Following the news that a lawsuit filed in Federal District Court in San Jose accuses Yahoo of gross negligence in connection with a 2014 breach in which data was stolen from more than 500 million users, security experts from Tripwire commented below.
Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire:
“Financial loss is absolutely a motivator for organizations to implement stronger security controls. A successful civil suit, with material damages, will cause other organizations to take notice and work to avoid the same culpability. Compliance regulations and the associated audits are simply a forcing function to make financial loss predictable through fines. When a government or regulatory organization doesn’t think its members are meeting their obligations around information security, a compliance structure can serve to push them forward in a more predictable way than waiting for a breach or incident.”
Craig Young, Security Researcher at Tripwire:
“There are several components that must be considered before labeling a company as acting with gross negligence surrounding a breach.
At a high level, we can break an organization’s behavior into how they behaved prior to the breach, during the breach, and after the breach was discovered. It is natural to expect organizations to do everything they can to prevent breaches, but it is unreasonable to expect that any computer network can be made impenetrable in the face of a well-resourced and determined attacker. At present there is no definitive answer as to the absolute best way to secure a business, but there are various regulations from governments as well as industry groups detailing baseline security levels. If an organization is appropriately following these guidelines, it would be difficult to consider them as having been grossly negligent, but it is perfectly reasonable to ask if these policies are enough moving forward.
Businesses should always anticipate that a breach may be possible and put safeguards in place to limit the damage an attacker can do once inside the network. In my opinion, the actions of an organization during a breach are generally more important than what was done to prevent the breach. Ultimately, it should be much easier to detect and shut down an active breach than it is to prevent one. Unfortunately, it is pretty normal that attackers can keep their breach under the radar for 6 months, or even years, before being thrown out. When evaluating if negligence occurred, it is important to look at how long the breach went undetected and whether it should have been possible to react sooner using industry best practices.
The final stage of breach handling is, of course, the incident response. It is important to evaluate how quickly the attackers were ousted, whether the organization is able to account for what the attackers may have accessed within the network, and the timeliness and transparency with which the organization notifies those who may be impacted by the breach. If an organization delays notifications, or is unable to provide clear information to those affected, this should certainly weigh heavily toward a determination of gross negligence. Depending on operating locations, there are likely many regulations pertaining to breach notifications and this is an area which is certainly more black and white than questions about whether general security policies were sufficient.
In the end, however, I expect that if civil litigation after a breach event becomes more common, CISOs and others in charge of risk management will factor this into the equations used to determine how much will be spent on security.”