Cyber Security & Compliance   04/27/2016

CEO Responsibilities For Data Breach

By Todd Sexton

The job of a Chief Executive Officer (CEO) is becoming more difficult every year. Today, in addition to being strategic visionaries and leaders, most CEOs must deal with complex legal issues surrounding their organizations. Increasingly, they are being held personally responsible for mistakes made by their organizations. Security breaches are one of the fastest-growing legal issues facing many C-level executives.

Since there is no definitive way to prevent a security breach, each CEO must develop a plan of action to combat this issue in order to meet industry regulations. Preparation can not only prevent costly legal and financial issues but also ensure the longevity of their position. The immediate consequences of a security breach vary; however, the long-lasting effects are undeniable. A tarnished reputation often accompanies security breaches, which can lead to customer loss and a decline in stock price. According to industry research, 51% of customers will take their business elsewhere once their information has been breached.

In addition, the number of lawsuits often stemming from a single breach can be staggering. The Wall Street Journal reports Home Depot faces at least 44 civil suits resulting from the security breach which occurred in 2014.

Battling declining sales and fighting civil lawsuits is only part of the problem. C-level executives also have to face penalties and fines imposed by federal and state authorities for failure to protect sensitive customer data.

Despite high legal and financial stakes, as many as 61% of CEOs report they are not well prepared to deal with the consequences of security breaches. Many of them are not aware of the breaches their organizations have previously suffered.

When caught unprepared, C-level executives often have trouble holding on to their positions. Some of the more famous examples include Target’s CEO Gregg Steinhafel and CIO Beth Jacob, who were forced to resign by shareholders for not taking adequate steps to protect customers’ data. The CEO of HBGary, a high-tech security company, also had to resign after the hacker group Anonymous leaked emails stolen from the firm. Other examples come from financial companies: top executives at KB Financial Group, NongHyup Card, and Lotte Card had to step down to take responsibility for the security breach, which affected about 15 million people in South Korea.

As governmental security regulations grow increasingly stringent and consumers grow less tolerant of their data being exposed, senior executives must make data security a priority. They need to spend more time understanding security protocols, devise data breach response plans, and implement preventive measures to protect sensitive data. Policies must continually evolve, as governing regulations are expected to change rapidly to keep pace with emerging changes in cyber-criminal strategies.

All C-level executives need to be prepared to handle a potential security crisis with the help of IT, legal, and public relations (PR) teams. Taking rapid countermeasures and communicating openly about breaches are key factors in effectively managing the expectations of a company's shareholders and customers.


  • Becker's Hospital Review
  • Security Magazine
  • Threatpost
  • Wall Street Journal