Beyond a Nuisance: Data Breaches Threaten C-level Jobs, Boards of Directors, and Corporate Coffers
When it comes to data breaches and the professional longevity of CEOs and boards of directors, one can't help but say: “How times have changed!”
Compare the reaction to almost any recent headline-grabbing data breach—Anthem, Ashley Madison, Sony, Wyndham Resorts—to the reaction that greeted Heartland Payment Systems in 2009.
In January of 2009, Heartland disclosed that a SQL injection attack on their data systems had enabled criminals to steal information from about 134 million credit cards. The attack remains one of the largest data breaches in history. And Heartland paid a price, once the news of the data breach broke. They lost hundreds of customers, and within a few months their share price dropped 77.6 percent.
But the CEO kept his job. In fact, CEO Robert (Bob) Carr went on to be praised for his openness about the breach and the efforts he spearheaded to make Heartland’s IT systems more secure. He even participated in security best-practice discussions, including one hosted by the Federal Reserve Board. Heartland’s board of directors kept their jobs, too. In the years since the breach, the company’s stock price has doubled.
But six years later, we live in a different age. Today, shareholders, the press, the public, and federal regulators have little patience for CEOs and boards of directors who preside over organizations that suffer data breaches, especially if those breaches expose personally identifiable information (PII) of employees or customers.
• Home Depot is facing 44 lawsuits resulting from its data breach in 2013.
• Sony Pictures’ CEO Amy Pascal was fired in early 2015, just a few months after the Sony data breach, which exposed the personal information of employees and several inflammatory emails among Sony executives.
• When the U.S. Office of Personnel Management was breached in June 2015, its director, Katherine Archuleta, eventually resigned under pressure. The OPM and its private contractor KeyPoint Government Solutions now face at least seven class action lawsuits filed on behalf of federal employees.
• After the breach of the Ashley Madison site in August 2015, Noel Biderman, the CEO of the site’s parent company Avid Life Media who had dubbed himself the King of Infidelity, accepted the infelicity of his situation and tendered his resignation.
• The Third Circuit Court of Appeals in September 2015 upheld a ruling that the FTC has the right to sue companies whose poor IT security practices resulted in “unfair or deceptive acts or practices in or affecting commerce.” The FTC had previously filed a lawsuit in 2012 against Wyndham Resorts relating to their three data breaches between 2008 and 2009 that exposed credit card information belonging to 619,000 people.
As data breaches can lead to resignations, firings, and lawsuits, it has now become obvious that data breaches are a board-level issue. They can erode trust in fabled brands. And they can earn the enmity of previously loyal customers and business partners.
Gone are the days when executive teams and boards of directors could delegate responsibility for data security to the IT department. Now, data security is a board-level objective.
So how should boards of directors approach this new, urgent, and challenging mandate?
Your Mission: Optimize Security
To develop a board-level strategy, it’s helpful to recognize what’s similar and what’s different about the breaches making headlines today. Insiders are suspected of having contributed to the Ashley Madison and Sony breaches. Attacks involving Point-of-Sale (POS) credit-card systems often take advantage of companies failing to segment their networks; that is, their networks connect too many disparate IT services, which in the case of the Target breach, for example, enabled a hacked HVAC system to reach credit card data in POS systems. In many hacks, including the Anthem, Ashley Madison, and OPM breaches, PII that was supposed to be encrypted was not.
Of course, to secure systems, it’s helpful to know how many you have. The OPM lacked a comprehensive catalog of its IT systems, and it lacked an automated solution for scanning those systems for exposed vulnerabilities.
It’s tempting to blame some of these vulnerabilities on the cloud. In fact, some recent breaches, such as the Apple iCloud breach which exposed private photos of celebrities, were cloud data breaches. And certainly some popular cloud services such as Dropbox have gotten black eyes for security outages of one type or another.
But a well-run cloud service, especially a private cloud or hybrid cloud, can actually improve IT security.
Here are some suggestions for improving the data security of IT infrastructure, wherever it is hosted:
• Choose IT systems that encrypt confidential data both in transit and at rest. Wherever confidential content is used—even on your employees’ mobile devices—confidential information should be encrypted.
• Evaluate the strength of the encryption being used. Ensure that it complies with rigorous standards, such as FIPS 140-2 for federal agencies. Part of the problem at Ashley Madison was that programmers were taking shortcuts in encrypting data. As a result, data that should have been difficult to decrypt turned out to be surprisingly easy to crack.
• Ensure that your own IT organization, not a third party provider, maintains control of encryption keys. Encryption keys are the unique mathematical values used to encrypt and decrypt data, and allowing third parties to manage them creates new vulnerabilities.
• Enforce rule-based access controls for all confidential data. Access to confidential data should be granted only on a “need to know” basis.
• Support two-factor authentication for critical systems, and make sure your systems can automatically shut down brute force login attempts that submit thousands of passwords to guess their way into accounts. The iCloud breach resulted from hackers running a password-generation script to crack iCloud account logins.
• Track the distribution and sharing of confidential data. Even if your organization is working with contractors and other outsiders, your IT staff should be able to monitor and control the flow of PII and other sensitive content. Think of your data ecosystem as all the business users, inside and outside your organization, who need to access content; then make sure you can monitor the flow of content throughout that ecosystem.
• Consider deploying private clouds managed by your own IT team, to deliver the same economic benefits and scalability of public cloud services while giving your internal organization full control over data and services. If additional IT resources are needed, you can transform your private cloud into a hybrid cloud that complements the private cloud with trusted public cloud resources as needed.
• Segment your networks, so that a breach in one area of your network does not give attackers access to your entire network.
• Educate users about the risks of phishing attacks and other stealthy attempts to gain their credentials. The OPM attack, among others, is thought to have begun with a phishing attack.
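The brute-force lockout recommended above, as an added example that is not part of the original article: a sliding-window guard that counts failed logins per account and per source address, blocks both once a threshold is crossed, and checks the lock before the password so a late correct guess is still refused. The thresholds, the `LoginGuard` class and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed inside the window before locking (assumed policy)
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long an account or source stays blocked


class LoginGuard:
    """Tracks failed logins per account and per source address and blocks
    further attempts once either exceeds MAX_FAILURES inside the window."""

    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time at which the lock expires

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return q

    def attempt(self, account, source, now, password_ok):
        """Decide one login attempt: 'blocked', 'success' or 'failure'.
        The lock is checked before the password, so a correct guess that
        arrives after the lock has tripped still does not get in."""
        keys = (f"acct:{account}", f"src:{source}")
        if any(self.locked_until.get(k, 0) > now for k in keys):
            return "blocked"
        if password_ok:
            self.failures.pop(keys[0], None)   # reset the account only; a source spraying
            return "success"                   # many accounts keeps its history
        for k in keys:
            q = self._recent_failures(k, now)
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS
        return "failure"


# Constructed sample events (timestamp, account, source, password_ok), not real log data:
# a script guesses passwords for "alice" from one address, then the real owner logs in.
SAMPLE_EVENTS = [
    (1, "alice", "203.0.113.9", False),
    (2, "alice", "203.0.113.9", False),
    (3, "alice", "203.0.113.9", False),
    (4, "alice", "203.0.113.9", False),
    (5, "alice", "203.0.113.9", False),     # fifth failure: account and source locked
    (6, "alice", "203.0.113.9", True),      # right guess arrives too late: blocked
    (50, "bob", "203.0.113.9", True),       # same source, other account: blocked
    (100, "alice", "198.51.100.4", True),   # real owner, other device: blocked while locked
    (1000, "alice", "198.51.100.4", True),  # lock expired: success
]


def run_events(events, guard=None):
    """Feed events through one guard and return the decision for each."""
    guard = guard or LoginGuard()
    return [guard.attempt(acct, src, ts, ok) for ts, acct, src, ok in events]
```

The blocked attempt at t=100 shows the trade-off of any lockout: the legitimate user is also refused until the lock expires, which is why locks are time-limited and each lockout event should also raise an alert for the security team.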
Data breaches are likely to continue, and regulatory penalties and civil actions are likely to continue following in their wake. By taking a proactive approach to IT security—an approach based on best practices and continual oversight—executive teams and boards of directors can fulfill their fiduciary responsibility for protecting their organization’s data, reputation, and financial standing. In doing so, they can ensure their organization’s longevity and viability, which is every CEO’s, chairman’s, and board member’s responsibility.