How well-positioned are corporations to protect consumer data? This question is on the minds of many analysts as cyberattacks become increasingly prevalent with the aid of artificial intelligence. These attempted breaches are stress-testing the organizations that are tasked with safeguarding personal data, and they are also putting CISOs in uncomfortable positions. The question of legal liability has a strong influence on cybersecurity chiefs who have been tasked with implementing cyber defenses and addressing defensive vulnerabilities. This means that executives are frequently in the position of having to weigh compliance obligations against cybersecurity investments.
A survey of more than 1,800 of these executives suggests that their role might be more explicitly aimed at encouraging checkbox compliance tactics. Cynically put, this means that organizations are more concerned with protecting themselves from legal regulators than from black hat actors. Consider that companies take more than seven months to recover from security incidents, which is 25% longer than expected, and yet half of all respondents do not believe they have the investments in place to prepare for future attacks. In other words, these organizations are anticipating a future problem that, it could be argued, they have no intention of actually fixing.
However, some of the best practices regarding legal liability also apply to data breaches, and with a little more intentionality, organizations could be taking steps to address both. The best organizations will work to distinguish clearly between what is avoidable and what is unavoidable in the case of a breach. They will also define who is responsible for incidents while remembering that security is a shared, organization-wide responsibility. But simply reporting a breach, for example, only covers the liability of a company: it does not improve the protection of personal data. And although individuals cannot always hold companies liable for data breaches the way they can for faulty software, they can decide who they do business with. If you are with an organization that has sent you multiple notices in an attempt to CYA, or that has reported multiple breaches, consider whether this is an organization to which you want to entrust your personal data.