Who in your organization governs information Security?
The employees in your organization who oversee Cyber security or any type of organizational wide security needs to be C-Level Suite or above, CEO, Owner, and or Board of Directors. Cyber crime is a strategic threat to any organization in the world. This threat is so menacing, the duty of senior executives has to deal with the issue, rather than leaving it to the responsibility to an IT professional or technical personnel. In August of 2015 a U.S. appellate court ruled that the Federal Trade Commission has the authority to sue Wyndham Hotels for allowing hackers to steal more than 600,000 customers’ data from its computer systems in 2008 and 2009.
Part of the court ruling reads: “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,”
Chris Hoofngale professor at the University of California, Berkeley who teaches information privacy law, computer crime law, regulation of online privacy, and internet law says this about the ruling “The law has always imposed responsibility on companies for the care of their customers. When you’re in the restaurant you have to be protected against slips and falls or food-borne illness,” says Hoofnagle. “Data is just something new that companies have to protect if they want to bear the benefits of collecting it.”
The courts are now involved. You collect and store data, you are responsible for keeping it safe, Period. Top level management has to be actively involved.