June 20, 2022 By Sue Poremba 3 min read

After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not setting aside enough money for cyber defenses. The chief information officer begins to look for a scapegoat further down the supply chain. Maybe they fire a low-level employee who made a mistake or point to a vulnerability within a third-party vendor’s security system. Or, if the incident took place in the cloud, is the cloud provider or the data owner at fault?

People can toss blame around, but when a cyber incident occurs, someone will be legally liable. But who is it – a single person, a department or the entire company as a single entity?

Business judgement rule and cybersecurity

After the SolarWinds cyber attack, shareholders decided to sue, claiming the company and its executives hyped corporate cybersecurity efforts although there was evidence the company leadership lacked an effective cybersecurity program. Cost-cutting measures came first, the lawsuit stated, and cybersecurity took a backseat to profits. The lawsuit targeted executives and the board of directors. It named names, with the CISO front and center.

The Business Judgement Rule often protects high-level executives and boards of directors. The Business Judgement Rule, as defined by LawShelf, is “a standard of judicial review of corporate director and officer conduct.” However, because corporations fall under state jurisdiction rather than federal, the standards of how the Business Judgement Rule is enforced are not always the same.

“The rule protects officers and directors from liability where they have made decisions in good faith and using appropriate procedures, even if those decisions turn out to be poor or unwise,” LawShelf added. Or, in other words, mistakes made by those leading the company don’t make them liable for the damage inflicted. That is likely true whether the mistake is accidental or a harmful cost-cutting measure.

The question of the Business Judgement Rule in cyber incidents came up in 2017. Shareholders sued Home Depot after its 2014 data breach. The suit questioned the competence of the company’s cybersecurity program. In particular, it noted the breach occurred after Home Depot’s leadership terminated a committee tasked with IT oversight. The judge ruled that employees regularly updated the board of directors about IT and cyber risks. Because the board made what the judge considered informed decisions regarding cybersecurity, the judge dismissed the suit.

Protecting the CISO from liability

According to a webinar from CISO Series, one organization’s employee contract set up the CISO to be the “designated felon” if the company was the victim of a cyber incident. The company designed this contract to protect the rest of the executive team from legal and financial fallout.

The CISO is the first in line for blame, termination and legal responsibility for a cyber incident within the company. The CEO may get the public shaming, but internally, it is the CISO who has the most to lose.

That’s why lawyers encourage CISOs to approach employment contracts with legal ramifications in mind. Some suggest requesting a different title. The job duties are mostly the same, but there are different assumptions when someone is part of the C-suite versus a vice president of cybersecurity, or some similar title without the suggestion of top executive involvement. It could provide a layer of job protection in the aftermath of a cyber incident. Others recommend a “golden parachute” written into the contract so that if the CISO is held liable and fired, their financial future is protected.

Individual liability

Thanks to the Business Judgement Rule and other loopholes in the justice system, executives and boards of directors have largely gone unscathed in the legal aftermath of a cyber incident. The organization took the hit, but, legally, no one person or small group of people has been held liable. But now there are possible legal issues that could change that.

Uber, for example, has been the victim of cyber incidents, but legal action posed the question of whether Uber’s own behavior was behind a data breach. The outgoing CEO faced consequences for not properly disclosing all the details surrounding the cyber incident. Does failure to report an incident put the legal onus on the person who shirked that duty?

Cyber attacks open companies up to legal chaos. A simple mistake by a low-level employee can have a big impact. Unless the intent was malicious, the law likely won’t hold that employee liable. But whether a court can hold the leader who makes the decisions about cybersecurity strategy liable for a breach is murky. This area of law and cybersecurity continues to evolve.
