Who’s liable if a company provides inadequate security for customer information on its website?
“CEO Out at Hacked Infidelity Website,” The Wall Street Journal, August 29-30, 2015 B4. The CEO at the parent of Ashley Madison steps down after the site’s customer data was hacked and posted.
And expect lawsuits from the customers, some of whom have been blackmailed. And from the estates of the people who committed suicide linked to the hack. And a derivative action by shareholders alleging the directors of the Canadian company failed to provide adequate cybersecurity, as with Target and Sony. And an action by the FTC against the US operations.
Do you have insurance for this? Even if the initial hack were a criminal act, do you still have exposure? Will there be a company (or assets) left?
When you (as a director or CEO or CIO) have a duty to protect the information assets entrusted to your company, what happens if you breach that duty?