Presidential Candidate Sen. Elizabeth Warren Wants to Hold Execs Criminally Liable for Data Breaches - Should You Be Worried?
Senator Elizabeth Warren, the Massachusetts Democrat who’s long been the bête noire of “too-big-to-fail” financial institutions, is out with proposed legislation that would for the first time expose corporate executives to criminal liability for data breaches resulting from negligent digital security practices.
Senator Warren, it should be noted, is a declared candidate for U.S. President, so it’s all but certain that she’ll tout this proposal on the campaign trail between now and next year. Even if she’s not the Democratic Party’s nominee, there’s a decent chance whoever bests the crowded field will pick up the mantle.
As written, Warren’s legislation threatens “fine[s] in accordance with this title,” imprisonment for up to one year, or both, for an “executive officer of a covered corporation to negligently permit or fail to prevent” data breaches as defined in the text of the bill.
It’s an expansive proposal that’s likely to keep execs up at night. And it raises the question: are you doing enough to reduce your exposure to digital threats and limit your liability in any civil or criminal actions arising out of data breaches that occur on your watch?
What Can You Do to Reduce Your Liability?
Let’s be clear: Senator Warren’s proposal is just that — a proposal. In a Republican-controlled Senate, odds are against its passage anytime soon.
On the other hand, political reality can and does change, even in a Washington beset by what appears to be perennial partisan gridlock. There’s no good reason to bet against some form of Senator Warren’s proposal becoming law sooner or later. In the meantime, why not take some commonsense steps to reduce your exposure to digital threats? Here’s what you can do now, while you’re waiting for Washington to act (or not).
1. Invest in a First-Rate Cloud Backup Architecture
First things first: you need to invest in a top-notch cloud backup system that provides thorough redundancy in the event of data loss or access interruption.
Remember, data breaches that result in the overt theft of sensitive information aren’t the only digital threats your company faces today. Malware attacks, about which we’ll learn more below, could cripple your ability to operate without comprehensive backup solutions in place — even if your data never falls into the hands of malicious third parties.
Backup is important for a host of other reasons, too. Natural disasters, power outages, security incidents — all may interrupt access to mission-critical data. To borrow another turn of phrase from the political realm: Without a Plan B, you’ve unilaterally disarmed.
2. Practice Good Password Hygiene
Stop what you’re doing and read this primer on creating a strong password.
It’s 2019. There’s simply no excuse for “password1” or “[yourname]!” anymore — if your accounts even allow such shoddy passwords.
What makes for good password hygiene? Briefly:
These aren’t the only password hygiene best practices, but they’re a worthwhile start. What are you waiting for?
3. Use Two-Factor Authentication for All Internal Accounts
Two-factor authentication, or 2FA, is the simplest type of multi-factor authentication. As the name implies, 2FA requires two distinct authentication factors, most often a password plus a randomly generated, single-use passcode (when you log into your bank, for instance, you’re probably prompted to enter the passcode sent to your phone or email immediately after entering your password) or a security question.
Anyone can steal a password before you realize it’s gone. 2FA ensures that, unless the attacker has also stolen or compromised the device on which you receive the second factor, said password is only part of the access equation.
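To make the single-use passcode half of that equation concrete, here is an added example (not code from the article) of the server-side bookkeeping behind such a code: the plaintext is handed to the delivery channel and never stored, only a salted hash with an expiry, an attempt counter and single-use consumption survive. The five-minute window, the five-attempt lockout and the six-digit format are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example: server-side store for a one-time passcode second factor.
# Assumptions: 6-digit codes, 5-minute validity, lockout after 5 wrong guesses.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked store does not reveal the pending code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)


class PasscodeStore:
    """Tracks one pending passcode per user; the plaintext never persists."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> [salt, hash, expires_at, attempts]

    def issue(self, user: str) -> str:
        # Code comes from the CSPRNG; the return value goes to the SMS/e-mail channel.
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = [salt, _hash_code(code, salt),
                               self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already used
        salt, digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]           # expired or brute-forced: burn it
            return False
        entry[3] = attempts + 1
        # Constant-time compare so timing does not leak how many bytes matched.
        if hmac.compare_digest(_hash_code(submitted, salt), digest):
            del self._pending[user]           # single use: consumed on success
            return True
        return False
```

A stolen password alone cannot pass `verify`, and a code captured once cannot be replayed after it has been consumed or has expired.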
4. Rely on Non-Password Permissions for Sensitive Applications
We’ve already explored the deficiencies of traditional passwords. Even 2FA is not infallible. For truly sensitive applications and functions, additional layers of security are not only necessary — they may be non-negotiable in a potential future reality in which decision-makers are held criminally liable for actions or inactions construed as negligent.
Biometric factors are increasingly popular in sensitive settings, particularly those requiring physical access. If your organization houses servers on site, for instance, you’ll almost certainly require a numeric combination or keycard to access them; why not add an additional layer of protection with a fingerprint or retinal scan?
5. Distribute Your Data (Securely)
Speaking of servers: don’t rely on a single facility, however secure, to serve as the sole node for your digital footprint. It’s simply not wise to expose yourself to the very real possibility of prolonged disruption.
Instead, distribute your data securely across a broad, geographically distributed footprint. Cloud backup and data recovery solutions are part of this architecture, of course. When your data is stored well away from your headquarters or principal data center, any adverse events that affect that facility are unlikely to be present (at the same time, at least) across your entire distributed network.
6. Require Uniform Security Standards Across Your Entire BYOD Footprint
You’ve almost certainly embraced the "Bring Your Own Device" (BYOD) revolution. How are you feeling about that decision?
“Nervous” is an acceptable answer here. In fact, you’d be remiss — and, not to put too fine a point on it, probably well within Senator Warren’s definition of “negligent” — not to reckon with the myriad ways your organization’s BYOD permissiveness could come back to haunt it.
Rather than put your trust in fate, take matters into your own hands with a comprehensive set of uniform security standards governing your entire BYOD footprint. Whether you want to go even farther and require your employees to procure certain device models or operating systems is up to you; doing so would certainly simplify your security posture.
7. Use Virtual Private Networks to Encrypt Traffic
One measure you’re well within your rights to require of BYOD users is the regular use of an organization-approved virtual private network to encrypt traffic. Adding a VPN is a cost-effective solution to a host of threats, including corporate espionage and man-in-the-middle malware attacks; just be sure to use a legitimate program that doesn’t itself function as grayware. And don’t assume that your VPN is a panacea; malware installed directly on your system can still wreak havoc, with or without outgoing encryption.
8. Use Encrypted Communication Tools for Ultra-Sensitive Communications
Your organization surely has proprietary plans that you really don’t want to fall into the wrong hands — competitive or otherwise. When your employees communicate about these matters, make sure they’re doing so through channels that aren’t vulnerable to compromise. This list of the top encrypted messaging apps is a good start. Just be sure to thoroughly investigate potential weaknesses and drawbacks that may not be readily apparent from their marketing copy, and be aware that app makers are locked in constant battle with sophisticated enemies aiming to crack their encryption.
9. Maintain Secure Data Archives Well Beyond What’s Required by Law
One school of thought around data hygiene goes something like this: “the bigger the data archive, the greater the risk.”
Seductive as it sounds, this isn’t an accurate summation of the situation. The benefits of a thorough data archive — far beyond what’s required by law or regulation — far outweigh the risks of a breach. Indeed, your data archive may well help mitigate the impact of a breach that results in data loss or corruption.
The important thing, of course, is ensuring that your secure data archives are just that — secure — in perpetuity. That’s where a first-rate data recovery partner comes in.
10. Have a Comprehensive Crisis Response Plan (Including a Public Relations Plan)
It’s best to assume that a serious data breach at your organization is a matter of when, not if. Better to be prepared for the most likely outcome — a breach at some point — than to cross your fingers and hope that day never comes.
Position yourself accordingly and develop a comprehensive crisis response plan that includes:
Once the dust settles, you’ll want your crisis response plan to include a forward-looking component as well — namely, a plan to reduce the likelihood that something similar happens again.
11. Always Watch the Watchers
If you’re not familiar with the Panopticon, brush up. It’s the best analogy, creepy though it might seem, for a truly effective internal digital security apparatus.
In short: digital security professionals inside and outside your organization must always operate under the assumption that they’re being watched or tracked. This applies to the lowliest data entry grunt and your CISO alike. On the matter of digital surveillance, at least, no one in your organization is above the law. After all, the surest way to prevent stakeholders from acting negligently is to ensure that none feel as if they have leeway to do so.
12. Make Your Data Unusable (or Difficult to Use, at Least)
Recent news is littered with examples of otherwise competent organizations storing extremely sensitive data in plain sight — from credit card numbers in unencrypted files that any attacker could download off a compromised system to voter identification information stored on non-password-protected spreadsheets.
Don’t laugh. A thorough data security audit of your own organization could well reveal embarrassing vulnerabilities that, if exploited, could prove devastating to your operations and reputation. Better to shore them up now — for instance, by separating records into component parts to be stored separately — than deal with the aftermath later.
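As an added example (not code from the article) of “separating records into component parts to be stored separately,” the block below takes a flat customer file of the kind just described and splits it into an operational part that carries only the last four digits plus an opaque random reference, and a separate vault that maps references back to full card numbers. The field names, the two sample rows and the “13 or more digits” heuristic for spotting a full card number are constructed for this example.

```python
import csv
import io
import secrets

# Added example: split sensitive fields out of the file attackers most often reach.
# Constructed sample input in the "plain sight" form the article warns about:
# one flat file with the full card number next to everything else.
PLAINTEXT_CSV = """name,email,card_number
Ada Lovelace,ada@example.com,4111111111111111
Alan Turing,alan@example.com,5500000000000004
"""


def load_flat(flat_csv: str):
    """Parse the flat file into dict rows (the 'before' picture)."""
    return list(csv.DictReader(io.StringIO(flat_csv)))


def split_records(flat_csv: str):
    """Return (operational_rows, vault) with the card number moved out.

    operational_rows: what day-to-day systems need (name, e-mail, last four
                      digits and an opaque reference token).
    vault:            token -> full card number, held in a separate store
                      with its own, tighter access controls.
    """
    operational, vault = [], {}
    for row in load_flat(flat_csv):
        pan = row["card_number"].replace(" ", "")
        token = secrets.token_urlsafe(16)   # random, so not derivable from the PAN
        vault[token] = pan
        operational.append({"name": row["name"], "email": row["email"],
                            "card_last4": pan[-4:], "card_ref": token})
    return operational, vault


def resolve_card(vault, card_ref):
    """Only code with vault access can turn a reference back into a card number."""
    return vault.get(card_ref)


def pans_recoverable_from(rows) -> int:
    """Count full card numbers readable from these rows alone (constructed heuristic:
    any all-digit field of 13+ characters)."""
    return sum(1 for r in rows for v in r.values() if v.isdigit() and len(v) >= 13)
```

Leaking the operational rows alone yields zero card numbers; an attacker would also need the separately controlled vault.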
13. Be Ready to Quantify What’s Been Lost, If Anything
Have a scalable system in place to quantify the impact of a data breach or compromise now before the incident occurs. You’ll need this information, at minimum, to comply with any investigations by external digital security partners and/or law enforcement authorities. If customer or employee records are compromised, you’ll need to be prepared to inform the affected parties as well.
14. Hold All Employees Accountable for Data Hygiene
The best way to do this is to create a comprehensive set of data security procedures, update it regularly, and require all employees to affirmatively agree to follow it to the letter (ditto for new hires, too). A chain is only as good as its weakest link, and links are far more likely to fray when they’re not held accountable.
15. Always Be Patching
Last, but not least: don’t dally on software patches. Patching known vulnerabilities removes low-hanging fruit for opportunistic hackers to exploit. That it won’t deter more sophisticated threats shouldn’t stop you — every layer of protection has its place, after all.
Are You Doing Enough to Protect Your Digital Assets?
It’s entirely possible, even likely, that Senator Warren’s proposal to hold negligent corporate executives liable for data breaches that happen on their watch won’t go anywhere in the U.S. Senate. The chamber is controlled by business-friendly Republicans through at least January 2021, and its members are famously reticent to court controversy during Presidential election years — the next of which is fast approaching.
Even if political reality grants America’s corporate executives a temporary reprieve, it’s fair to bet that Senator Warren’s proposal won’t be the last word on data breach liability.
If Warren happens to win the Presidency next year — certainly not out of the realm of possibility, despite a crowded Democratic primary field and the immense structural advantages that President Trump enjoys as the incumbent — then the Massachusetts progressive is all but assured to ask the Senate to take up her liability proposal when it reconvenes, possibly with a Democratic majority, in early 2021. So too might any of the dozen-plus Democrats vying to take on Trump in November.
Then again, forecasting the political winds this far out is a fool’s errand. Rather than game out specific scenarios — how they might fare under a President Warren, compared with a President Sanders or Biden or Klobuchar — sober-minded corporate executives would do well to prepare for the possibility of federal statutory changes that may increase their liability for data breaches. After all, while we can’t control what Washington politicians do, we can exert influence over matters closer to home.
Anyway, fortifying one’s corporate security posture isn’t rocket science. You know what needs to be done (and, where you’re not sure, refer to the above). Now it’s time to execute.