the just-announced hack of corporate records at the U.S. Securities and Exchange Commission, which went a year before being reported; and the data breach at the United States Office of Personnel Management (OPM), in which identity information, Social Security numbers, names, dates and addresses of 21.5 million people were exposed along with detailed security-clearance background information. Although Katherine Archuleta, the director of OPM, resigned, no one was fired. Maybe implementing processes and tools already tested in the private sector is the way forward to ensure that this never happens again? Still, this is a drop in the bucket compared to the Yahoo breach, which affected more than 1 billion accounts.

When asked about the future of responsibility and accountability, Mr Caldwell painted a picture of “much tighter regulations and penalties.” “It is also possible to imagine legislation which implements criminal penalties for inadequate cybersecurity for the leadership of companies,” he added.

Károly Gergely
