SECURITY: What's the liability exposure of managers and the organization?
Can system owners be held personally liable when security is compromised? When an organization holds stewardship of data on external entities—customers, individuals, other organizations—and that data is compromised, to what extent is the victimized corporation liable to the secondary victims, those whose data was stolen?
Organizations generally have internal policies for dealing with security breaches, but not many yet have specific policies to address this area. Managers who do not secure the systems for which they're responsible, employees who cavalierly use information to which they should not have access, and system users who find shortcuts around established security procedures are dealt with in the same fashion as anyone who doesn't meet the fundamental job requirements, anything from transfer or demotion to termination. Should compromised or ineffective security be held to a higher standard? Answer question based on topic above.
1. Introduction paragraph (why I chose this scenario):
2. Decision or conclusion paragraph(s):
3. Consequences paragraph(s):