Data Breach Accountability and Responsibility: Who Gets Blamed for Data Breaches?

It seems like every other week there are headlines about another major company suffering a massive data breach, exposing the personal information of millions of users. One of the more recent examples—and arguably the most devastating—is the massive Equifax data breach.

Analysts estimate this breach exposed the sensitive data of 143 million people in the United States, including their Social Security numbers, birth dates, and addresses. Although Equifax CEO Richard Smith stepped down soon after the breach was identified, those affected are sure to feel the repercussions long after news of the incident fades.

The Equifax data breach has opened a lot of people’s eyes to the reality of how severe the impact of cyber attacks can be. This has raised important concerns for many businesses: if it happens in my organization, who exactly is to blame?

Pinpointing Security Flaws

Once a data breach is discovered, companies spend a considerable amount of money determining its source. According to the 2017 Cost of Data Breach Study, it costs U.S. organizations an average of $1.07 million in order to detect a breach.

While these post-breach activities are necessary in order to stop the bleeding, they pale in comparison to the cost of the attack itself. IBM estimates that the average cost of a data breach for companies is now $3.62 million.

A key goal when handling a data breach is learning why it occurred so that you can hopefully prevent it from happening again. Data breach accountability and responsibility isn’t always easy to determine, but when a breach occurs companies spend big money to determine the cause. Read on to find out who in an organization is most likely to blame when a data breach occurs.

Who’s to Blame for Data Breaches?

Business Managers and CEOs

When businesses don’t budget enough for IT security solutions, including big data encryption, the fault of the data breach can understandably fall on those who make the financial decisions. This can include anyone from business line managers all the way up to the CEO.

According to one survey, 29 percent of IT decision-makers believe that the CEO should have the primary responsibility if a large-scale data breach does occur. In addition, 62 percent of IT decision-makers believe that the CEO or the company’s board should be most aware of organizational policies to respond to data breaches.

In many cases, assigning blame to the CEO makes sense. CEOs are ultimately responsible for technological innovation at the company. They are often involved in determining which corporate data security partners the company selects and how to address cyber security threats.

CEOs have resigned or been replaced following several high-profile cyber attacks. For example, Target’s CEO Gregg Steinhafel resigned in 2014, after the company suffered a massive data breach that exposed 40 million credit and debit card numbers.

Chief Information Security Officers (CISOs)

If a data breach occurs even after your company has been budgeting and spending adequately on cyber attack prevention measures, the next link in the chain is the CISO or CSO. According to a 2017 survey, 21 percent of IT security professionals would hold the CISO accountable in the event of a data breach, coming in second place behind the CEO.

CISOs are often to blame when the security operations team fails to detect or respond properly to a breach. They are also accountable when the necessary data security technology is out of date or not in place. If the cause of the data breach was a security operations glitch as a result of poor systems maintenance and monitoring, it’s likely the CISO’s responsibility.

Breaches not the result of human error generally absolve the CISOs/CSOs of responsibility. For example, if someone on the IT operations team failed to perform basic maintenance, such as installing upgrades and patches, then the responsibility may fall squarely on that IT operator’s shoulders.

Data Security Operations Personnel

Personnel who manage IT security operations on a day-to-day basis are the most likely to make mistakes that result in a data breach. According to a 2014 report, 95 percent of all cyber security incidents occur as a result of human error.

In many cases, these issues are because many of those responsible for support and maintenance are simply unqualified for the job. Hiring trained and competent data security personnel to manage upgrades and patches in a timely and correct manner is critical.

Final Thoughts

Data breach prevention is the job of everyone within the organization. With so many cyber security team roles and responsibilities, it’s rare that data breach responsibility fall on one person or group. However, a few bad decisions made by one or two people can easily snowball into a devastating breach. The result is often a loss of revenue and your customers’ trust.

Of course, instead of worrying about how to avoid blame for a data breach, it’s far better to reduce the chances that an incident will occur in the first place. If you’re looking for a proven way to prevent unauthorized access to sensitive data and the hassle of a data breach, take a closer look at the high-performance encryption solutions from Zettaset. Try Zettaset XCrypt Full Disk today.