Adapting to the Cyber Threat – Who Holds Liability?

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of tax payer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance  policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and persecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Cyber Security Video – Stop. Think. Connect

Students and faculty from Grand Valley State University created a video for the West Michigan Cyber Security Consortium and the US Department of Homeland Security’s campaign on cyber security called Tapping In – Stop. Think. Connect.  The information site for the video (including a link to the video) can be found here – Stop. Think. Connect.

It’s a clever video about the dangers of hackers, the importance of individual vigilance, and ways to maintain your own cyber security.  Overall the video is well done and the music is catchy, although I think the production is a bit long (five and a half minutes), leading to the message getting a back seat to the music.  I do like the characterization and the vignettes that drive the video and the overall message.  I’m hopeful they will edit down the piece to provide video segments a bit more palatable to our short attention spans and conducive to inclusion in advertising campaigns. 

More of this is needed.  The public at large seems to pay little attention to cyber security and the role that individuals play in it.  While data infiltrations of large corporations like Target get a great deal of media attention, hackers and phishing scams lead to data and identity theft of individuals on a daily basis. 

How do you promote cyber security in your organization or jurisdiction?  What materials and methods do you use to promote it?  Do you feel you are reaching your audience?  

© 2014 – Timothy Riecker