By Herman Weasleigh, PhD
December 3, 2020, 3:30pm EDT
WASHINGTON-- The public is fed up. As evidence, Sen. Elizabeth Warren has sponsored a bill that proposes criminal liability for any corporate executive who engages in "negligent oversight of a company causing severe harm to U.S. families."
This bill proposes jail time for executives of companies that fail to protect consumers from certain kinds of data breaches. “For far too long,” says Warren, “CEOs of corporations that break the law have been able to walk away, while consumers who are harmed are left picking up the pieces.”
The bill is dubbed the Corporate Executive Accountability Act. Under the Act, leaders of companies can be punished with up to a year in jail for damages. The driving force behind the proposed Act is the way the physical world has become more and more attached to the Internet through self-driving cars, airline navigation systems and oil pipelines. As a result, cyber-attacks will result in greater physical injury, death, destruction of property and environmental disasters.
Clearly, damage from cyberattacks is no longer measured only in dollars and cents. "In some ways," says Thomas View, "the Colonial Pipeline attack got our attention in a way that others have not." View is a managing director at TEMVI, PLLC, a cyber security law firm specializing in cyber risk. View put it bluntly: "The people living near the pipeline should be thankful that the attackers just wanted a money ransom. While gas prices spiked to four dollars a gallon, the damage was measured only in money. If the hackers possessed a terrorist intention, they could have incinerated the pipeline." Such a deed could have had obvious and disastrous short-term physical and environmental effects. As well, the economic impact on the world economy would be felt for years to come.
"Financially motivated attacks quietly happen every day," says celebrated litigator and TEMVI managing director Donald Temple. "Financially motivated cyberattacks don't usually attract much press. The public will only feel so much identification and sympathy for a big corporation's loss of money. Also remember--in a ransomware attack--neither the victim nor the attacker wants to make the attack public." Typically, in ransomware attacks, silence--on the part of both the victims and attacker--is a desirable outcome. Temple goes on to explain that, in contrast, when the attacks have effects in the physical world, people pay attention.
"Terroristic actions are designed to create mass hysteria. People pay attention when they or a loved one may be injured or killed. And it follows that death and destruction will be widely covered in the press. As a result, the public has greater knowledge and fear of a cyberattack connected to physical infrastructure." Also, Temple reminds us, effects of a cyberattack resulting in death or bodily injury will be felt more deeply in courtrooms.
"Judges and juries want to punish particularly negligent CEOs where people are harmed. Judges will also seek to pierce the corporate veil (i.e., hold the CEOs personally liable) under a theory of gross negligence when people are injured. Physical injury is not limited to industrial or manufacturing environments.
All businesses must keep employees physically safe. Typically, this is done using security systems that operate or are monitored through the Internet." Attacks on cyber-physical systems have political effects as well. Temple continues, "Voters are pressing lawmakers to pass laws holding grossly negligent CEOs criminally liable when the attack results in death or bodily injury."
Gartner, a global advisory and technology research firm, indicates that the trend toward CEO personal criminal liability is gaining momentum. According to Gartner, liability for cyber-physical security incidents will rise to 75% of CEOs who negligently manage IT systems by 2024. Due to the nature of cyber-physical systems, incidents can quickly lead to physical injury, destruction of property or environmental disasters. Gartner analysts predict that cyber-physical systems incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets.
Bruce Hargrave, TEMVI managing director and CISSP with 30 years of serving companies like Northrop Grumman and Toshiba, offers his perspective. "CEOs are typically used to treating cyber security as an afterthought or something in the domain of the technical staff only," he adds. "Often leadership doesn’t see how cybersecurity is--first and foremost--an executive management function. The CEO has as much responsibility for securing data as he or she has to secure any other critical asset like money, intellectual property, trade secrets or the safety of human resources."
“Regulators and governments are expected to react promptly to an increase in serious incidents resulting from failure to secure cyber-physical systems. Expect to see drastically increasing rules and regulations governing these systems,” said Katel Thielemann, research vice president at Gartner. “In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
Gartner predicts that the financial impact of cyber-physical systems attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the actual value of a human life into the equation, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. “Technology leaders need to help CEOs understand the risks that cyber-physical systems incidents represent and need to dedicate their focus and budgets to securing them,” said Thielemann. “The more connected [to the Internet] cyber-physical systems are, the higher the likelihood of an incident occurring.” With smart buildings, smart cities, robotic manufacturing and autonomous vehicles on the street right now, incidents in the digital world will have a much greater effect in the physical world.
"The wise CEO," says Temple, "will get ahead of the wave of litigation and learn what he or she needs to do to protect their reputation, assets, and freedom."
Ayan View contributed to this story
Copyright 2021 TEMVI, PLLC All Rights Reserved