Axing Boss Is Data Breach Response Last Resort

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Aug. 9 — Scapegoating the boss over a cybersecurity incident that compromises customer data or reveals unsavory internal communications usually isn't the first option in a breach response.

Data breaches may result in consumer class actions, organizational embarrassment, a drop in the price of a company's stock and brand reputation damage, but top executives generally get axed as a last resort, cybersecurity professionals told Bloomberg BNA.

The termination or resignation of a top executive in response to a data breach incident is “the exception, not the rule,” Leigh Nakanishi, senior vice president of Data Security and Privacy at public relations company Edelman, told Bloomberg BNA.

How an organization responds to data breach fallout depends on many factors, including the size of the organization and available resources, cause of the breach, initial incident response and the nature of the information that was leaked or compromised, privacy and cybersecurity professionals said.

timeline

DataGravity Inc. Chief Information Security Officer Andrew Hay said that a company executive may be more vulnerable to termination if doing so makes sense in a company's “risk equation.”

If an organization is expected to lose a significant number of customers as a result of a breach, firing an executive might mitigate the damage to the organization, Hay said. But if terminating an executive won't have a “material impact” on a company's business, it won't bother, he said.

The number of data breaches held steady at just over 780 reported incidents per year in 2014 and 2015, according to the Identity Theft Resource Center. Clearly, the heads of organizations weren't fired in each of those 780 incidents.

But as the former heads of Target Corp., Sony Pictures Entertainment Inc. and the Democratic National Committee can attest, if the potential stakes are high enough, the pressure to force their exit can become overwhelming.

Democratic National Committee Hack

Cybersecurity company CrowdStrike Inc. announced June 14 that hackers allegedly tied to the Russian government gained access to Democratic National Committee's (DNC) servers and secured research files on Republican presidential nominee Donald Trump (15 PVLR 1276, 6/20/16). Insiders reported that hackers may have also gained access to networks of Democratic nominee Hillary Clinton's campaign, law firms, lobbyist, consultants, foundations and think tanks (15 PVLR 1329, 6/27/16).

On July 22, three days before the start of the Democratic Party's national convention, nearly 20,000 DNC e-mails and related stolen documents were posted online by WikiLeaks. The e-mails and documents revealed, among other things, the DNC's internal discussions of the presidential campaign of Sen. Bernie Sanders (D-Vt.) and how the organization interacted with major donors.

In the resulting fallout, DNC Chairwoman Rep. Debbie Wasserman Schultz (D-Fla.) resigned on the eve of the Democratic convention in Philadelphia (15 PVLR 1566, 8/1/16). Additionally, DNC Chief Executive Officer Amy Dacey, Chief Financial Officer Brad Marshall and Communications Director Luis Miranda announced Aug. 2 they will resign from the organization. The DNC didn't respond to Bloomberg BNA's Aug. 8 request for confirmation of the resignations.

Meeting Expectations

The most important factor in an executive's post-data breach vulnerability is the type of information revealed, Nakanishi told Bloomberg BNA. Whether an executive was negligent or failed to meet minimum data security requirements and whether the initial incident response was properly executed are also important factors in deciding whether to sever ties with an organization leader, he said.

According to Hay, the size of an organization and its ability to recover from data breaches also influence whether termination of an executive is a viable option.

Larger organizations can handle the fallout and the change of leadership, Hay said. Larger companies can afford to “fall on the sword, apologize and hire people for damage control and to make sure it doesn't happen again,” he said.

Nakanishi said that “companies are judged on their responses to data breaches and communication is very important.” How a company responds to a data breach is “absolutely a part of protecting its reputation,” he said.

When dealing with a full-fledged crisis, at a certain point, it may become big and embarrassing enough that “somebody has to be held accountable,” Nakanishi said.

Reputational Harm

Despite the frequency of data breaches in the past few years, only few incidents escalated to become high-profile incidents, meriting a resignation or termination of an executive.

A common element among these high-profile data breaches is the reputational harm caused by the data breach.

For example, Target Corp. was hacked December 2013, during the height of the holiday season, significantly harming the retailer's reputation and fourth-quarter sales (13 PVLR 61, 1/13/14). Following a Senate inquiry that criticized Target's management for failing to react sooner to warnings, then-Target Chief Executive Officer Gregg Steinhafel resigned May 2014, after spending 35 years at the company (13 PVLR 834, 5/12/14).

The December 2014 Sony Pictures Entertainment Inc. hack (13 PVLR 2063, 12/8/14) leaked yet-to-be-released movies, employee information and private e-mails.

Then-Sony Co-Chairman Amy Pascal was one of the highest profile Sony executives whose e-mails were leaked, revealing her derogatory comments about President Barack Obama and famous Hollywood actors. As a result of the breach, Pascal resigned February 2015, after apologizing for the content of her e-mails.

The Target and Sony hacks resulted in executives resigning due to the reputational harm to the company caused by the leaked information. However, another data breach incident highlights how customer embarrassment may result in the termination of a company executive.

Hackers July 2015 infiltrated adultery website AshleyMadison.com and released information on more than 36 million users (14 PVLR 1564, 8/24/15). The data dump leaked full names, e-mail addresses, partial credit card data and other sensitive personal information, including dating and sexual preferences.

One month after the data breach, Noel Biderman, the CEO of Ashley Madison's parent company Avid Life Media, resigned. In a statement, the company said Biderman's resignation is “in the best interest of the company and allows us to continue to provide support to our members and dedicated employees.”

Chief Information Scapegoat Officer?

Following the resignation of its CEO, Target June 2014, hired the company's first chief information security officer (CISO) an effort to prevent another massive data breach. However, simply designating a CISO isn't the solution, Hay said.

There are so many types of CISOs and some companies are promoting people to the position “just to check the box” or use them as a scapegoat, Hay said. The smaller the organization, the more likely that the CISO will be a “Swiss army knife, instead of a spear with a pointy tip” leading the cybersecurity effort, Hay said.

According to a recent report by Bay Dynamics, more than half of information technology and security executives, including CISOs, will lose their jobs due to inadequate cybersecurity reporting (15 PVLR 1272, 6/20/16). The report highlighted the lack of communication between IT executives and boards.

Hay suggested separating executive roles for data storage and protection.

“Storage is nine-tenths of protection of privacy,” Hay said. Companies should create teams with “ownership” of data and place a team of executives, including the CISO and the chief data officer or chief risk officer, in charge of protecting that data.

Nakanishi agreed that the responsibility to prevent and respond to data breaches shouldn't fall just on the CISO. Companies should have a team of executives in charge of cybersecurity, each with different roles and responsibilities, he said.

With cybersecurity threats becoming a part of doing business, companies are increasingly preparing beforehand.

Historically, companies have approached public relations firms, such as Edelman, “later in the process when the reporters are calling” and the situation is becoming chaotic, Nakanishi said. Now, more companies are preparing for data breach responses in advance, he said.

“Cybersecurity risks are being recognized more. People now know how damaging to the company's reputation a data breach can be,” he said. Data breaches and having a plan to communicate with clients after such incidents have become “business issues,” Nakanishi said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.