Should security providers be held liable for data breaches?

Black Hat Asia ended with a discussion started by Black Hat founder Jeff Moss on if security providers, should be held liable for data breaches, because of the critical data they claim to "secure". The recent number of hacking incidents everywhere have made this a widespread issue and security professionals worldwide have voiced their opinions.

"We’re in the midst of a dramatic shift in the scale and motivations behind cyber-attacks. According tothe Symantec Internet security Threat Report, 2014 was the year of the mega-breach – attacks reached a new scale of damage. In fact, cybersecurity has been included in the World Economic Forum’s Global RiskReport as one of the Top 10 most likely risks for two years running" said Mr. Tarun Kaura, Director – Technology Sales, India, Symantec

"It's easy to pass the buck. Businesses that suffer data breach incidents or network intrusions can act in haste and put the blame on firewall providers while citing some help from regulatory norms. However, the irony is that both data security laws as well as IT and network security practices at many organizations have not been able to keep up with the pace of evolving technology and attack methods. Unfortunately, it often takes a highly exposed event of gross misconduct to shake up the law makers or regulatory bodies into legislating measures that address the gap. 2013 witnessed a spate of data breach incidents at world's leading businesses, retail giants and other huge corporations. Their IT, network infrastructure and data centers were apparently put inside some digital fortress. One can always argue saying "what happened to all those next-generation firewalls or advanced sand-boxes?" said Mr. Sunil Sharma, VP Sales & Operations, India & SAARC, Cyberoam

"However, the fact remains that surviving continued blitzkrieg of disruptive technologies requires adequate awareness of security. But we can draw from eye opening evidence that reality is different from what's needed. The Target breach and recent massive hacks into Sony and the US Central Command (CENTCOM), and just about every other major attack are corroborating that poor security awareness is costing organizations a lot of money and reputation. Hence pointing the finger at network or cyber security solution providers is not going to suffice and perhaps remains a biased view." continued Sunil

"The liability and onus of protecting networks, users, applications and data also must be shouldered by those who are entrusted to act as guardians.Many security surveys and findings from breach investigations reveal that businesses lack understanding on baseline security needs and do not have adequate visibility or tab on user activities and network events. Today's organizations are big data companies and there's a need to revisit security posture and fill security gaps. Focus on security should not be limited to external threats alone but also on the latent risks that can come from insiders, i.e. users." added Sunil

"At the same time, if a security solution provider fails to act despite possessing the knowledge about gaps in its products or solutions must be penalized, for any breach that arises due to such negligence is to the detriment of business and sensitive data. Notwithstanding the fact that most security providers remain diligent in enabling timely patches, advisory, threat intelligence and other crucial inputs, it is for organizations to ensure that there's no Achilles' heel in their network or IT infrastructure. This remains key in thriving with confidence while embracing a bold new change amidst digital anarchy." elaborated Sunil.

"In most cases, the breaches are caused because of theft by an employee's authorized access to sensitive information or because the data owner was careless with information security. There are many cases where breaches occurred outside a company's computer network, with lost or stolen laptops, discs, flash drives, and other portable storage devices. In fact, there are many cases of data breaches which do not involve digitized data at all, but occurred because of improper disposal of paper records. For any company experiencing costly a data breach, it is obvious that it will evaluate whether their security company can be held responsible for the mishap." said Rajat Mohanty, CEO of Paladion Netwroks

"To determine who is responsible for the breach one must first understand that Information security involves a security product and a managed security service. If an organization has purchased a solution such as a Security Information and Event Management (SIEM) tool, the creator of the software cannot be held liable in the event of a breach because the product could be handled by in-house security analysts. If a particular event alert was missed or if the SIEM was not configured properly, the manufacturer cannot be held responsible for it. With a product, it is all about how you utilize the features it provides.

A managed security service provider (MSSP), where an information security company such as Paladion is managing the security posture of the enterprise, is involved in maintaining the security products of the organization or uses their own to protect the organization. An MSSP can be held liable if there is a breach if it was an oversight or error by their security analysts that caused the breach. Liability would depend on the service contract that was drawn between the company and the service provider. An outcome based contract will have SLAs and liabilities that commensurate to the value, but a normal manpower based contract will not have this.Paladion provides outcome based information security services and has such contracts with several companies where penalties are defined in case of breaches." added Rajat