In the United States today, the laws and regulations state that if an organization is hacked and its data is stolen, or if its records are exposed, then the organization will face restitution, fines, and even possible class action lawsuits. The at-fault organization can also face possible negligence charges. However, all of these consequences are minimal compared to the PR damage done and the job losses that inevitably occur.
In many cases, this is like having your wallet stolen by a criminal and the police charging you with negligence. The argument would be that you should not have been on the street in the first place; therefore, you are liable for the loss!
The liability rules hold little value if a data breach occurs in an educational, state, local, or federal organization. In fact, such organizations are often given a pass, leaving taxpayers responsible to cover the costs. I can recall many cases where the employees in charge of the data were not even let go (in contrast to what happens in public companies when resignations are demanded). One other story I know of was a case where an employee did a $2.5 Million wire transfer to an attacker as the result of a phishing attack. The employee did not follow protocols but was still not let go because of government tenure rules.
There are countless stories of this lack of accountability following a government data breach. Here is a list of the top 10 largest data breaches as of 2018, from Digital Guardian. The list, though a few years old, still demonstrates the size of the losses that these data breaches create.
State of Texas: 3.5 Million Affected (April 2011)
South Carolina Department of Revenue: 3.6 Million Affected (October 2012)
Tricare: 4.9 Million Affected (September 2011)
Georgia Secretary of State Office: 6.2 Million Affected (November 2015)
Office of the Texas Attorney General: 6.5 Million Affected (April 2012)
Virginia Department of Health Professions: 8.3 Million Affected (May 2009)
U.S. Office of Personnel Management (OPM): 21.5 Million Affected (June 2015)
U.S. Department of Veteran Affairs: 26.5 Million Affected (May 2006)
National Archives and Records Administration (NARA): 76 Million Affected (October 2009)
U.S. Voter Database: 191 Million Affected (December 2015)
The source of many of these attacks, and of the countless attacks on businesses, is more often than not not a criminal event at all. The organizations believed themselves to be completely protected and secure; in fact this was often a credible belief, because they often met the regulations and guidance imposed on them by security experts. However, the data establishes that there were in fact holes within their systems that allowed an attack to occur.
I am not saying that there is no occasional malicious activity by employees. But more often than not, a breach is the result of a malicious actor, either foreign or domestic, with the intent to steal data for financial and reputational gain.
The laws and regulations that continue to come out only apply more pressure on organizations to provide better data protections and response efforts should a breach occur. While this guidance is often a good starting point, it is not always enforceable, for a few reasons. First, the hardware and software platforms we use to house this data often contain security flaws. Those flaws can be either an unpatched flaw or an unknown zero-day hole. The technology manufacturers have almost no liability for security holes that lead to a data breach event, and the responsibility falls back on the organization.
Secondly, with the internet connections to our businesses being open to the world, we lack the ability to control inbound traffic. This is because we do not have control over which network connections are routed to us by our internet service provider. When you connect a business to the internet, you are at the mercy of these ISPs and the traffic that they send to you. As a result, when an attack occurs you are reliant on your firewall or DDoS mitigation device until you can convince your ISP to block the connection. This allows time for the attack to start coming in from another source in another country, or from multiple sources simultaneously. We simply cannot control where traffic coming into our network originates.
Third, people who work in technology and cyber security don't know what they don't know. It is impossible for a single person, or even a group of people inside an organization, to know everything needed to secure data. This requires expert advice from inside and outside sources. And even when you follow this guidance from experts and technology companies, there is still a chance of a data breach.
I think it is wrong to hold organizations liable for data breaches that occur when they are doing all that they can, and sometimes going above and beyond, only to still suffer an event. When I look at the laws and regulations being imposed on businesses, I notice that they are focused on consumer protections. And while consumer protection is important, it is also important to crack down on the criminals and foreign actors stealing the data. Breaking into a network is the equivalent of physically breaking into any business, and it should be prosecuted as such. If you profit from stolen items, either data or property, you should be held accountable for that action and forced to repay it. It was not yours to take.
As we enter an election cycle in the United States, I want to push our current and future leaders to take a hard look at the cyber security landscape and formulate a platform that protects businesses in this country and shifts the liability. We have to stop putting all of the pressure on the employers of the country and start giving our law enforcement the tools they need to catch the criminal actors, both foreign and domestic.
We should allow hack back against those that attack us. We need to pressure the ISPs to give us more control over the traffic hitting our networks and websites. Educational incentives should be provided to technology professionals to ensure that they are better equipped to secure data. Furthermore, we need to require organizations to get outside audits and penetration tests done on a regular basis by qualified testers who can give companies a roadmap to fix the holes that could cause an event. We need a place for organizations to go to when they are being attacked, one that can help them respond to the incident from a law enforcement perspective, just as we would report any other crime.
It is time we stopped punishing the victims of crime and started defending ourselves and our organizations. We should not punish organizations for existing. We should punish negligence and malicious employees, but not the ones that do all that they should be doing and merely lack awareness of something they do not know.