By Deryck Mitchelson, EMEA Field Chief Information Security Officer, Check Point Software Technologies.
Nearly everyone trusts Google to keep information secure. You trust Google with your email. I use Google for my personal email. Yet, for three years – from 2015 to 2018 – a single vulnerability in the Google Plus platform resulted in the third-party exposure of millions of pieces of consumer data.
Google paid a settlement of $350M in a corresponding shareholder lawsuit, but most organizations cannot afford millions in settlements. For most organizations, this level of expenditure due to a breach is unthinkable. And even for larger organizations with financial means, constant cycles of breach-related lawsuits are unsustainable.
Yet, across the next few years, especially as organizations continue to place data into the cloud, organizations are likely to see a significant uptick in post-breach litigation, including litigation against CISOs, unless they adopt stronger cyber security protocols.
Litigation looms large
Organizations that have experienced data breaches are battling a disturbing number of lawsuits. In particular, privacy-related class actions against healthcare providers are taking off.
Globally, there were 2X the number of data breach victims in 2023 as compared to 2022.
In 2023 alone, breach-related class actions and government enforcement suits resulted in over $50 billion in settlement expenditures.
The Irish Health Service Executive, HSE, was severely impacted by a large cyber attack in 2021 with 80% of its IT services encrypted and 700 GB of unencrypted data exfiltrated, including protected health information. The HSE subsequently wrote to 90,936 affected individuals. It has been reported that the HSE is facing 473 data-protection lawsuits, and this number is expected to continue rising.
I recently spoke with a lawyer who specializes in data breach litigation. Anecdotally, she mentioned that breach-related lawsuits have grown by around 10X in the last year. This is becoming the new normal after a breach.
While organizations do win some of these lawsuits, courts have become increasingly sympathetic to plaintiffs, as data breaches can result in human suffering and hardship in the forms of psychological distress, identity theft, financial fraud and extortion. They can also result in loss of human life, but more about that later.
In courts of justice, an organization can no longer plead ‘we made an error or were unaware’, assuming that such a line will suffice. The World Economic Forum has found that 95% of cyber security threats can, in some capacity, be traced to human error. These cases are not complex. But the level of litigation shows that businesses are still making avoidable missteps.
To that effect, businesses need to not only start thinking about data protection differently, but also need to start operating differently.
Personal (and criminal) liability for CISOs
CISOs can be held personally liable, should they be found to have failed in adequately safeguarding systems and data that should be protected. At the moment, we’re not seeing much in the way of criminal liability for CISOs. However, if CISOs appear to have obfuscated the timeline of events, or if there isn’t full transparency with boards on levels of cyber risk, courts will indeed pursue a detailed investigation of a CISO’s actions.
Take, for example, a patch that would have fixed a “known critical vulnerability” and should have been applied immediately. If the organization hadn’t delayed, would it still have been breached?
Therefore, it is in CISOs’ best interest to record everything – every interaction, every time that they meet with the board, and every time that they’re writing a document (who said what information, what the feedback was, who has read it, what the asks are), as a proactive breach preparedness measure.
If a CISO ends up in litigation, he or she needs to be able to say ‘this risk was fully understood by the board’. CISOs will not be able to argue “well, the board didn’t understand the level of risk” or “this was too complex to convey to the board”; it is the CISO’s job to ensure that cyber risk is fully understood.
We’re starting to see a trend where CISOs are leaving organizations on the back of large breaches, which may mean that they knew their charter, but failed to take full responsibility and accountability for the organization’s entire cyber security program.
The consumer perspective
As a consumer, I would expect CISOs to know what their job is – to understand the attack surface and to map out where they have weaknesses and vulnerabilities. And to have a program in place to mitigate them.
But even if CISOs have a program in place to mitigate breaches, consumers can still come after them for a class action. Consumers can still argue that cyber security staff should have and could have moved faster. That they should have attempted to obtain additional investment funding from the board in order to remediate problems efficiently or to increase their operational capacity and capability to prevent the data breach.
The challenge CISOs face is that they’re trying to balance funding acquisition, the pace of change, innovation, and competitive advantage against actually ensuring that all security endeavors are done correctly.
A current case-study in liability
In Scotland, the National Health System of Dumfries and Galloway recently experienced a serious data breach. The attack led to the exposure of a huge volume of Personally Identifiable Information (PII). Reports indicate that three TB of sensitive data may have been stolen. As proof, the cyber criminals sent screenshots of stolen medical records to the healthcare service.
As expected, a ransom demand was not paid. The criminals have now leaked a large volume of data online. Having previously worked in NHS Scotland, I find such criminal activity, targeting sensitive healthcare information, deplorable. Will we now, similar to HSE, see already constrained taxpayers’ money being used to defend lawsuits?
Liability leverage with proper tooling
CISOs cannot simply put in tooling if it can’t stand up to scrutiny. If CISOs are looking at tooling, but less so at the effectiveness and efficacy of that tooling, then they should recognize that the probability of facing litigation is, arguably, fairly high. Just because tooling functions doesn’t mean that it’s fit for purpose.
With regard to tooling, CISOs should ask themselves ‘Is this tool doing what it was advertised as capable of?’ and ‘Is this delivering the right level of preventative security for the organization?’
Boards should also demand a certain level of security. They should be asking of CISOs, ‘Is the efficacy of what you’ve implemented delivering at the expected level, or is it not?’ and ‘Would our security have prevented a similar attack?’ We don’t see enough senior conversation around that. A lot of organizations fail to think in terms of, ‘We’ve got a solution in place, but is it actually performing?’
CISOs need to approach data the same way that banks approach financial value. Banks place the absolute best safeguards around bank accounts, investments, stocks and money. CISOs need to do the same with all data.
Third-party risk
One of the areas in which I often see organizations struggle is supply chain and third-party risk. As you’ll recall, in August of 2023, over 2,600 organizations that deployed the MOVEit app contended with a data breach.
What lessons around due diligence can be learned here? What more could organizations have done? Certainly, CISOs shouldn’t just be giving information to third parties to process. CISOs need to be sure that data is being safeguarded to the right levels. If it’s not, organizational leaders should hold CISOs accountable.
If the third party hasn’t done full risk assessments, completed adequate due diligence and understood the information that they’ve got, then consider severing the business connection or stipulate that in order to do business, certain security requirements must be met.
The best litigation defense
In my view, the best means of avoiding litigation consists of improving preventative security by leveraging a unified platform that offers end-to-end visibility across your entire security estate. Select a platform with integrated AI capabilities, as these will help prevent and detect a breach that may be in progress.
If an organization can demonstrate that they have deployed a security platform that adheres to industry best practices, that’s something that would enable an organization to effectively demonstrate compliance, even in the event of a data breach.
With cyber security systems that leverage AI-based mitigation, remediation and automation, the chances of a class-action will be massively reduced, as the organization will have taken significant and meaningful steps to mitigate the potentiality of a breach.
Reduce your organization’s breach probability, and moreover, limit the potential for lawsuits, criminal charges against your CISO and overwhelming legal expenditures.