In today's digital world, hardly a week goes by without headlines about a major company suffering a massive data breach that exposes millions of customer records. The first half of 2021 alone saw more than 118.6 million people affected by data breaches, leaks, and exposures, already 38% of the figure for all of 2020. As networks grow harder to secure and the data stored in the cloud becomes increasingly valuable, the cost of a breach keeps rising.

Cybersecurity professionals and IT experts can't stop attackers from trying, but breaches happen when the steps needed to protect data aren't taken. When one does, a common question from the affected parties is who should take responsibility for it.

What Does the Law State?

Unfortunately, the legal provisions governing data breaches aren't detailed. Apart from the laws that require businesses to disclose breaches to affected customers, very few provisions say who should be held responsible for one.

Under the current provisions, the organization that collects and owns user data (the data owner) is held responsible for a breach and must pay any fees or fines resulting from legal action. Organizations that merely store that data on its behalf, such as cloud storage providers (data holders), are generally not held legally responsible; if a breach occurs, the holder's obligation is to notify the data owner. This split is not universal, though: under the GDPR, for example, a processor that stores data on behalf of a controller has obligations of its own and can be held liable for damage it causes.

How much liability a data owner carries depends on the measures it took to safeguard the data. If an organization fails to control who can access its network, or doesn't encrypt user data, it bears full responsibility for the damage a breach causes. Organizations also bear responsibility for failing to inform affected customers of a breach.

Nonetheless, most data privacy laws around the world treat breaches similarly. For instance, the European Union's GDPR and Japan's APPI both require businesses to take stringent measures to safeguard customer data and to inform customers of a breach.

Who Should Be Blamed for Data Breaches?

Even though the law isn't clear, the parties below can each bear the blame, depending on the situation.

  1. CEOs and Business Managers

If a business doesn't budget enough for cybersecurity measures such as data encryption, responsibility for a breach often falls on whoever makes the company's financial decisions. This includes business managers, departmental heads, and CEOs. A recent survey of IT professionals found that 39% of them believe the CEO should take primary responsibility when a massive breach occurs.

62% of the participants also believe that CEOs and company boards should know the company's policies on data breaches. In most situations, holding the CEO accountable makes sense: the CEO sets the company's technology direction and decides how it addresses cybersecurity threats.

This is why several CEOs have stepped down after large-scale cyberattacks. Target's CEO, for instance, resigned in 2014 after the company's late-2013 breach exposed more than 40 million debit and credit card numbers.

  2. Data Security Operations Personnel

The security staff who run your day-to-day IT operations can also make mistakes that lead to serious breaches. A 2014 report found that 95% of cybersecurity incidents involve human error. Often, the people tasked with supporting and maintaining security systems aren't adequately qualified, so hiring competent, well-trained personnel to run upgrades and apply patches is crucial.

  3. Chief Information Security Officers

If your company suffers a breach despite spending enough on defenses, the chief information security officer (CISO) is to blame. A 2017 survey found that 21% of security professionals would hold their CISO responsible if a breach occurred.

The CISO should take the blame when the security team fails to detect and contain a breach, because the CISO is responsible for keeping the company's security technology updated and performing as intended. If the breach resulted from poor monitoring or maintenance, responsibility rests with the CISO.

  4. Third-Party Vendors

Many businesses overlook the fact that third-party vendors, partners, and suppliers also pose significant cybersecurity risk. One survey found that 63% of recent breaches originated from third-party access. As companies increasingly hire contractors rather than full-time employees to cut costs, each new vendor with access widens the attack surface. Any vendor that holds credentials or a network path into your environment is effectively part of your security perimeter, and its access should be scoped to what it needs, time-limited, and logged.

  5. Customers

Although this argument is unpopular, some IT experts place responsibility for breaches on customers. By this reasoning, customers willingly hand their information to companies, so before doing so they should satisfy themselves that the company maintains strong security standards.

Final Words

Preventing a data breach is a responsibility everyone in the organization shares. The debate over who should take the blame won't end soon, but organizations should take appropriate measures now to reduce the likelihood and impact of a breach.