Are companies sufficiently held accountable for data leaks caused by ransomware attacks?
Founder and CIO, Self-employed
Companies have to be held accountable in the event of a data leak, especially if it's personal data. If it's their own company data, then they're already losing, but if it's other people's personal data, then they need to be held accountable for that.CISO in Software, 51 - 200 employees
I cringe every time I go to my tax accountant, because he has this old Dell computer with a zip drive attached to it. And I just hope that my data isn't on that zip disk somewhere. But in recent years, he's been filing it online, so I feel better that my data is somewhere else and not sitting on his shelf with the tax returns of all his other clients. There should be an equivalent of HIPAA violations for tax accountants too because I can break into his office and get everybody's tax records.I sit in CISO roundtables at least once a day, and everybody's talking about frameworks to follow. That's important, but it's just another checkbox. I continue to have these conversations and see more companies get hit. I work for a preventative ransomware company, and the companies we're talking to have to follow very strict compliance. They're financial companies, manufacturers, and pharmaceutical companies who are losing the battle.
But lots of companies are recovering from ransomware. It's not affecting them. If they have a huge data breach, they're fine in a couple months, so who cares?
It's interesting because some of these companies are huge and it's not public news that they were attacked. They won't tell you that they got hit, but you can hear the desperation in their voice when they say, "We don't want our pipeline or manufacturing site to go down because every day it's down, we lose 5 million."
Director, Information Security in Education, 1,001 - 5,000 employees
I don't believe so, and not just in the case of ransomware. T-Mobile is a good example. If I am remembering things correctly, they've disclosed *at least* one breach every year for the last few years. This is ridiculous and should not be accepted. It seems that laws around security place a much higher focus on making hacking extra illegal, which doesn't really do much when threat actors are either outside of US Jurisdiction or that of a country with relevant treaties with the US, or they are in such a location but have good enough OPSEC to avoid getting caught. Making an illegal act even more illegal clearly isn't deterring them, but this seems to be the general way things go.There needs to be more focus on holding data holders accountable for reasonable protections. T-Mobile should not be suffering yearly breaches and only suffer some negative press and having to offer free credit monitoring--something that is already available freely from nearly every bank and credit card company. Experian and Equifax collecting data on hundreds of millions of people without any way to opt out should not be able to skate away with offering a "free monitoring" service for the data they clearly failed to protect. Substantial fines--that cost more than the savings from not implementing security controls--and oversight are probably necessary.
Director of IT in Software, 201 - 500 employees
They should be but they aren't, especially PII are leaked.I see a lot of companies rely on cyber insurance to pay the ransom or cover the cost from a breach but if my data is affected there has to be some penalty. I think the laws should be stricter and any PII should be taken seriously and we need to have regulations that will protect PII like HIPPA is doing in the medical field.
Executive Architect in Healthcare and Biotech, 10,001+ employees
Most companies are not being held accountable. Where I have been subject to breaches at credit card issuers and retailers, the settlement usually involves a one-year membership to an identity breach monitoring service, with much of the "penalty" directed to legal representation.As Ajet pointed out, healthcare is the exception thanks to the teeth in laws protecting personal health information. Both providers and payers have been rightfully hit with hefty fines for breaches, and I have observed real improvements in their data privacy protection practices over the last 10 years.
Content you might like
Yes29%
We are currently exploring process mining.45%
No24%
Other (please comment)0%
405 PARTICIPANTS
Slow recovery response times33%
Data availability is limited49%
Too expensive to scale effectively53%
Difficult to manage for widespread use38%
Prone to misconfiguration12%
No - There are no drawbacks6%
581 PARTICIPANTS
Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Our quickest spend reduction came from end point standardization and the narrowing of standard equipment to a menu of options. A standard replacement scheduled was implemented allowing a reliable prediction of endpoint costs. ...read moreCTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.Director of IT in Healthcare and Biotech, 501 - 1,000 employees
Overall fit of the provider's services is key in any recommendation when selecting one of the big 3 clouds for any organization. Multi-cloud is significantly more difficult than most companies realize, and selecting a ...read more