CFOtech UK - Technology news for CFOs & financial decision-makers

Certes warns UK executives face liability as data breach risks rise

Yesterday

Certes has issued a warning that company boards and senior executives may be personally liable for data breaches as legal and regulatory scrutiny intensifies.

According to the cybersecurity firm, increasing legal precedents and regulatory actions are transferring responsibility for safeguarding data from IT departments to the executive level, exposing chief executives and board members to the risk of personal criminal liability in the event of data loss or theft.

Simon Pamplin, Chief Technology Officer at Certes, commented on this shift, stating, "A quiet but dramatic shift has taken place in the world of cybersecurity: data breaches are no longer just an IT failure, they're becoming a criminal offence."

Certes contends that as data extends well beyond the traditional perimeter of corporate IT infrastructure, reliance on perimeter security such as firewalls is no longer sufficient. The company warns that continued investment in these legacy approaches may leave sensitive company data exposed, particularly as advances in quantum computing threaten to undermine established encryption algorithms.

Pamplin highlighted the limitations of traditional security approaches, saying, "The days when perimeter security could keep your data safe are over; it has already left the building."

He added that courts are now holding CEOs directly responsible for the outcomes of cybersecurity breaches, citing a case in Finland where a CEO faced a suspended jail sentence and loss of business for assuming that cybersecurity measures were being handled by others in the organisation. This case demonstrates how the failure to adequately address data protection at the highest levels of an organisation can have significant personal and professional consequences for business leaders.

"This is no longer about box-ticking or ICO audits. It's about criminal liability and business survival," adds Simon. "The only defensible position now is to assume the breach will happen, and ensure your data is worthless to anyone who steals it."

Certes is promoting a Data Protection Risk Mitigation (DPRM) approach, which involves separating the management of encryption keys from the transmission of data. In this model, the data owner retains exclusive control of encryption keys, thereby ensuring that in the event of a breach, attackers are unable to make use of the stolen information.

The evolution towards quantum computing adds urgency to adopting new security measures. Pamplin flagged the imminent risk, noting that algorithms trusted for encryption today may be rendered ineffective by quantum computers.

"Legacy encryption is about to become useless. Many companies don't realise the algorithms they trust today will be broken tomorrow," said Simon. "We've been quantum-safe for years using NIST-approved post-quantum cryptography. But most businesses still don't have a plan."

Certes emphasises the need for organisations to focus on protecting data at its source rather than relying on external defences, as the sophistication and capabilities of potential attackers continue to advance.

The company concludes that as legal and technological risks escalate, boards and executives need to prioritise effective risk mitigation strategies and ensure direct involvement in decisions regarding the protection of their organisation's data.
