2020 – The Year of Cyberattacks
As everyone knows, the year 2020 brought with it significant difficulties. Most notably, the coronavirus pandemic forced millions of people into self-isolation, unable to leave their homes. Consequently, individuals began working from home, relying almost completely on digital technology. Though this transition allowed 80 percent of economic sectors to function seemingly normally, the move to an almost entirely digital world created a hotbed for cybercriminals.1
Some of the higher-profile cyberattacks include several phishing scams directed at the World Health Organization (WHO) and the Twitter hack that breached the accounts of many popular celebrities like Joe Biden, Elon Musk, Jeff Bezos, Kanye West, and Kim Kardashian.2 In fact, one of the most trusted cybersecurity firms in the country, FireEye, faced a massive security attack.3
Unsurprisingly, according to Risk Based Security, 2020 was the “worst year on record” for data breaches with approximately 36 billion records exposed.4 With this major increase in data breaches and cybercrimes, many are quick to place the blame on various actors, such as data owners, data holders, technology creators, IT staff, or company executives. However, in reality, it is difficult to accurately assign liability for data breaches.
Current data breach laws dictate that data owners, most likely the organization that collected or purchased the data, are liable for data breaches.5 Although the entity storing the data can face public scrutiny for breaches, it ultimately cannot be held legally responsible.6 Yet, within the sphere of the data-owning entity, it is unclear which actors in the organization can actually be held liable.
Normally, a data owner’s accountability depends on the number and types of safeguards it utilizes to protect its users’ data.7 Common safeguards companies employ to protect data are encrypting user data and barring outside access to company networks.8 In a majority of organizations, the IT department is charged with instituting these types of safeguards.9 Therefore, if IT staff fail to properly protect data, they are the first people to point the finger at.
Nonetheless, CEOs and other high-level executives typically accept the blame for data breaches.10 This is so because unsecured data is usually not the fault of the IT department but is instead due to the lack of funds necessary to properly protect data.11 Since executives head budgeting and allocation of funds, it is only fitting for them to accept legal responsibility and pay back the appropriate amount in damages.12
Many also seek to place blame on the creators of the software or hardware that was breached. The Cyberspace Solarium Commission report released by Congress even recommended passing a law that would hold creators of software or hardware legally responsible for all “unpatched vulnerabilities.”13 Practically, however, it makes more sense to hold assemblers to minimum security standards, for which they will be held liable if they do not meet them, while placing the rest of the security burden on the company using the firmware.14 In this way, entities that fail to take adequate security measures cannot escape liability simply because the programs they use have some inescapable vulnerabilities.15
Although blame for data breaches can be passed to many different actors, the best course of action is to stop cyberattacks before they come. Since remote work relying almost exclusively on digital technology is likely to persist for the foreseeable future, companies must allocate adequate resources to protect their data and networks from attacks. This includes hiring more IT and cybersecurity staff as well as training employees on proper security procedures.
See Dan Lohrmann, 2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic, Government Technology (Dec. 12, 2020), https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html [https://perma.cc/M9VT-CTYD].
Lohrmann, supra note 1; Kate Conger & Nathaniel Popper, How an Online Attack ‘Brought Twitter to Its Knees’, N.Y. Times (Nov. 23, 2020), https://nyti.ms/3kOvxT0 [https://perma.cc/C4AX-6839].
See David E. Sanger & Nicole Perlroth, FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State, N.Y. Times (Dec. 8, 2020), https://nyti.ms/3oDEvF5 [https://perma.cc/HF4E-RSY3].
Lohrmann, supra note 1.
See Kayla Matthews, Who’s Financially Responsible for Cybersecurity Breaches?, Security Boulevard (Sept. 17, 2019), https://securityboulevard.com/2019/09/whos-financially-responsible-for-cybersecurity-breaches/ [https://perma.cc/XU3T-6UJQ].
Chris Wysopal, Determining Liability For Security Breaches Isn’t Black And White, Forbes (May 26, 2020, 7:15AM), https://www.forbes.com/sites/forbestechcouncil/2020/05/26/determining-liability-for-security-breaches-isnt-black-and-white/?sh=61940aecaf75 [https://perma.cc/D44C-6ZU7].