Who has Liability for the hack of your customers' data?

You, your credit card provider, the accounting company? Under the Doctrine of Downstream Liability, an organization that contributes by negligence to the reckless endangerment of others can be held responsible (Hallberg, Kabay, Robertson, & Hutt, 2014). For example, if a retail store chain is hacked because it has not implemented security patch updates, and that retail chain's network is then used to launch an attack on the credit card company, the credit card company could hold the retail chain liable for contributory negligence because the retail chain put the credit card company at risk.

The impact on designing a cybersecurity policy is that an organization must include policies for host and network scanning of not just incoming traffic, but outgoing traffic as well (Bace & Sinchak, 2014). This helps ensure that the organization's systems are not causing harm downstream. Additionally, following all industry best practices of cybersecurity will enable an organization to prove that it has done everything reasonably possible to prevent further attacks from spreading; in other words, due diligence of care.
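As an added example (not from this post or its references), the following Python script applies the outgoing-traffic scanning idea from a defender's side: it reads constructed outbound firewall log lines, assumes 10.0.0.0/8 is the internal network, and flags internal hosts that fan out to many distinct external hosts within a short window, the pattern a compromised network would show while being used against a downstream party.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed outbound firewall log lines (assumed format):
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.5.20 -> 203.0.113.10:443
2024-05-01T10:00:02 10.0.5.20 -> 203.0.113.11:443
2024-05-01T10:00:03 10.0.5.20 -> 203.0.113.12:443
2024-05-01T10:00:04 10.0.5.20 -> 203.0.113.13:443
2024-05-01T10:00:05 10.0.5.20 -> 203.0.113.14:443
2024-05-01T10:00:01 10.0.5.30 -> 203.0.113.10:443
2024-05-01T10:00:20 10.0.5.30 -> 203.0.113.11:443
2024-05-01T10:00:00 10.0.5.50 -> 198.51.100.1:25
2024-05-01T10:02:00 10.0.5.50 -> 198.51.100.2:25
2024-05-01T10:04:00 10.0.5.50 -> 198.51.100.3:25
2024-05-01T10:06:00 10.0.5.50 -> 198.51.100.4:25
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address plan
WINDOW = timedelta(minutes=1)
MAX_DISTINCT_DESTINATIONS = 3  # fan-out threshold; tune to the environment's baseline

def parse_line(line):
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_outbound_fanout(log_text, window=WINDOW, threshold=MAX_DISTINCT_DESTINATIONS):
    """Return {src_ip: max_distinct_external_hosts} for internal sources that reach
    more than `threshold` distinct external hosts within any sliding `window`."""
    flows = defaultdict(list)  # src -> [(timestamp, dst_ip)], internal->external only
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, _ = parse_line(line)
            if is_internal(src) and not is_internal(dst_ip):
                flows[src].append((ts, dst_ip))
    flagged = {}
    for src, events in flows.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

Hosts that talk to a couple of external services, or that spread a few connections over many minutes, stay below the threshold; only the burst from 10.0.5.20 is reported.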

Due diligence of care means that an organization researches and analyzes vulnerabilities and threats and mitigates the associated risks in accordance with industry standards (Hallberg, Kabay, Robertson, & Hutt, 2014). It relates to the Doctrine of Downstream Liability in that an organization can prove it has met its due diligence obligation by attempting to mitigate or prevent further attacks launched through its own systems.

References:

Bace, R. G., & Sinchak, J. (2014). Vulnerability assessment. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (6th ed., pp. 46.1-46.13). New York, NY: John Wiley & Sons.

Hallberg, C., Kabay, M. E., Robertson, B., & Hutt, A. E. (2014). Management responsibilities and liabilities. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (6th ed., pp. 63.1-63.33). New York, NY: John Wiley & Sons.
