This paper examines the question of corporate legal liability arising from external attacks on accounting information systems (AIS). It argues that organizations have a fundamental duty to protect the confidentiality, integrity, and availability of financial data, and that firms failing to implement adequate security controls — administrative, technical, and physical — should be held legally responsible for resulting losses. The paper discusses the role of access controls, encryption, employee monitoring, and system audits in minimizing vulnerability. It also acknowledges that organizations with sufficient security measures in place should bear reduced liability, since no system can be made entirely secure. The analysis draws on established information security frameworks to support its position.
The issue of whether firms should be held responsible for losses sustained from external attacks on their accounting information systems (AIS) has recently come into sharp focus. On one hand, if a firm has put in place sufficient security measures, it should not be held liable for losses incurred in an external attack on its AIS. On the other hand, if a firm is negligent and has failed to implement adequate security controls, it ought to be held liable for any losses incurred in the event of a successful security attack on its accounting information systems. There are quite a number of different types of attack that can enable access to AIS, and if a company does not put measures in place to protect itself against those attacks, then in the event of a successful attack the relevance and/or reliability of the financial information will be destroyed (Beard & Wen, 2007).
It is the author's position that in the event of a successful attack on a firm's financial systems, lawsuits should be filed against the company. It is the responsibility of every organization to ensure that its AIS are protected against any form of unauthorized external access. On those grounds, every organization should ensure the credibility of its accounting information systems at all times. This paper fully supports the argument that organizations should be held legally liable for any successful external attacks on their AIS.
In the majority of cases, organizations' information systems are designed so that integrity, availability to authorized users, and confidentiality are assured. Organizations should ensure that users' information is secured from unauthorized access, and they should always make certain that unauthorized disclosures of confidential information are prevented and countered by all means possible. Organizations should also put in place monitoring systems that check their systems regularly so that threats of any kind can be detected and prevented.
Firms should also strive to encrypt all of their accounting and financial information before storage, so as to make it difficult for any unauthorized user to determine the nature of the data held. Where appropriate, organizations should implement strict access control systems to restrict the number of people who have any form of access to their AIS (Layton, 2007).
It is an organization's duty to choose proper technical, administrative, and physical controls for its financial information. Administrative controls serve three main purposes: to screen employees, to disseminate security control policies, and to regularly conduct employee awareness programs. The administrative controls and the technical controls ought to be integrated in such a manner that unauthorized users and hackers have only minimal chances of accessing financial information. This should be achieved through the regular updating of systems.
Additionally, organizations ought to utilize proper physical and technical controls to protect data. Technical controls include the effective implementation and maintenance of access control procedures. Together, these three categories of control form the foundation of a defensible information security posture.
Layton, T. (2007). Information security design, implementation, measurement and compliance. Auerbach Publications, Taylor & Francis Group.
Peltier, T. R. (2001). Information security risk analysis. CRC Press.
Schneier, B., & Miller, C. (2002). Successful attacks on accounting information systems. [Retrieved from online source.]