

How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, and the exfiltrated data was used to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report, “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrated on multiple fronts, ranging from spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Can a CISO Serve Jail Time?

Have you ever wondered what it would be like to spend a few years behind bars? Well, CISOs had better know what they are doing, because the job is becoming a risky business, not for the faint of heart. It is an exciting area of law, with strict compliance mandates that criminalize inappropriate disclosure of data, deliberate or not. I am referring to the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX).

This article will cover how a violation under HIPAA or SOX can land C-level executives in the federal slammer. I will be discussing the following:
  1. Corporate Veil
  2. Director’s and Officer’s Liability Insurance (D&O)
  3. Cybersecurity Breaches
  4. HIPAA
  5. SOX

1. Corporate Veil

Legally speaking, a corporation is one of the best liability shields you can have. It is its own legal entity and, for most purposes, it is the body the rest of the world is dealing with whenever they deal with anyone empowered to represent it and make decisions on its behalf. It, and not its agents, bears the full brunt of any legal liability for damages caused by the actions or inactions of the company or its agents.

As such, CISOs are probably not going to convince the executive team, the board of directors, or even middle management that they would bear any general liability for a breach of security. To do so, you would have to prove specific and deliberate intent to harm. For example: an executive saw a name on a list of customers, didn’t like that person or company, and wanted to hurt them, and that led to a deliberate decision not to fix a known security flaw. Even with all the evidence you could want, this is next to impossible to show. Even if you have a recording of the CEO saying they wanted to harm this person’s interests, you cannot prove that the CEO’s decision to fix or not fix a flaw was so motivated. It’s all circumstantial (though a recording would go a pretty long way towards a “preponderance of evidence”).

There are, however, some instances where specific people can be held liable independently of the company. For example, if your spouse works with healthcare records and ever tells anyone, even other family members, any specifics of that data, and that data becomes public, that person is on the line for the HIPAA violation, even if her boss told her it was approved or even ordered her to divulge the information. This liability does not extend to anyone who was not aware of the events at the time, so the CISO is going to have a tough time proving that an action by an employee further down the organization’s food chain implicates the CEO.

Where it might implicate an executive is where it matters most: their wallet. Executives typically own a significant stake in their own companies, which forms a relatively large chunk of their net worth. The company is their shield, but it is also their livelihood, and it will take a beating if a security flaw in its systems is found, exploited, and subsequently makes it into the media. Corporations cannot go to jail, but they can be fined and sued to death, and the executives lose all the money they had in corporate stock and options. In recent examples such as Target, rather than take a pounding, the board of directors dismissed the CEO and other executives and set about fulfilling its responsibilities to do what was necessary and correct the matters.

2. Director’s and Officer’s Liability Insurance (D&O)

Another shield corporations have to protect their directors and officers from liability is D&O. It covers directors and officers of companies against damages resulting from alleged or actual wrongful acts they may have committed in their positions. These policies provide protection in the event of any actual or alleged error, misstatement, omission, misleading statement, or breach of duty. Directors and officers liability insurance is needed as soon as a board of directors is assembled; investors usually require that directors and officers have liability insurance as a condition of funding a company. D&O covers any criminal, administrative, civil, and regulatory proceedings based on actual or alleged acts, errors, omissions, misstatements, neglect, or breach of duty committed or allegedly committed by a director or officer.

CISOs may or may not be covered, depending upon the corporate reporting structure. Often the title is meaningless: the CISO is not considered a true director or officer, which leaves the CISO exposed should an incident occur.
In 2008, I collaborated with CSO Magazine to further define this issue in this famous article:

Data Breach Fallout: Do CISOs Need Legal Protection?

Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.

3. Cybersecurity Breaches

What matters today is that damages from privacy breaches often are not covered by directors and officers (D&O) insurance, so directors may face significant personal exposure. For example, if a corporation is the target of a cyberattack resulting in a data breach, its board may be the target of a shareholder derivative action claiming breach of fiduciary duty. A recent example is Palkon v. Holmes, No. 14-cv-01234 (D.N.J.), in which a shareholder of Wyndham Worldwide Corporation sued its directors and senior officers, claiming that their failure to implement adequate information security policies allowed three data breaches, resulting in the theft of over 600,000 customers’ personal and financial data.

The legal precedent rests on Delaware law, under which directors owe fiduciary duties of care, loyalty and good faith to their corporation. Violating either of the first two duties results directly in liability. The third duty, good faith, is not an independent fiduciary duty but rather an element of the duty of loyalty, as a director cannot act loyally toward the corporation unless she acts in the good-faith belief that her actions are in its best interests.

Observations and Recommendations to Protect Against Liability: A legal study of recent breaches such as Target and others

If a data breach occurs, plaintiffs’ lawyers will evaluate the board’s decisions and actions concerning cybersecurity. They also will evaluate whether the board appointed and supervised well-qualified officers and committees to safeguard information. To minimize the risk of liability, the board must become well-informed of the company’s cybersecurity practices and its protocols for dealing with a data breach. An informal, working understanding, based on occasional communication with management, is not sufficient. There are several ways the board can become adequately informed. It should appoint officers with expertise in cybersecurity, including a chief information officer (CIO), chief information security officer (CISO) and/or chief privacy officer (CPO), and regularly meet with them to ensure their vigilance and to understand their expectations and plans. These officers should head a department whose sole or primary responsibility is information security, and which includes employees whose sole responsibility is cybersecurity.

The board also should appoint a committee responsible for privacy and security. Its members can include the above officers, plus senior management from various departments. The committee should meet regularly and afterward report directly to the board. The board should recruit and hire at least one tech-savvy member who can be responsible for monitoring and reporting on cybersecurity. This way, the board will not be entirely dependent on nonmembers for relevant information. The “cybersecurity” director can sit on the privacy/security committee described above.

To follow best industry practices, the board should investigate how its competitors address cybersecurity and read the best-known cybersecurity recommendations, such as the National Institute of Standards and Technology (NIST) framework. With the aid of qualified management, the board should assess corporate policies against these standards. The board also should ensure that the company has identified and classified its data. Some data, such as personal identifying information, health information, and financial information is particularly sensitive and requires more significant attention to security. Depending on the nature and volume of the company’s data, the board may engage an outside vendor to help manage cybersecurity. If the board does so, the contract with the vendor must address critical issues, including security requirements, warranties, audit rights, backup systems, data-destruction policies and breach notification. But even if the company can protect its data without outside experts, the board periodically should engage them to audit the company’s cybersecurity practices and report their findings directly to the board. The committee then should review any differences between the recommendations of outside consultants and company officers.


4. HIPAA

Over a two-year period, a former emergency department worker at Florida Hospital Celebration, Dale Munroe II, gained unauthorized access to more than 763,000 electronic patient health records and sold 12,000 of them to a co-conspirator (the operator of two chiropractic centers) to solicit patients for legal and chiropractic services. While they may have viewed this as a way to quickly build a network of potential clients, under the HIPAA Privacy Rule they clearly accessed electronic protected health information (ePHI) inappropriately and misused the data by selling it. The insider threat means covered entities and business associates have to stay vigilant by monitoring and investigating any suspicious activity.
I will discuss two vital elements under HIPAA:

Business Associates
Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, an organization that provides support for treatment, payment or operations is considered a business associate, e.g., an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, an accountant or a lawyer. Business associates also have the responsibility to achieve and maintain HIPAA compliance regarding all of the internal, administrative and technical safeguards. A business associate is not part of the covered entity’s workforce but instead performs some type of service on its behalf. So, in a nutshell, the CISO whose sole responsibility is to ensure the safeguards are in place is on the hot seat should a breach occur.

Business Associate Agreement
The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other critical piece of the Business Associate Agreement is the assurance that the business will take proper steps to implement the appropriate administrative, physical and technical safeguards. This means that the business associate’s CISO is also on the hot seat should an event occur under their control.

A Florida hospital, part of a 37-hospital network under Adventist Health System, faced a class action lawsuit as a result of the data breach. Affected individuals sought damages for the failure to secure ePHI (the former worker was sentenced to a year in federal prison, along with his wife Katrina Munroe and Sergei Kusyakov as conspirators). The buck does not stop there: executive management is now implicated and faces a barrage of lawsuits alleging negligence. The complaint stated that hospital employees were, in fact, permitted to share login credentials, and that a single login could be used to access multiple computers at the same time from various locations. It also maintained that the hospital failed to train its employees and to monitor their access to sensitive information. The allegations further claimed that the hospital’s failure to segment and control its database in compliance with the HIPAA security regulations and industry standards fell short of the promises made in its patient agreements and privacy policies. Policies should meet the HIPAA Security Rule’s documentation requirements for policies and procedures, §164.316(a), which states:

  • Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other provisions of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach].
  • This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart.
  • A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Staff training is also required by the security awareness and training standard of the Administrative Safeguards in the HIPAA Security Rule, §164.308(a)(5), which states:
  • Implement a security awareness and training program for all members of its workforce (including management).
The lesson learned here is that one employee at one hospital can cause a significantly costly and messy legal case for the health system at large. If they fail to meet HIPAA compliance, people go to jail, and that includes the executives; litigation drags on for years; and loss of credibility can deter even the most loyal consumers. It is a wake-up call to healthcare CIOs, CISOs, executives, physicians, nurses, and technical and administrative staff. The physical and informational safeguards required by HIPAA are worth the ongoing investment if they wish to avoid the consequences of a data breach.
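As an added illustration of the monitoring gap alleged in the Adventist Health case above (a single login usable from several computers at once from different locations), here is a small check that walks an access log and flags an account whose session is still open on one host when it logs in on another. This is example code written for this article, not the hospital's or the author's; the log format, field names and sample records are constructed assumptions.

```python
"""Flag one account used concurrently from several hosts or sites.
Added example, not code from the original article. Log format and field
names (user=, host=, site=) are assumptions; records assumed time-ordered."""
from datetime import datetime

# Constructed sample audit log (not real data): "clerk42" is used from a
# second workstation at another site while the first session is still
# open; "nurse07" logs out before logging in elsewhere, which is normal.
SAMPLE_LOG = """\
2012-03-01T08:00:00 login  user=clerk42 host=ED-WS-01 site=SITE-A
2012-03-01T08:10:00 login  user=nurse07 host=ED-WS-04 site=SITE-A
2012-03-01T08:25:00 login  user=clerk42 host=BILL-PC-9 site=SITE-B
2012-03-01T08:40:00 logout user=nurse07 host=ED-WS-04 site=SITE-A
2012-03-01T08:45:00 login  user=nurse07 host=ED-WS-05 site=SITE-A
2012-03-01T09:00:00 logout user=clerk42 host=ED-WS-01 site=SITE-A
2012-03-01T09:30:00 logout user=clerk42 host=BILL-PC-9 site=SITE-B
"""


def parse_line(line):
    """Parse one 'timestamp action key=value ...' record into a dict."""
    parts = line.split()
    rec = {"ts": datetime.fromisoformat(parts[0]), "action": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_concurrent_sessions(log_text):
    """Return (user, open_host, new_host, cross_site) for every login that
    begins while the same account still has a session open on a
    different host. cross_site is True when the two hosts' sites differ."""
    open_sessions = {}  # (user, host) -> site of that still-open session
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["host"])
        if rec["action"] == "logout":
            open_sessions.pop(key, None)
            continue
        for (user, host), site in open_sessions.items():
            if user == rec["user"] and host != rec["host"]:
                findings.append((user, host, rec["host"], site != rec["site"]))
        open_sessions[key] = rec["site"]
    return findings


if __name__ == "__main__":
    for user, h1, h2, cross in find_concurrent_sessions(SAMPLE_LOG):
        where = "different sites" if cross else "same site"
        print(f"{user}: session open on {h1} while logging in on {h2} ({where})")
```

A finding with cross_site set is the pattern the complaint describes and is the one worth routing to an investigation queue; same-site overlaps are often just an unlocked workstation and can be triaged separately.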

5. SOX

If you are a CEO, CFO or any other C-level executive (including the CIO, CTO and CISO), you won’t need to waste much time wondering whether you also fall under SOX. Since SOX was passed and the many high-profile corporate fraud cases that inspired it splashed across the headlines, more corporate officers have come under scrutiny by state and federal prosecutors than at any time in recent memory. The rub is that the CEO and CFO are the only corporate officers required to actually sign SOX-related documents stating that all is well with the company’s financials. Direct reports are all too often required by the CEO and CFO to sign “roll-up” documents that conclusively state that the financials (and the systems generating and protecting those financials) the CEO and CFO are signing off on are indeed accurate. What does that mean to the CISO? It means that financial data must be secured and cannot be accessed or tampered with. CISOs must ensure proper access controls and monitoring are in place to support the integrity of the financials. Those roll-up documents put the CIO and CISO on the hot seat right along with the CFO and CEO.
So, in the event of a SOX violation, instead of spending the night in bed with your spouse, you would be bunk bed buddies with the CIO, CFO or CEO in the federal slammer.

Based on a recent, in-depth study of SOX activities by Kathleen Wilhide, a research director with IDC, upwards of 90% of direct reports were being asked to sign roll-up statements.
I’m sure the people signing it are not thrilled about signing it, and I have heard that.
This means that you, the CIO and CISO, are now more likely than ever to find yourself in front of a judge. Since its passage in 2002 and the establishment that summer of the President’s Corporate Fraud Task Force (which handles all cases of corporate fraud), more than 693 fraud convictions or guilty pleas have been secured in 577 separate cases involving 1299 individuals.
According to the Securities and Exchange Commission (SEC), in the three years prior to the passage of SOX, the SEC (which does not bring criminal charges against corporations or individuals but civil actions) reported only 292 “Issuer Financial Disclosure Actions” (or, in layman’s terms, “creative accounting” actions). Since 2002, and the passage of SOX, that number jumped significantly to 490, a 40% increase.

While this increase cannot be directly linked to SOX, it is a safe bet that the two are related. In other words, the anti-fraud statutes already on the books are more than enough to bring charges against wayward corporate executives. So the question of the day for CIOs and CISOs, since they are ultimately responsible for the systems, infrastructure and security that generate and protect the financial reports the CFO and CEO sign off on, is what culpability they may share for another’s mistake or, worse, subterfuge. While no CIO or CISO has yet been implicated under SOX, ignorance, as the expression goes, is no excuse for breaking the law. With that being the case, it’s a safe bet that a trip down the hall to legal might be in order.

Without a doubt, the career path of any security professional climbing the corporate ladder into the mahogany office rows of the executive ivory tower is not without significant risk. Executives have fiduciary responsibilities, and the buck stops on their desks. Their decisions and actions affect the entire organization and, indirectly, the public. The legal aspects of data breaches are dangerous, as described for HIPAA and as potentially the case under SOX. The people involved go to jail and will ultimately implicate the executives in the wrongdoing; it is that simple.