Over the past year or so, even the past few months, we have seen a huge increase in high-visibility hacks and cyber attacks. Among the highest-profile attacks are:
- Target department stores suffered the theft of credit card holder data
- The US government suffered a huge theft of government employees' information, as well as theft of taxpayer data from the IRS
- And, just recently, the theft and subsequent public release of information of Ashley Madison account holders.
While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents. This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings. We have recently seen some insurance companies offering cybersecurity policies. I’m not knowledgeable about the terms and conditions of these policies, but I’m hopeful policyholders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack. Presumably, the insurance policy covers financial losses to the company and perhaps even litigation. Consumers have a variety of protections available for identity theft offered through banks and credit cards.
With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies. Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss. The same can be held true for those whose data was stolen from the Target and US government hacks. Those individuals trusted and were generally assured that their personal and financial information would be protected. These assurances place a liability on the entity that holds their information. However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.
I’m convinced that any system can eventually be hacked and suffer either data loss or data theft. Unlike a natural disaster, intentional human-caused incidents include the factor of persistence. Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts. Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while. While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.
Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and prosecuting these attackers. Even if the perpetrators are found and convicted, is there still a shared liability among other parties?
With climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects. We are finally shifting to a new philosophy of adaptation. While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability. This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans. Incidents will occur. While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, they do occur.
While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity. I welcome your thoughts and ideas on this.
© 2015 – Timothy Riecker
Emergency Preparedness Solutions, LLC