June 20, 2022 By Sue Poremba 3 min read

After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not budgeting enough for cyber defenses. The chief information officer looks for a scapegoat further down the chain: perhaps a low-level employee who made a mistake is fired, or a vulnerability in a third-party vendor's systems is singled out. And if the incident took place in the cloud, is the cloud provider or the data owner at fault?

People can toss blame around, but once a cyber incident occurs, the question of legal liability follows. Who answers for it: a single person, a department or the entire company as a single entity?

Business judgement rule and cybersecurity

After the SolarWinds cyber attack, shareholders sued, claiming the company and its executives had hyped their cybersecurity efforts despite evidence that leadership lacked an effective cybersecurity program. Cost-cutting came first, the lawsuit alleged, and cybersecurity took a backseat to profits. The suit targeted executives and the board of directors. It named names, with the CISO front and center.

The Business Judgement Rule often shields high-level executives and boards of directors. LawShelf defines it as “a standard of judicial review of corporate director and officer conduct.” However, because corporate law is largely a matter of state rather than federal law, how courts apply the rule is not the same everywhere.

“The rule protects officers and directors from liability where they have made decisions in good faith and using appropriate procedures, even if those decisions turn out to be poor or unwise,” LawShelf adds. In other words, a mistake by those leading the company does not by itself make them liable for the resulting damage. That is likely true whether the mistake was an oversight or a deliberate cost-cutting decision, as long as it was made in good faith through a proper process.

The rule's application to cyber incidents was tested when shareholders sued Home Depot after its 2014 data breach. The suit questioned the competence of the company's cybersecurity program. In particular, it noted that the breach occurred after Home Depot's leadership disbanded a committee tasked with IT oversight. The judge found that employees had regularly updated the board of directors about IT and cyber risks. Because the board had made what the judge considered informed decisions regarding cybersecurity, the suit was dismissed.

Protecting the CISO from liability

According to a webinar from CISO Series, one organization's employment contract set up the CISO to be the “designated felon” if the company fell victim to a cyber incident. The contract was designed to shield the rest of the executive team from legal and financial fallout.

The CISO is first in line for blame, termination and legal responsibility for a cyber incident within the company. The CEO may get the public shaming, but internally, it is the CISO who has the most to lose.

That's why lawyers encourage CISOs to negotiate employment contracts with legal ramifications in mind. Some suggest requesting a different title. The job duties are largely the same, but an officer-level title carries different assumptions about authority and responsibility than “vice president of cybersecurity” or a similar title that does not imply top-executive involvement, and that distinction could provide a layer of protection in the aftermath of a cyber incident. Others recommend writing a “golden parachute” into the contract so that if the CISO is held responsible and fired, their financial future is protected.

Individual liability

Thanks to the Business Judgement Rule and similar protections, executives and boards of directors have largely gone unscathed in the legal aftermath of cyber incidents. The organization took the hit, but, legally, no one person or small group of people was held liable. Recent cases suggest that could change.

Uber, for example, has been the victim of cyber incidents, but subsequent legal action turned on Uber's own conduct after a breach rather than on the breach itself. The company's former chief security officer was fired and later criminally charged over the handling of a 2016 breach, including the failure to properly disclose it. Does failure to report an incident put the legal onus on the person who shirked that duty?

Cyber attacks open companies up to legal chaos. A simple mistake by a low-level employee can have a big impact. Unless the intent was malicious, the law likely won’t hold that employee liable. But whether a court can hold the leader who makes the decisions about cybersecurity strategy liable for a breach is murky. This area of law and cybersecurity continues to evolve.
