Fresh back from Cyber Future Foundation meeting at Davos, I have had time to reflect on many issues. First and foremost, the CFF event was amazing! What a great conversation with leaders in cybersecurity, compliance, insurance, and technology. Many great conversations were had, both on stage with a series of enlightening panel discussions, and off-stage with the attending leaders.
On reflection, one of the key topics of discussion was law and regulation impacting information systems and data, as well as the personal liability of the CISO. I have also gotten some discussion questions on my original blog on the SEC action against SolarWinds regarding the personal liability of a CISO when their actions are connected to a severe data breach. So, I wanted to follow up and provide some insight (I hope) to current and future CISOs regarding the current legal liability picture.
The Challenge of Hindsight
It has been suggested that the severity of the SolarWinds breach indicates that someone did something terribly wrong. Surely such a huge impact means that a crime was committed, no? Who among us has not witnessed a great injustice and thought “that ought to be illegal!”? The problem here, of course, is that there is no res ipso facto liability (criminal or civil) for a data breach based simply on the relative impact of the breach. That is, the mere fact that a severe data breach occurred does not indicate that a law was broken.
Even when 20/20 hindsight shows what appear to be glaringly obvious cybersecurity deficiencies, we must ask whether those same practices – at the time – were in accordance with the generally accepted standard of care. Were they, as the law says, “reasonable”? Unfortunately, there is not (yet) a single technical standard or checklist under the law that answers that question. Instead, this is the type of question of fact that is answered by juries when cases like this are tried.
The Cybersecurity Standard of Care
So, what is reasonable? And who decides? Well, as any good lawyer will tell you… It Depends. It depends on the type and nature of the data. It depends on the state of the art of cybersecurity controls and protocols (which, as we know, are constantly changing). And it depends on jurisdiction of the data, the data subjects (for personal data), information systems, and impacted systems.
This amorphous and changing standard of care does not create an easy environment in which a CISO can thrive. It is essential that qualified legal counsel is available to the company that can advise the CISO and other C-suite executives as well as the Board of Directors on what the legal risk is to the company and to the individuals working there. Qualified legal counsel will keep up to date on these changes, learn your business and the risks unique to it, and provide advice on risk mitigation, record keeping, and external communications. I have no idea what advice SolarWinds and Mr. Brown received while they made the decisions or whether they have evidence in their favor to refute the claims of the SEC (response is not yet available). I have, however, seen clients alter their course of action or communications after engaging on risk assessments – changes that are often easier to be agreed on by all stakeholders because of the red thread of “legal risk”.
Corporate Culture and Office Politics
That red thread of “legal risk” has been historically effective at driving corporate change. Whether it is reducing incidents of sexual harassment and protected class discrimination, or improving safe working conditions, the U.S. system of driving change through legal action has been slow but effective. Cases such as the SEC v. SolarWinds and U.S. v. Sullivan are a painful part of this evolution. Will it eventually drive technology companies away from a culture of “move fast and break things” to one that is truly “security by design and default”? I do not know.
Corporate decisions regarding cybersecurity often lack transparency and communication as to why specific decisions were made. Sometimes there is a legitimate reason for the silence; other times it is simply poor communication within the organization, due to a variety of other reasons. Because the Brown/SW response to the SEC complaint has not yet been filed, we do not know what risk assessments or reasons were behind the decisions that were made. I look forward to finding out what those were and whether they were made with the advice of counsel or input from stakeholders outside of the CISO organization. I would also be interested to know what the leadership expectations were regarding getting stakeholder and legal advice for such decisions. Did SolarWinds force Brown (and others) into silos? And if so, why? Was it to attempt to avoid liability at other levels? Or merely the egos and protectionism so often found in poorly led companies? Regardless of the cause, the existence of such silos may not bode well for a CISO who also lacks clear corporate policy and processes for cybersecurity risk and governance.
Highly siloed organizations – particularly when driven by ego and empire building – can be incredibly deleterious to cybersecurity risk management. CISOs in such organizations may feel the need to report only on successes, and not gaps. They may rely on checklist security controls, paperwork-based certification audits, or other metrics that demonstrate the existence of controls but not their effectiveness, and often eschew legal partnership as unnecessary given the engineering controls that their own team curated in order to pass an audit.
The Responsible CISO
Luckily, I do not see many CISOs (or other security professionals) who feel pressured for any reason to present only a world of kittens and rainbows. Most are far more likely to be painting pictures of doom, gloom, and existential risks in hopes of being able to be granted larger budgets, teams, and resources. The only time the overly rosy picture is painted is when CISOs are put in a marketing role, tasked with convincing customers that the company has adequate and appropriate security controls and practices in place. For the record, I do not recommend making the CISO wear a marketing hat.
But CISOs, like many proud employees, really do want to publicize the good work they do. Then it’s just a question of whether the company has invested in developing the right cybersecurity processes, systems, and controls to make that marketing possible given the legal risks of misleading advertising in this realm. Many times, however, this does not happen – companies market their security capabilities based on things like ISO certifications or SOC reports, without questioning whether the controls put in place to meet the certifications also meet the legal standard of care applicable to the specific system, software, or information that is at risk. The appropriateness of security controls under a legal standard is not equivalent to the existence of those controls for purposes of certification compliance – a fact that is often lost.
That last point also goes towards the fact that security culture and overall security operations are far bigger than just the CISO. This is one of the quintessential legal questions bearing on the personal liability of Brown as a question separate from the responsibility and liability of the corporation. The legal doctrine of respondeat superior, which holds a party responsible for the acts of its agents, means that it is the company that is responsible for the acts of its employees unless the employees are violating corporate policies, job requirements, or laws targeted at individuals. When examining the actions of Brown, one must ask whether he was operating as expected and in accordance with the policies and processes of his employer. I noticed that the SEC never claims that Brown acted outside the scope of his authority or in violation of corporate policies. This makes me wonder what action the SEC believes should be attributed to Brown outside of his role as a corporate agent, and it is one of the main reasons so many CISOs are becoming concerned about their personal risk.
The responsible CISO should look carefully at company policies and processes, and work to ensure that a qualified lawyer has reviewed them and advised on the legal risks associated with them. Where there is no documented policy or process, there is no evidence as to whether the CISO is acting in accordance with corporate requirements or merely on their own. And where policy and process have not been reviewed for legal effectiveness, both the company and its security leaders remain at risk of enforcement actions. Because, amidst all the uncertainty of this case, one thing is clear: the SEC intends to hold companies and their CISOs accountable for their security decisions.