High-profile data breaches and ongoing media attention on data security have resulted in some interesting developments in the practice of IT security. The recent consumer settlement following the Target breach set a precedent for large future breach resolutions in both the public and private sector. It establishes criteria to demonstrate harm, a process to make a claim, and defines what affected people are entitled to.
While the settlement can be considered a win for Target, in that it set the parameters under which people can collect damages, the fact that the class action approach resolved a major consumer data breach means more settlements of this type are likely. With that in mind, security becomes an executive- and board-level discussion.
This executive involvement is critical, as a recent survey found that 70% of respondents believe the CEO is ultimately responsible for data breaches. According to respondents, laws concerning data breaches should include:
- Fines (65%)
- Mandatory disclosure (68%)
- Compensation for affected consumers (55%)
The precedent set by the Target settlement, the consumer consensus that responsibility lies in the C-suite, and the expectation of fines and compensation clearly move the security discussion out of the server room and into the boardroom.