Navigating personal liability: post data-breach recommendations for CISOs

The key to minimizing personal liability for CSOs and CISOs after a data breach is to act responsibly and reasonably. The current state of the law is that those involved in an organization that is threatened or affected by a data breach are expected to react reasonably under the circumstances. To meet this standard, one should engage and follow legal advice, communicate effectively, and demonstrate a commitment to addressing the breach and preventing future incidents. By following these recommendations, CSOs and CISOs can navigate the challenging terrain of a data breach while minimizing their own risk of personal liability.

A data breach can have significant financial, reputational, legal, and emotional implications for an organization, its personnel, clients, and a wide range of others. When a data breach occurs, affected persons become concerned with what may have happened and how it could negatively impact them. Not only is there a real threat to their financial well-being, but there is also a perceived disquieting attack on personal privacy. And beyond those reactions, government regulators as well as politicians often spring into action for a wide range of purposes.

For chief security officers (CSOs) and chief information security officers (CISOs), a breach presents unique challenges, including potential personal liability. While it is rare, personal liability for CSOs and CISOs is not entirely out of the question. In cases where it can be demonstrated that the CSO or CISO acted negligently or failed in their duties, they could potentially be held personally liable. This could result in financial penalties, disqualification from holding director or officer positions, and, in extreme cases, criminal charges.

As an example, Uber's former CSO was sentenced to probation and ordered to pay a hefty fine. To be sure, the CSO was involved in a cover-up of a massive data breach, which included paying off the hackers in exchange for their silence and drafting non-disclosure agreements that falsely stated the hackers did not take or store any data. The CSO also withheld information about the breach from his company's lawyers and the FTC. Although an extreme example, this result could be a harbinger of future dangers as data breaches become more common and severe.

How to navigate challenges and minimize risk

Below, we provide guidance on how to navigate challenges, minimize risk, and ensure that organizational actions comport with legal standards and best practices.

The single most important guidance that you should follow is to involve counsel promptly and frequently. Upon your first knowledge of a claimed data breach, you should promptly determine who your organization’s legal counsel is for such matters and contact those lawyers. A checklist for your initial discussions with the lawyers should include:

  1. Who in your organization should be advised of the claim and who, whether or not within your organization, should not.
  2. Whether the lawyers can and will be representing you as well as your organization and, if not, how you might go about finding counsel.
  3. Attorney-client privilege. Ask to be educated or refreshed on the attorney-client privilege. The attorney-client privilege is a critical protection that must be preserved, whether or not legal action is ultimately taken as a result of the breach.
  4. Ask about a “litigation hold,” which is a directive from counsel to all involved areas of your organization instructing that document destruction not occur, even in the regular course of business practices. The decision and the scope of such instructions should come from counsel, but you and others must be aware of the concept and specifics as to how it is to be used in your situation. Simply put, your counsel will want to avoid accusations of destroying evidence.
  5. If you are not the CSO or CISO, identify who such officers are and ask counsel how to contact such people.
  6. Ask about documents to be turned over to counsel. These will likely include the materials submitted with the claim by the claimant, documentation regarding the claim that is within your organization, any policy or applicable guidelines regarding data security, and any materials already generated or gathered by you.
  7. Be prepared to provide counsel with a detailed description of your knowledge of the incident, along with the identification of any other organization-controlled persons who may have some involvement in what is claimed to have happened and any supporting documentation. They can guide the incident response and provide legal advice to limit both the organization and your personal liability.
  8. Ask counsel about anything else that comes to mind. If it raises your concerns, it is worth sharing with counsel.

Document an incident straight away

Counsel will likely ask you to document what you know about the incident and instruct you as to how to do so. While you should follow counsel’s direction, all relevant details will certainly be needed. These will include the date and time of discovery, the nature of the breach, the type of data involved, the number of individuals affected, any immediate steps taken, and anything else that will preserve the pertinent facts regarding the breach.

While the entire scope of relevant information may not yet be apparent, you should err on the side of being more inclusive. Your documentation should be prepared as close in time to the event as practical so as to preserve recollections as well as knowledge held by people who could leave the organization for whatever reason. This documentation is critical to help guide internal and external investigations, assist in regulatory compliance, and help reduce the impact of potential legal proceedings.

It can be tempting for CSOs and CISOs to take the reins in data breach incidents, given their technical expertise or sense of personal responsibility. However, this can lead to unintended legal complications. In the aftermath of a data breach, it's critical to let your organization's legal counsel guide decision-making processes. They can ensure that the response to the data breach complies with applicable laws and that both communication and remediation efforts are handled appropriately to minimize potential liability.

In addition to protecting the organization, CSOs and CISOs may want to seek personal legal advice. Although it's rare to face personal liability or criminal charges, there can be situations where it could be a real or feared risk. Independent legal advice can provide guidance tailored to your specific situation, identify where your interests may differ from those of your organization, and allay your concerns, all of which can be protected under attorney-client privilege.

After a data breach, effective communication is crucial. Legal counsel should guide the crafting of public statements, ensuring they are accurate, timely, and compliant with legal obligations. Remember, providing incorrect or misleading information can increase liability risks. Public statements can also positively or negatively affect public concern over personal financial and privacy risks. Consult with legal counsel before making any public statements or communicating with affected parties.

Data breaches often involve various regulatory agencies. Cooperate fully with any investigation while also protecting the interests of the organization. This cooperation should be done under the guidance of legal counsel to ensure that it does not inadvertently increase liability.

Post-incident analysis is just as important

Post-incident, it’s essential to review the causes of the breach and update security measures accordingly. This helps prevent future incidents and demonstrates a commitment to security, which can help limit liability. Legal counsel should be involved in this process to ensure any changes align with regulatory requirements.

Unfortunately, data breaches have become so common that organizations are anticipating what to do about them when and if they happen. It is prudent to have a robust incident response plan (IRP) in place before it is needed. If your organization does not have one, develop one. If there is one, follow it. Following this plan can help prevent knee-jerk reactions, demonstrate good faith efforts to address the situation, and provide a solid defense if faced with legal action. This article should provide a good start to what an IRP could contain.

Anna Diaz Gessner contributed to this article.

Disclaimer: This content is intended for general informational purposes only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.