Who is Responsible and Accountable for a Data Breach?

by Oct 19, 2020

One of the benefits of forming a corporation is that it provides a level of protection for the individuals who are making decisions regarding the operations and practices of the business or enterprise.

In many cases where corporate actions have caused environmental or consumer-safety problems, the corporation is the entity held liable. Upper management, whose decisions may have led to the financial and reputational penalties levied against the organization, has generally escaped individual responsibility for its role.

Why Corporate Penalties May Not Be Enough

Before digital data resources became so important and widely used, the activities that led to corporate fines were mainly those causing environmental damage or misleading consumers.

The enormous profits accrued by some corporations make even large financial penalties just a cost of doing business. The most expensive settlement ever reached by the U.S. Department of Justice is the more than $20 billion agreed to in the British Petroleum (BP) Deepwater Horizon oil spill case.

While this is certainly a large amount of money, it does not approach the profits made in one year by the energy supplier.

The point is that a corporation may consider a fine or financial settlement a gamble worth taking in the quest for profits. If the loss of a percentage of corporate profits is the only risk, many organizations have little incentive to worry about the implications of non-compliance with data privacy regulations and their associated penalties.

Some may see data breaches as an unfortunate part of doing business rather than a problem that demands an increased focus at all levels of an enterprise.

The problem is that data breaches can have far-reaching effects that impact the affected individuals for years. Paying a fine and offering free credit monitoring services has been the norm in addressing data breaches that put customers’ sensitive personal data at risk.

This recipe may need to be revisited. The prevalence of data breaches indicates that appropriate safeguards are not being implemented to protect data resources, and more drastic measures may be needed.

Holding Upper Management Accountable

One of the requirements of most data privacy and security regulations is prompt notification of the appropriate regulatory entities in the event of a data breach. Even though the breach itself may have been caused by the carelessness of a system administrator, the company’s upper management is responsible for making the notifications.

Recent events indicate that failure to perform this critical task may result in more than the loss of the offending executive’s job.

In a case that may be causing more than one CEO to lose a little sleep, the former Chief Security Officer (CSO) of Uber has been charged with two felonies related to a 2016 data breach that he failed to report.

If convicted, Joe Sullivan could face years in prison. In the aftermath of this case, executives are revisiting their exposure and responsibilities as they relate to corporate data breaches.

Chief Information Security Officers and CEOs need to establish policies that designate the reporting structure that accompanies a data breach before one occurs.

There should be no question about who makes the notification, who gets notified, and under what circumstances the communication must be made. Executives also need to determine what protections, if any, the company’s indemnity insurance provides.

Holding individual executives responsible for handling data breaches is intended to force management to strengthen data privacy and security practices throughout the organization. The CISO or designated executive must make the appropriate notifications that are designed to minimize the damage caused to those affected by the data being compromised.

The harm to a company’s reputation that may accompany reporting a data breach will be overshadowed by the possible criminal penalties for non-disclosure. That should make it easier for the executive team to make the correct decision regarding notification of a data breach.

Security Begins at the System Level

Large data breaches that require executives to report to regulatory agencies are often the result of small problems with data security and compliance that escape the notice of the IT department.

Eventually, these oversights result in sensitive data being compromised by malicious actors. Then it’s up to the management team to make their notifications so the affected individuals can be warned. It’s not a call that many executives look forward to making.

IDERA’s SQL Compliance Manager can help alleviate the data security and compliance issues surrounding your SQL Server environment and minimize the chances of a data breach. The tool lets you track and manage database compliance with multiple regulatory standards including HIPAA, GDPR, and PCI DSS.

Database audits keep you informed of who is accessing sensitive data and what they are doing with it. The tool also includes the ability to monitor and alert on suspicious activity so that a data breach can be caught before it happens.
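As an added illustration of the auditing the paragraph describes, the following T-SQL uses SQL Server's built-in audit feature to record who reads or changes data in a schema holding sensitive records, and then queries the audit log for recent access and for one simple anomaly pattern. This is example code written for this page, not IDERA's product or code; the audit name, the database `CustomerDB`, the schema `pii`, the file path, and the 500-statement threshold are assumed placeholders.

```sql
-- Added example, not IDERA's code: native SQL Server auditing of a schema
-- that holds sensitive data. All names and the path below are assumptions.
USE master;
GO
-- Audit destination: rolling files on disk; keep auditing even if a write fails
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO
-- Server-level events worth keeping alongside data access: failed logins
-- and permission changes that could widen access to sensitive tables
CREATE SERVER AUDIT SPECIFICATION SensitiveDataServerSpec
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE CustomerDB;
GO
-- Record every read and write against the schema that holds personal data,
-- by any principal (BY public covers all users)
CREATE DATABASE AUDIT SPECIFICATION SensitiveDataDbSpec
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::pii BY public)
    WITH (STATE = ON);
GO
-- Review: who touched sensitive objects in the last 24 hours and what they ran
SELECT event_time, server_principal_name, database_name, schema_name,
       object_name, action_id, succeeded, statement
FROM sys.fn_get_audit_file('D:\Audit\SensitiveDataAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
GO
-- Simple suspicious-activity check: a principal issuing an unusually high
-- number of SELECTs (action_id 'SL') against the pii schema within one hour.
-- The threshold of 500 is an assumed placeholder; tune it to normal workload.
SELECT server_principal_name, COUNT(*) AS select_count
FROM sys.fn_get_audit_file('D:\Audit\SensitiveDataAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'SL'
  AND schema_name = 'pii'
  AND event_time >= DATEADD(HOUR, -1, SYSUTCDATETIME())
GROUP BY server_principal_name
HAVING COUNT(*) > 500;
```

The second query is the kind of rule a scheduled job or a compliance tool can turn into an alert; the point for the breach-notification discussion above is that the audit trail is what lets management answer "who accessed what, and when" instead of guessing after the fact.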

Fully protecting data resources and conforming with all compliance regulations takes cooperation and teamwork throughout the IT environment. The steps taken by an organization’s DBAs can be instrumental in securing sensitive data and keeping upper management out of a spotlight they would prefer to avoid.