BreachExchange mailing list archives

Re: CEOs deserve jail for data breaches


From: "Eric Nelson" <enelson () secureprivacysolutions com>
Date: Wed, 9 Apr 2008 07:30:10 -0700

There are a number of federal laws that do provide civil penalties and
responsibility for company executives that do not follow a company's privacy
and security policies.

Gramm-Leach-Bliley is one example of requiring a company to implement
security controls and ongoing compliance assurance.  Civil penalties can be
levied against both companies and individuals and executives can face
possible jail time.

In addition, CEOs and other executives already face the significant
penalties for non-compliance under Sarbanes-Oxley.  These penalties are
directly related to ensuring that controls and processes are in place.

On a side note, yes, prisons are overcrowded, but perhaps spending a few
nights with "Bubba" might be a good deterrent..., 

Eric Nelson
Secure Privacy Solutions

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org]
On Behalf Of Casey, Troy # Atlanta
Sent: Wednesday, April 09, 2008 7:09 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] CEOs deserve jail for data breaches

Off the cuff, this seems like a good idea on the surface.  The problem
is that the personal criminal liability will motivate companies to hide
the facts and not disclose data breaches.

My personal thought on this is that fines and penalties don't seem to
have much of an effect, but that personal legal liability will make CEOs
sit up and take notice...there needs to be some rationale for the
mega-buck paychecks these guys are raking in, and a high level of
personal legal risk seems to me a better rationale for today's CEO
salaries than some canard like "market performance".  If this were
enacted, the "skin in the game" on the part of the CEOs might make their
huge salaries seem less unfair.  It's plain to me that until there is
some downside risk to "accepting the risk" of an insecure system,
companies will continue to give IT Security short shrift, and I think
this is a sensible approach.

Several have objected based on some notion that the CEO is "not
responsible" for the weak controls, but I disagree.  Anyone with
military experience will tell you that one can delegate authority, but
that one cannot delegate responsibility.  The CEO is ultimately
responsible for everything the company does.  If the CEO were to
suddenly start taking security seriously, (s)he would communicate that
to the senior staff, and the new culture would trickle down to the IT
Directors and others that have more direct oversight of IT security.  If
the CEO's attitude was 'let's have the best security we can afford', and
monies made available in a security 'slush fund' to deal with unexpected
security issues, the IT Directors would no longer have to say "no" when
asked for the next security technology.  Yes, it all ultimately comes
back to the CEO and the Board of Directors - their attitude about
security becomes the Company's attitude about security.

Cheers,
Troy

Troy D. Casey

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of security curmudgeon
Sent: Wednesday, April 09, 2008 4:33 AM
To: dataloss () attrition org
Subject: [Dataloss] CEOs deserve jail for data breaches



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.techworld.com/security/news/index.cfm?newsID=11924

By John E. Dunn
Techworld
08 April 2008

A growing number of security pros believe that the way to stop data
breaches from happening is as simple as it is stark - send the CEOs or
board members deemed responsible to jail.

The opinion emerged from a survey by security mainstay Websense at the
recent UK e-Crime Congress, which polled 107 security professionals on
their opinions. Seventy-nine percent believed that companies should be
fined for data breaches - something that does already happen in some
cases in the UK - while 59 percent were in favour of compensation for
consumers affected by a breach.

The most striking view of all was that the time had come to punish
serious data breaches with jail time for senior staff, with 25 percent
rating that as a necessary step. Only three percent were against any
form of legally-enforceable punishment.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml