
Can Encryption Save Execs from Blame in Breaches? [Ask Infosec Pros]

July 23, 2019 | David Bisson

Organizations worldwide continue to struggle with responding to data breaches in a timely manner. Per IBM’s 2018 Cost of a Data Breach Study, an organization took an average of 174 days to identify an instance of human error and 57 days to contain it. The numbers were even greater for system glitches (177 days to detect and 60 days to contain) and malicious attacks (221 days to spot and 81 days to resolve).

Such long discovery times give digital attackers ample opportunity to move laterally on the network, compromise critical assets and exfiltrate sensitive data. It’s thus no wonder that many security incidents end up costing organizations as much as $157 to repair each breached record. Given that the average 2018 incident in the United States exposed 31,465 records, data breaches involving criminal attacks can easily cost U.S. organizations millions of dollars, not to mention expose thousands if not millions of consumers to identity thieves.


The Corporate Executive Accountability Act

Many of us have grown weary of the ceaseless stream of news headlines announcing data breaches. Among them is Elizabeth Warren, a U.S. Senator from Massachusetts who feels that the buck stops in the boardroom and in the CEO’s office. It’s with this viewpoint in mind that Sen. Warren crafted S. 1010: The Corporate Executive Accountability Act.


Introduced in April 2019, the Corporate Executive Accountability Act seeks to amend Part I of Title 18 of the United States Code with an additional chapter on executive officer negligence. The new chapter specifically states that executives at covered corporations could face fines and even jail time if they permit, or fail to prevent, a violation that affects the “health, safety, finances, or personal data” of at least one percent of the population of the United States or of their state. A data breach would therefore constitute such a violation.


The purpose of the Act is to use the threat of criminal liability to compel executives to take greater responsibility for their organizations’ digital security. But that raises the question: does the Act carry enough compulsory power to bring about such a change?


Sam Bocetta, an independent journalist, doesn’t think so. He takes issue with the notion that “the top boss should pay a personal price when things go wrong inside a sprawling corporate entity.”


“Let’s transfer the scenario to a different environment, say FedEx. When a driver in Smalltown, USA blows a stop sign because he’s texting, then flattens a cat, plows through a rose garden and lands in a swimming pool in the resulting sequence of events, does [FedEx CEO] Frederick W. Smith expect to be hauled off in chains from behind his fancy desk that very afternoon? Perhaps not if he’s taken what a reasonable human being interprets to be proper precautions like maintaining the truck fleet to a good mechanical standard, screening drivers to weed out the whackos and malcontents and most importantly carrying lots of insurance for this kind of thing.” 


Those reservations aside, other security professionals are more optimistic about the legislation. Digital security writer Tassos Arampatzis feels that the legislation “is certainly another positive step towards achieving a more secure corporate world and raising both the awareness and trust of end customers.” Along those same lines, digital security writer Kim Crawley feels that the threat of a penalty could compel more C-suite executives to enforce good security policy and invest in robust digital security controls.

One Security Control in Particular…

Crawley specifically extols the importance of organizations investing in encryption:


“Encryption is obviously crucial when it comes to protecting data from cyberattacks. If better cryptographic implementation can be a means of determining that someone within an organization other than an executive is responsible for a data breach or cyberattack, that's good. If executives are motivated to improve their organization's cryptography because they'd be less likely to be blamed for problems, that's fine by me, too.”


Hywel Curtis, experienced communications consultant and content strategist, notes that using encryption can help ensure that “some of the data will still be protected and customers will be kept safe.” But not everyone feels that encryption can do enough to protect organizations in the face of a data breach. Among them is Bob Covello, A.V.P. and IT Security Director at the Navigators Group, Inc.


“Encryption will not solve anything in the case of a data breach facilitated through a phishing attack,” notes Covello. “If account credentials are harvested, then encryption is a moot point. Without other controls, such as multi-factor authentication, a person with a valid password is a trusted insider, with access to the decryption keys of the data of whomever is being impersonated.”

Ian Thornton-Trump, security head at AMTrust Europe, takes an even more critical stance against encryption in the context of the Corporate Executive Accountability Act. He feels encryption would not help organizations save their executives the blame for a successful data breach. He also believes that Sen. Warren’s proposal would die in Congress or in the courts unless the U.S. government finally agreed to enact a federal privacy law.

A Way Forward

It’s unclear whether the Corporate Executive Accountability Act will ever see the light of day as law. But perhaps it doesn’t need to. From the entry-level analyst to the CISO, corporate information security departments can and should take the lead in calling for greater executive involvement and investment in data breach prevention. Part of this effort should consist of implementing basic security controls like encryption and defending all machine identities against misuse. Learn how Venafi can help in that regard.




About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM’s Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
