[BreachExchange] A breach alone means liability

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 13 20:33:55 EDT 2016


http://www.networkworld.com/article/3128859/security/a-breach-alone-means-liability.html

Rich Santalesa, a programmer turned writer and lawyer, brought an
interesting turn of events to my attention last week. We need to pay heed:

A litigant can have standing in a U.S. Federal breach case where no
personal fraud or identity theft has yet occurred.

Usually, a litigant has to have suffered injury—a breach caused them
identity theft or other fraudulent activity based upon information released
in a security breach.

This means if you’re cracked, you can be liable if personally identifiable
information is released, exfiltrated, absconded, whatever. It also means
that should you believe the axiom that currently most of us are hacked,
we’re in for a litigious treat.

The C guys—CIOs, CISOs and CEOs—are now potentially on the hook even if
nothing happens to stolen data. Didn’t find it on TOR or on the WeirdWebs?
No matter. Article III standing means an elevated worth to assets in your
organization. Can you use those assets to inflate your network, or are the
assets a contingent liability to your bottom line?

I’m not a CPA or a lawyer, and I can’t answer either question with any
value to you, kind reader. Instead, consider your newly minted status as
future member of some future class of litigants.

Will this improve systems security?

There arises a question: Is this a good or bad thing for people, who are
like sheep to slaughter when it comes to protecting their personal
information? For the people, it’s a great thing. It’s also good for
lawyers.

But will it make the urgency to secure systems even more prominent? Yes, at
least I certainly hope so. I’m not trying to make security products,
software vendors and consulting firms rich. Really. But they are
corporations, and they won’t be goaded into action until it hurts the
bottom line.

I wish it were possible to make the decision also transferrable to the U.S.
government, which leaks data like a sieve and no one seems to care. The
thoroughly hacked government OPM database is only the most prominent that
we’ve seen, and that the various Democratic databases were cracked like an
egg is yet another total embarrassment and reason to distrust government in
general, and party IT specifically. That IT people should fall on their
swords is, of course, out of the question—until they become personally
liable or we can post their heads on the fence at 1600 Pennsylvania Blvd.
in Washington, D.C.

I'm reminded of the sad comedy of F Troop, a bunch of misfits trying to
fight each other. CEOs, like government officials in charge of data
protection, have proven themselves to be bunglers when it comes to
security. Their care for the personal assets of others to be ostensibly
under their protection is abysmal. They don't care, and this new liability
suddenly gives nexus for a reason to really care: those people whose data
was compromised have been injured, whether there's a specific fraud or
theft associated with the data loss.

Indeed there are those who do care, do try their best, and they've been
defeated in spite of incredible diligence because zero-days, mistakes and
accidents do happen. I understand these. I've been making big mistakes in
computing for three-plus decades. But there are those who really don't
care, weren't diligent, weren't tenacious and didn't really think it was a
big deal when assets in their care were absconded. They now have a new
obstacle: Article III status as a federal litigant.