The US government has attempted to legislate penalties for data breaches, both federally and by state, in hopes of creating incentives for companies and government agencies to better protect personally identifiable information (PII). See all 50 states and their data breach regulations here. As a result, there was a small adjustment in security strategies within the private sector; however, these changes were clearly not enough in light of the massive data breaches we read about in the news each week.
Recently, employees of Citrix have joined together to sue their employer, which they allege was negligent and careless in protecting their personally identifiable information (PII), enabling a breach. What is interesting about this class action lawsuit is that no specific data breach law is being used for the case. The affected Citrix employees claim that Citrix demonstrated negligence by not protecting against password-spraying attacks, a technique for gaining access to accounts that use commonly chosen passwords. Strategies for addressing these attacks have been published and recommended by DHS for some time, long before Citrix was breached. The employees claim that this demonstrates the company's negligence.
This is big. We are starting to see the failure to protect data treated as grounds for a traditional legal action, rather than one that requires specialized data breach legislation. It also means that the community has understood the significance of protecting its data and is taking steps to ensure that it is safe; in this case, by suing organizations that do not protect it.
For information about how CASBs like Bitglass help secure data, download the Top CASB Use Cases below.