On 15 December, teissTalk host Geoff White was joined by Paul Lanois, Director, Fieldfisher; and Benjamin Benhan, Privacy Counsel Global Operations, Ebay.
Views on news
Most often, it is the Chief Information Security Officer (CISO) or Chief Security Officer (CSO) who is held responsible for a cyber-attack, because protecting the network infrastructure is their job. Yet the most common sources of data breaches and other cyber incidents are employee-originated: weak passwords, phishing emails and social engineering.
Increasingly, the CISO has become the fall guy. Not only are CISOs losing their jobs, they are also facing personal legal liability for their organizations' data breaches, as their fiduciary duties come under growing scrutiny. Notably, a CISO's duty to report a breach to an outside agency is not written into the letter of the law. In Uber's case, where legal action was taken against the company's CISO, the breach was not reported to any agency, but the CISO did report it to both the CEO and the Chief Legal Officer. Shared responsibility across the top management team would have been fairer in Uber's case, but CISOs make convenient scapegoats.
They can be held responsible for a breach and dismissed even when the incident took place before they started in the role (the Marriott data breach is a good example). Responsibility, in other words, attaches to the role rather than the person.
It therefore makes sense for a CISO starting a new job to be inquisitive and to get up to speed both with what happened before they arrived and with what is happening as they take up the position.
How can CISOs mitigate the risks that come with the role?
In the wake of the Uber case, CISOs must consider not only the technical details of how the company will respond to an attack, but also which response actions, such as negotiating with the attackers, could later be treated as a crime.
Liability insurance can protect CISOs, but before taking it out it must be established what data is at stake, because the scope of cover will depend on the number of users and on the jurisdictions the CISO is responsible for. In the US there is no statutory obligation on the CISO to report a breach; even so, the policy must cover the situation where a CISO reports a breach in good faith but was not aware of its full extent at the time of reporting.
The key question when judging a CISO's actions after a breach is whether they acted in good faith and met their fiduciary responsibilities to the company. In 2021 the US Securities and Exchange Commission (SEC) fined Pearson, a UK-based publishing and education company, for misleading statements and omissions about its 2018 data breach, in which millions of student usernames, scrambled passwords and administrator login credentials were stolen.
In many countries, however, public policy prevents insurance from being used to pay fines, because that would negate the concept of personal responsibility.
Meanwhile, virtual CISOs, a model increasingly used by small and medium-sized companies, are responsible not for one company but for a number of clients they hold contracts with. Had Uber used a virtual CISO at the time of the data breach, the Chief Legal Officer and the CEO might have had to go to court too.
The panel’s advice
When starting a new role, find out whether the business carries liability insurance, what will happen when the worst-case scenario occurs, and whether you will receive legal and financial support.
Also discuss your reporting obligations to regulators and other agencies, and how you will be involved in deciding which incident response strategy to follow when a breach happens.
The security team must communicate a great deal during an incident response effort, and should do so in writing in order to leave a clear audit trail.
It is a good idea for CISOs to retain their own external legal counsel, as the corporate legal department is there to protect the interests of the company, not the individual.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543