Security professionals like to prognosticate about what we need to do for better security, but we continue to see millions, and sometimes billions, of records of personal information laid bare for the world to see. From 2012 through to the present day, we’ve seen a cavalcade of notices almost on a daily basis, and data breaches are nothing new for the wider population.
Twitter tries to stem the tide of breached records by removing tweets pointing to data dumps—in some cases, disabling accounts—but this is a misguided attempt to stop the sharing of such information. That’s the real difficulty with so many of these proposed security “fixes”—they don’t work. This approach seems oddly reminiscent of the Great Oz commanding that no one should look behind the curtain, or patching a leaky pipe with gauze. They have limited effects that do more to keep up appearances, and they have zero long-term viability.
They are more paving stones on the road to...well, you get the idea.
Recently, US Senator and presidential candidate Elizabeth Warren waded into the fray with the Corporate Executive Accountability Act. The idea behind this proposed bill is to amend Title 18, which is the US criminal code, to “establish criminal liability for negligent executive officers of major corporations, and for other purposes.”
On the surface, one would have a visceral reaction of nodding heads and thinking, “Yeah, that,” but this is a very slippery slope indeed.
The penalty phase in the legislation is the juicy part, for sure. An executive officer can be fined “in accordance with title” and/or sentenced to one year in prison for a first offense, and for a second offense or worse, can receive a fine and/or three years in prison. These punitive measures are aimed directly at companies making over a billion dollars in annual revenue.
Fighting for the underdog and holding corporations accountable is the idea here, but the proposal really misses the mark. The intent is admirable, but the devil is always in the details. This will not stop data breaches. Worse, changes such as this provide for theatrics as opposed to real change.
Data breaches will continue to happen whether or not there are C-suite types being sent off to the big house. This really evokes the image in my mind of Henry the VIII shouting “Off with his head!”
The C-suite has a fiduciary responsibility to ensure that steps are taken, but they’re not the people with hands on the keyboards. Corporations, regardless of size, do not want to suffer a data breach. It’s counter to their mission. As opposed to incentivizing the C-suite, the prospect of jail time will simply galvanize them to build out litigious armies to counter any possible perceived transgression.
This plays directly into the fear, uncertainty and doubt approach. Albeit aimed at senior management, it will serve little purpose other than to instill fear as opposed to democratizing security.
It will, however, go a long way toward combating scams against consumers. This is why there needs to be a greater level of clarity around the text of the bill.
I keep dwelling on the phrasing “for other purposes” in the proposed text. The potential for abusing this is not something to be dismissed. It’s a broad brush that has been applied. Case in point, the passage that reads “(ii) that affects the health, safety, finances, or personal data of - (I) not less than 1 percent of the population of the United States or (II) not less than 1 percent of the population of a State;”
So imagine, if you will, that there has been a data breach where the attackers utilized a zero-day against a corporation. The burden is on the organization to demonstrate that it took all the necessary steps to gird itself against attack. Fair enough. But this could quickly devolve into a game of political retaliation in the event that a corporation had run afoul of a particular politician or party. The checks and balances need to be clearly articulated.
On April 10th, the CEOs of multiple financial institutions, such as Citigroup, JP Morgan, Bank of America and a parade of others, were called to testify before Congress. While they took their grilling on pay equity and other topics, they did talk about cyber security risks. The CEO of State Street, Ron O’Hanley, pointed out that cyber risk is a clear and present danger. While many CEOs will share that sentiment, they need to put their money where their mouths are from a security perspective, lest they suffer the slings and arrows of pending legislation.