After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the financial officers for not setting aside enough money for cyber defenses. The chief information officer begins to look for a scapegoat further down the supply chain. Maybe they fire a low-level employee who made a mistake or point to a vulnerability within a third-party vendor’s security system. Or, if the incident took place in the cloud, is the cloud provider or the data owner at fault?

People can toss blame around, but when a cyber incident occurs, someone will be legally liable. But who is it – a single person, a department or the entire company as a single entity?

Business Judgement Rule and Cybersecurity

After the SolarWinds cyber attack, shareholders decided to sue, claiming the company and its executives hyped corporate cybersecurity efforts although there was evidence the company leadership lacked an effective cybersecurity program. Cost-cutting measures came first, the lawsuit stated, and cybersecurity took a backseat to profits. The lawsuit targeted executives and the board of directors. It named names, with the CISO front and center. 

The Business Judgement Rule often protects high-level executives and boards of directors. The Business Judgement Rule, as defined by LawShelf, is “a standard of judicial review of corporate director and officer conduct.” However, because corporations fall under state jurisdiction rather than federal, the standards of how the Business Judgement Rule is enforced are not always the same.

“The rule protects officers and directors from liability where they have made decisions in good faith and using appropriate procedures, even if those decisions turn out to be poor or unwise,” LawShelf added. Or, in other words, mistakes made by those leading the company don’t make them liable for the damage inflicted. That is likely true whether the mistake is accidental or a harmful cost-cutting measure.

The question of how the Business Judgement Rule applies to cyber incidents came up in 2017, when shareholders sued Home Depot over its 2014 data breach. The suit questioned the competence of the company’s cybersecurity program. In particular, it noted that the breach occurred after Home Depot’s leadership disbanded a committee tasked with IT oversight. The judge found that employees had regularly updated the board of directors about IT and cyber risks. Because the board had made what the judge considered informed decisions regarding cybersecurity, the judge dismissed the suit.

Protecting the CISO From Liability

According to a webinar from CISO Series, one organization’s employee contract set up the CISO to be the “designated felon” if the company was the victim of a cyber incident. The company designed this contract to protect the rest of the executive team from legal and financial fallout. 

The CISO is first in line for blame, termination and legal responsibility for a cyber incident within the company. The CEO may get the public shaming, but internally, it is the CISO who has the most to lose.

That’s why lawyers encourage CISOs to approach employment contracts with legal ramifications in mind. Some suggest requesting a different title. The job duties are mostly the same, but different assumptions apply to someone in the C-suite than to a vice president of cybersecurity, or some similar title without the suggestion of top executive involvement. A lower title could provide a layer of job protection in the aftermath of a cyber incident. Others recommend a “golden parachute” written into the contract so that if the CISO is held liable and fired, their financial future is protected.

Individual Liability

Thanks to the Business Judgement Rule and other loopholes in the justice system, executives and boards of directors have largely gone unscathed in the legal aftermath of a cyber incident. The organization took the hit, but, legally, no one person or small group of people has been held liable. But now there are possible legal issues that could change that. 

Uber, for example, has been the victim of cyber incidents, but legal action raised the question of whether Uber’s own behavior was behind a data breach. The outgoing CEO faced consequences for not properly disclosing all the details surrounding the cyber incident. Does failure to report an incident put the legal onus on the person who shirked that duty?

Cyber attacks open companies up to legal chaos. A simple mistake by a low-level employee can have a big impact. Unless the intent was malicious, the law likely won’t hold that employee liable. But whether a court can hold the leader who makes the decisions about cybersecurity strategy liable for a breach is murky. This area of law and cybersecurity continues to evolve.
