According to a new survey of 1,000 nationally representative UK respondents (aged 16+), conducted by Censuswide on behalf of International Cyber Expo, nearly one in five (19%) individuals across the UK believe the person(s) who allowed the initial entry (for example by falling for phishing or through poor security practices) should be held most responsible and face the harshest penalty in the event of a data breach at an organisation.
Remarkably, of these individuals, over a third (34%) consider prison to be the most suitable punishment for a data breach.
Granted, a higher proportion of the population (29%) think the cybercriminals who exploited the organisation’s vulnerabilities should be held most responsible.
Yet, historically, most cyber crimes go unreported and cybercriminals are rarely convicted. Indeed, the Crime Survey for England and Wales (CSEW) for the year ending March 2023 estimates there were 745,000 computer misuse offences; however, the National Fraud Intelligence Bureau (NFIB) revealed that, for the same year, only 26,024 offences were referred to police for further investigation. In other words, referrals to police covered a mere 3.5% of estimated offences.
What's more, there were only 208 proceedings in 2022 for computer-related crimes, including those under the Computer Misuse Act 1990.
When asked who should be responsible for financially compensating the victims of a data breach (i.e. the affected individuals, not the corporation), 35% believe it should be the perpetrators, followed by the Courts through compensation orders (26%) and the Treasury through Proceeds of Crime procedures (20%).
However, each of these routes requires a clear determination of the offender, which, as the figures above show, is rarely achieved for cybercrime.
International Cyber Expo’s Advisory Council member, Flavia Kenyon, Barrister at The 36 Group, comments: “It is imperative that cyber laws and regulations continuously adapt to keep up with technological innovation, so that they are fit for purpose in order to ensure clarity, effective compliance, and enforcement.
The current legal framework is fragmented, and in the absence of an overarching cybersecurity legislation, there is a raft of acts and regulations. The Computer Misuse Act 1990, the main act that criminalises unauthorised access to computers, the so-called ‘hacking offences’, is often enforced in conjunction with the Data Protection Act 2018, and even with the Fraud Act 2006, and the Proceeds of Crime Act 2002 to punish those responsible for cyber-attacks, enable asset-tracing and compensate victims.
Additionally, there are mandatory duties (including directors’ duties under the Companies Act 2006) that trigger civil liability and fines for non-compliance under the DPA 2018, the UK-GDPR, NIS Regulations (Network and Information Security Regulations 2018), and the latest Telecommunications (Security) Act 2021, the latter expected to be fully implemented in 2024.
Time will tell if this legal framework can deliver on ensuring protection of our most critical digital infrastructure and of our most-pressured asset, data.
When it comes to liability and enforcement, it is important to distinguish software developers, who purely develop the code underlying open-source protocols, from third parties who use the protocol to cause harm and/or loss, and from those who provide, operate, and control the network, and benefit from it financially.”
Apart from the cybercriminals themselves and the individuals who allowed initial entry, 18% of survey respondents believe the CEO or board members of software providers (e.g. video conferencing tools, cloud file storage etc.) should be held most responsible for not providing secure products and updates.
A further 15% hold the CEO or board members of the targeted organisation most responsible, and 14% the CEO or board members of cybersecurity providers.
This is interesting in light of the White House’s recently announced National Cybersecurity Strategy, which endeavours to shift the liability for insecure software products and services to the entities making them.
Meanwhile, 16% of respondents maintain that the cybersecurity team of the targeted organisation should be the ones held most responsible, which may add to fears among CISOs of personal liability.
Other key findings:
As many as 21% of respondents assert that no one should be held most responsible or face the harshest penalty for a data breach at an organisation, and 14% maintain that nobody should be responsible for financially compensating victims either.
Over a fifth of all respondents (22%) consider prison to be the most suitable punishment for a data breach; this was the most common answer, ahead of a monetary fine (15%).
Other punishments for a data breach deemed suitable include: Termination/Redundancy (9%), Civil Action/Lawsuit (9%), More Security Awareness Training (7%), Community Service (5%) and Public Shaming, e.g. being called out on social media (4%).
Other parties deemed responsible for financially compensating victims of a data breach include: the government (20%), victim organisation shareholders (20%), the victim organisation (19%), and the police through community payback (12%).
14% of respondents believe the software developers behind cybersecurity solutions should face the harshest penalty in the event of a data breach at an organisation. This is followed by software developers behind computer applications (e.g. video conferencing tools, cloud file storage etc.) and the training provider responsible for the target organisation’s staff awareness (8%).
To hear from leading experts in cyber security on the latest industry trends, research, predictions and more, be sure to attend International Cyber Expo held on the 26th and 27th of September 2023 at London Olympia.
To register for FREE as a visitor: https://ice-2023.reg.buzz/eskenzi