Adapting to the Cyber Threat – Who Holds Liability?

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of taxpayer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and prosecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Most Disasters are NOT Extraordinary Occurrences – OR Crowdsourcing Volunteers

I listen to A LOT of podcasts.  While some are focused on emergency management and homeland security, most are pop culture related and have nothing at all to do with EM/HS.  At least not directly.

Listening to a recent podcast, it struck me how often the hosts mention disaster-related occurrences.  During this podcast there were several mentions of disaster-related issues including the Louisiana theater shooting (which was breaking news while they were recording) and the Tom Selleck legal drama in California over stolen water (which ultimately relates back to their drought issues).  The same podcasters (one of whom is in New England, the other in the National Capital Region) often comment through the year on weather-related incidents which impact them and others including winter storms, flooding, and warmer weather storm damages.

The point is that most disasters are not extraordinary occurrences.  Routine incidents aside, some measure of disaster occurs fairly regularly, certainly around the world and even just within any of our nations.  Turn on the news tonight and see for yourself.  So WHY, I ask, is there such a mentality with the general public (and maybe even with us public safety types) about disasters being out-of-the-ordinary occurrences?  Sure they don’t happen within our own jurisdiction every day, but they happen somewhere EVERY DAY.  I’m not saying we have to be paranoid about it, but I see the COMPLACENCY getting WORSE.  We discuss preparedness often, and the aspect of getting the public better engaged in preparedness almost as much, yet we have yet to see real, meaningful success in this.

We’ve recently seen a bit of a paradigm shift in how we deal with climate change (insert groaning sound here).  For many years we tried to prevent it, as if we could.  The reality is that part of it is influenced by the actions of humanity and part of it by the natural cycle of our planet.  There are things we simply shouldn’t be doing and we still need to work on those, but we have also come to grips with the inevitability of the impacts.  We have realized that they will happen no matter what we do and we have decided that we need to ADAPT in order to survive.

Adaptation is an important realization for us (I’m now speaking in generality – not just climate change issues).  If there are things that we pound our heads against the wall over in futility, such as public engagement, maybe we are doing it all wrong?  I’m not saying that we stop trying to engage the public.  There are certainly successes we have seen, but I don’t think we are seeing the return on investment we should be.

Let’s look at society today.  People seem to have less time ability interest in volunteering or committing to efforts ahead of time.  We have to understand and acknowledge that first and foremost.  Have we turned into soulless uncaring creatures?  No, of course not.  We have just seen a shift in culture.  Trying to fight this culture is foolish.  Instead, we need to adapt.  How do we adapt?

Social media is the greatest embodiment of our need for instantaneous information and feedback.  It doesn’t take much preparation (download some apps, create accounts, find friends).  The vast majority of the information that rolls across the screen is crap, but every once in a while there is a worthwhile nugget that will garner some responses.  Sometimes (usually disasters or a new statement by Donald Trump) information that comes across garners a great deal of attention and people want to take action.  Do they know how to take meaningful action?  Often not.  But they will follow along with the good ideas of others (aka leaders).

Let’s broaden this concept within public engagement.  What this essentially comes down to is managing spontaneous volunteers – a concept we have seen much need for in EM for years.  I think we need to emphasize this more than ever.  We also need to update the way we think about it.  These spontaneous volunteers will not only show up at town hall, the fire house, local diner, or house of worship; they will show up online via Twitter and Facebook.  They will be locals, they will be from out of state, across the country, or across the planet.  ALL of them can be engaged.  Let’s crowdsource volunteers in emergency management.  We just need to identify how to engage them.  Identify gaps and figure out how these good-natured people can fill those gaps with little to no upfront investment of time or effort on their part.  Build plans that address spontaneous volunteer engagement – both in the physical aspect as well as virtual.  Train to these plans and test these plans.  Let’s stop struggling against old ways of thinking.  Improvise, adapt, and overcome.

As always, I’d love to hear your thoughts on this.

I do want to take a moment to thank my followers and readers – something I don’t do enough of.  Your support and comments are greatly appreciated.  Also, if you like my blog, spread the word.  Please feel free to forward/repost/retweet to friends, family, colleagues, and complete strangers.
