Who's Ultimately Responsible for Data Breaches? It Might be You


This morning, I received what has become a familiar email — a company that has my personal and financial information has suffered a data breach.

Today, it was Spotify, an online music streaming service with about 40 million active users, which announced the information of one user had been improperly accessed and warned all Android users to change their passwords. Last week, eBay sent a similar notice to as many as 145 million users, informing us a cyberattack may have compromised our login information and other non-financial data. And last fall, Target sent me several emails and letters apologizing for a massive data breach that exposed the credit and debit card information of 40 million of us.

The eBay and Target breaches have both sparked public ire as well as caught the attention of regulatory bodies. The U.S. Federal Trade Commission along with several states' attorneys general are investigating eBay, and the Target breach was investigated by the U.S. Department of Justice, Congress, the Secret Service and others.

For Target, the breach also led to executive upheaval. CIO Beth Jacob resigned in March, essentially taking the fall for the breach, reported The Wall Street Journal. However, with continued legal scrutiny, falling share prices and no rebound in consumer confidence in the retailer, CEO Gregg Steinhafel stepped down earlier this month, ending his 35-year career with Target, reported USATODAY. Other Target leaders are now in the crosshairs — this week the Institutional Shareholder Services, which provides advisory services to large shareholders on how to vote on corporate issues, urged Target's shareholders to vote out seven of the 10 members of the company's board directors, alleging they did not take adequate steps to prevent the breach, according to The Wall Street Journal.

The executive fallout from the Target breach shows the increasing importance of data security to all organizations — and that CEOs are ultimately responsible for ensuring consumers' information is protected.

A new report from security rankings provider BitSight Technologies shows healthcare CEOs in particular have reason to be concerned about cybersecurity. Of the four industries studied — finance, utilities, retail and healthcare and pharmaceuticals — the healthcare and pharmaceutical industry both experienced the largest number of data breaches in the past year and had the longest average response times to security incidents.

"In our recent assessment of medical devices used in clinics and hospitals around the country, weak encryption, lack of key management, poor authentication and authorization protocols and insecure communications were all common findings," said Chandu Ketkar, technical manger of security firm Cigital, in a statement regarding the report. "These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose healthcare providers and device manufacturers to regulatory and business risks."

For healthcare providers, these regulatory and business risks include HIPAA fines, like the record-setting $4.8 million paid by NewYork-Presbyterian and Columbia University following a breach, and lawsuits, like the one currently being faced by Downers Grove, Ill.-based Advocate Health Care after burglars stole four computers containing 4 million patients' information last year — repercussions that affect the entire organization, not just the CIO or IT department.

As the aftermath of the Target breach suggests, these regulatory and business risks will ultimately be the responsibility of the CEO and possibly board members as well. Therefore, CEOs and other leaders "cannot afford to not know what's going on" when it comes to cybersecurity, Craig Carpenter, chief cybersecurity strategist of AccessData Group, told The Wall Street Journal.CEOs and other leaders should engage, now, with data security and do what is necessary to ensure the protection of consumer data, as if their jobs depend on it.

© Copyright ASC COMMUNICATIONS 2021. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Subscribe to Our RSS Newsletter

Your Email:  

Featured Whitepapers

Featured Webinars