Organizations worldwide continue to struggle with responding to data breaches in a timely manner. Per IBM’s 2018 Cost of a Data Breach Study, an organization took an average of 174 days to identify an instance of human error and 57 days to contain it. The numbers were even greater for system glitches (177 days to detect and 60 days to contain) and malicious attacks (221 days to spot and 81 days to resolve).
Such long discovery times give digital attackers ample opportunity to move laterally on the network, compromise critical assets and exfiltrate sensitive data. It’s thus no wonder that many security incidents end up costing organizations as much as $157 to repair each breached record. Given that the average 2018 incident in the United States exposed 31,465 records, data breaches involving criminal attacks can easily cost U.S. organizations millions of dollars, not to mention expose thousands if not millions of consumers to identity thieves.
The Corporate Executive Accountability Act
Many of us have grown weary of the ceaseless stream of news headlines announcing data breaches. Among them is Elizabeth Warren, a U.S. Senator from Massachusetts who feels that the buck stops in the boardroom and in the CEO’s office. It’s with this viewpoint in mind that Sen. Warren crafted S. 1010: The Corporate Executive Accountability Act.
Introduced in April 2019, the Corporate Executive Accountability Act seeks to amend Part I of title 18 in United States Code with an additional chapter that pertains to executive officer negligence. This added content specifically states that executives at covered corporations could face fines and even jail time if they permit or fail to prevent a violation that affects the “health, safety, finances, or personal data” of at least one percent of the population of the United States or their state. A data breach would therefore constitute such a violation.
The purpose of this Act is to use the threat of criminal liability to compel executives into taking greater responsibility for their organizations’ digital security. But that begs the question: does the Act provide adequate compulsory power to engender such a change?
Sam Bocetta, independent journalist, doesn’t think so. He takes issue with the fact that “the top boss should pay a personal price when things go wrong inside a sprawling corporate entity.”
“Let’s transfer the scenario to a different environment, say FedEx. When a driver in Smalltown, USA blows a stop sign because he’s texting, then flattens a cat, plows through a rose garden and lands in a swimming pool in the resulting sequence of events, does [FedEx CEO] Frederick W. Smith expect to be hauled off in chains from behind his fancy desk that very afternoon? Perhaps not if he’s taken what a reasonable human being interprets to be proper precautions like maintaining the truck fleet to a good mechanical standard, screening drivers to weed out the whackos and malcontents and most importantly carrying lots of insurance for this kind of thing.”
Those reservations aside, other security professionals are more optimistic about the legislation. Digital security writer Tassos Arampatzis feels that the legislation “is certainly another positive step towards achieving a more secure corporate world and raising both the awareness and trust of end customers.” Along those same lines, digital security writer Kim Crawley feels that the threat of a penalty could compel more C-suite executives to enforce good security policy and invest in robust digital security controls.
One security control in particular…
Crawley specifically extols the importance of organizations investing in encryption:
“Encryption is obviously crucial when it comes to protecting data from cyberattacks. If better cryptographic implementation can be a means of determining that someone within an organization other than an executive is responsible for a data breach or cyberattack, that's good. If executives are motivated to improve their organization's cryptography because they'd be less likely to be blamed for problems, that's fine by me, too.”
Hywel Curtis, experienced communications consultant and content strategist, notes that using encryption can help ensure that “some of the data will still be protected and customers will be kept safe.” But not everyone feels that encryption can do enough to protect organizations in the face of a data breach. Among them is Bob Covello, A.V.P. and IT Security Director at the Navigators Group, Inc.
“Encryption will not solve anything in the case of a data breach facilitated through a phishing attack,” notes Covello. “If account credentials are harvested, then encryption is a moot point. Without other controls, such as multi-factor authentication, a person with a valid password is a trusted insider, with access to the decryption keys of the data of whomever is being impersonated.”
Ian Thornton-Trump, security head at AMTrust Europe, takes an even more critical stance against encryption in the context of the Corporate Executive Accountability Act. He feels encryption would not help organizations save their executives the blame for a successful data breach. He also believes that Sen. Warren’s proposal would die in Congress or in the courts unless the U.S. government finally agreed to enact a federal privacy law.
A way forward
It’s unclear whether the Corporate Executive Accountability Act will ever see the light of day as law. But perhaps it doesn’t need to. From the entry-level analyst to the CISO, corporate information security departments can and should take the lead in calling for greater executive involvement and investment in data breach prevention. Part of this effort should consist of implementing basic security controls like encryption and defending all machine identities against misuse. Learn how Venafi can help in that regard.