After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not setting aside enough money for cyber defenses. The chief information officer begins to look for a scapegoat further down the supply chain. Maybe they fire a low-level employee who made a mistake or point to a vulnerability within a third-party vendor’s security system. Or, if the incident took place in the cloud, is the cloud provider or the data owner at fault?

People can toss blame around, but when a cyber incident occurs, someone will be legally liable. But who is it – a single person, a department or the entire company as a single entity?

Business judgement rule and cybersecurity

After the SolarWinds cyber attack, shareholders decided to sue, claiming the company and its executives hyped corporate cybersecurity efforts although there was evidence the company leadership lacked an effective cybersecurity program. Cost-cutting measures came first, the lawsuit stated, and cybersecurity took a backseat to profits. The lawsuit targeted executives and the board of directors. It named names, with the CISO front and center.

The Business Judgement Rule often protects high-level executives and boards of directors. The Business Judgement Rule, as defined by LawShelf, is “a standard of judicial review of corporate director and officer conduct.” However, because corporations fall under state jurisdiction rather than federal, the standards of how the Business Judgement Rule is enforced are not always the same.

“The rule protects officers and directors from liability where they have made decisions in good faith and using appropriate procedures, even if those decisions turn out to be poor or unwise,” LawShelf added. Or, in other words, mistakes made by those leading the company don’t make them liable for the damage inflicted. That is likely true whether the mistake is accidental or a harmful cost-cutting measure.

The question of the Business Judgement Rule in cyber incidents came up in 2017. Shareholders sued Home Depot after its 2014 data breach. The suit questioned the competence of the company’s cybersecurity program. In particular, it noted the breach occurred after Home Depot’s leadership terminated a committee tasked with IT oversight. The judge ruled that employees regularly updated the board of directors about IT and cyber risks. Because the board made what the judge considered informed decisions regarding cybersecurity, the judge dismissed the suit.

Protecting the CISO from liability

According to a webinar from CISO Series, one organization’s employee contract set up the CISO to be the “designated felon” if the company was the victim of a cyber incident. The company designed this contract to protect the rest of the executive team from legal and financial fallout.

The CISO is the first in line for blame, termination and legal responsibility for a cyber incident within the company. The CEO may get the public shaming, but internally, it is the CISO that has the most to lose.

That’s why lawyers encourage CISOs to approach employment contracts with legal ramifications in mind. Some suggest requesting a different title. The job duties are mostly the same, but there are different assumptions when someone is part of the C-suite versus a vice president of cybersecurity, or some similar title without the suggestions of top executive involvement. It could provide a layer of job protection in the aftermath of a cyber incident. Others recommend a “golden parachute” written into the contract so if the CISO is held liable and fired, their financial future is protected.

Individual liability

Thanks to the Business Judgement Rule and other loopholes in the justice system, executives and boards of directors have largely gone unscathed in the legal aftermath of a cyber incident. The organization took the hit, but, legally, no one person or small group of people has been held liable. But now there are possible legal issues that could change that.

Uber, for example, has been the victim of cyber incidents, but legal action posed the question if Uber’s own behavior was behind a data breach. The outgoing CEO faced consequences for not properly disclosing all the details surrounding the cyber incident. Does failure to report an incident put the legal onus on the person who shirked that duty?

Cyber attacks open companies up to legal chaos. A simple mistake by a low-level employee can have a big impact. Unless the intent was malicious, the law likely won’t hold that employee liable. But whether a court can hold the leader who makes the decisions about cybersecurity strategy liable for a breach is murky. This area of law and cybersecurity continues to evolve.