Data Breach Accountability: Who Foots the Bill for A Business Data Breach?
News stories about cybersecurity data breaches are sometimes difficult to avoid and even more difficult to digest. Data is increasingly valuable to businesses – especially data related to customers, payments and of a sensitive nature. It seems like every other week there are headlines about another major company suffering a massive data breach, exposing the personal information of millions of users.
As networks become stretched over multiple locations with multiple users, they become less secure – couple this with the notion that data stored on the cloud is becoming more valuable, and you’re creating the perfect storm for a cybersecurity breach. End users, managed service providers, even Cybersecurity experts prevent every breach, but in some cases, it’s clear the appropriate steps weren’t taken to protect data in the first place.
The cost of any breach raises the question: Who should pay when a customer’s data gets stolen or its network hacked?
The conversation gets even more intriguing when asking end users, MPSs and IT Service Providers alike, what they think and who they feel is financially liable when a data breach takes place.
Is it the organisation who owns the data?
Is it the business the organisation employed to protect the data?
At Certes, we wanted to get a clearer image of this debate, so commissioned a survey of end users and ITSPs across the UK and the US, asking them this very question.
The good thing is, almost 50% of survey respondents confirm that third party organisations are employed to deliver security policies. Interestingly, 48% of these businesses expect their IT Service Providers to cover the costs in the event of a data breach – but 73% of ITSPs consider themselves responsible for paying fines and damages, and believe they should pay 51% of the costs.
The interesting stat to lift out here is that although 73% of ITSPs think they are liable to foot the bill in this scenario (or at least 51% if this bill) whereas just 46% of customers think it’s themselves who are financially liable. The fact of the matter is, there is a big disconnect between ownership and financial accountability.
Are we all simply hoping that this won’t happen to us, that we won’t have to have this conversation?
The plot thickens however… surely relying on a contractual agreement for financial remuneration totally misses the fundamental operational risk associated with inadequately assured SD-WANs. This approach also highlights the confusion between a much wider debate; between network security and data assurance that dominates the industry, especially within high assurance markets. Companies need to take ownership of their data. Yes, an MSP or ITSP running the SD- WAN will put in place standards to secure the network infrastructure – but who is protecting the data and how?
A data owner’s level of liability depends on what safeguards it was taking to protect user data. Failing to control network access or not encrypting user data, for example, will make a data owner more liable for the damages caused by the breach. A data owner also can be held responsible for not informing affected customers soon after a breach occurs.
Despite the acknowledged risks, too many organisations are simply handing over responsibility to an IT Service Provider (ITSP) or Managed Services Provider (MSP) – and expecting the provider to pick up the financial cost should a data breach occur.
So, who IS responsible for cybersecurity breaches?
“The organisation” isn’t an exciting answer, but it is closest to the consensus of both the law and cybersecurity experts. And the cybersecurity blame game isn’t likely to yield a more useful answer…
Of course, instead of worrying about how to avoid blame for a data breach, it’s far better to reduce the chances that an incident will occur in the first place. If you’re looking for a proven way to prevent unauthorized access to sensitive data and the hassle of a data breach, take a closer look at the high-performance encryption solutions from Certes Networks.