BreachExchange mailing list archives
Re: CEOs deserve jail for data breaches
From: "James Ritchie, CISA, QSA" <james_ritchie () sbcglobal net>
Date: Wed, 09 Apr 2008 10:12:46 -0400
Each company in the US has a Fiduciary responsibility to protect the data within perimeter. This has been established under several items: Model Business Corporation Act (ABA created and adopted by many states), Federal Rules on Civil Procedures, US Sentencing Guidelines, and others. These issues have defined governance and actions the accountability of senior management while protecting the data (see my article scmagazineus.com "Global Security Concerns <http://www.scmagazineus.com/Global-security-challenges/article/108580/>"). In many cases, management sets the tone-at-the-top, determines what is to be spent, and is held accountable to the stockholders (or principals of the business). What I expect to see is a very savvy attorney turn a breach into a civil suit, naming the Cxx of the company for failure to perform their due diligence and due care of protecting the data that was entrusted to them.
Jeff wrote:
Putting a CEO in jail for a data breach would be ridiculous unless the person were directly responsible for releasing the protected information. Jails are already overcrowded and this would not solve the problem. Generally, it's hard to find people more clueless about IT than a CEO!

Data breaches need to be more publicized, companies should be fined heavier based on the amount and severity of the data loss. There should also be monetary compensation to the victims built into the law. This would eliminate the need for court proceedings and add to the total fine and therefore risk to the organization.

At this time, there isn't much action because the majority of people are not vocal about this issue and that makes political and corporate leaders feel that the issue is not important enough to spend time and money correcting.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of security curmudgeon
Sent: Wednesday, April 09, 2008 4:33 AM
To: dataloss () attrition org
Subject: [Dataloss] CEOs deserve jail for data breaches

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.techworld.com/security/news/index.cfm?newsID=11924

By John E. Dunn
Techworld
08 April 2008

A growing number of security pros believe that the way to stop data breaches from happening is simple as it is stark - send the CEOs or board members deemed responsible to jail.

The opinion emerged from a survey by security mainstay Websense at the recent UK e-Crime Congress, which polled 107 security professionals on their opinions. Seventy-nine percent believed that companies should be fined for data breaches - something that does already happen in some cases in the UK - while 59 percent were in favour of compensation for consumers affected by a breach.
The most striking view of all was that the time had come to punish serious data breaches with jail time for senior staff, with 25 percent rating that as a necessary step. Only three percent were against any form of legally-enforceable punishment.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin http://www.linkedin.com/pub/1/b89/433