Re: CEOs deserve jail for data breaches

[James Childers <james () iqbio net>]

I think we need to remember that there is a difference between "best  
practices & stewardship of data" and "strict compliance".

There are a few companies that will do everything they can to take  
care of the customers data by employing best practices and creating a  
sense of responsibility within the organization and then there are the  
majority who are only looking at the bottom line and what it takes to  
be "compliant" with the law - looking to nothing else as if it were a  
check-box on a form.

I think that if there were criminal penalties for neglect or corporate  
malfeasance in the keeping of sensitive data that CEO's, CTO's and  
others would consider a shift in their thinking.

James Childers
President & CEO ASG Global
Artemis Solutions Group of Companies
http://www.artemis-usa.com
primary email: james () iqbio net

Philosophy -

1. If you aren't making mistakes, you are not living.  If you keep  
making the same mistake, you are not learning.
2. Concentrate your efforts on the thing that is most important to you  
at this moment.  The rest will take care of itself.
3. Nosce te Ipsum




On Apr 9, 2008, at 7:30 AM, Eric Nelson wrote:

> There are a number of federal laws that do provide civil penalties and
> responsibility for company executives that do not follow a company's  
> privacy
> and security policies.
>
> Gramm-Leach-Bliley is one example of requiring a company to implement
> security controls and ongoing compliance assurance.  Civil penalties  
> can be
> levied against both companies and individuals and executives can face
> possible jail time.
>
> In addition, CEO's and other executives already face the significant
> penalties for non-compliance under Sarbanes Oxley.  These penalties  
> are
> directly related to ensuring that controls and processes are in place.
>
> On a side note, yes, prisons are overcrowded, but perhaps spending a  
> few
> nights with "Bubba" might be a good deterrent...,
>
> Eric Nelson
> Secure Privacy Solutions
>
> -----Original Message-----
> From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org 
> ]
> On Behalf Of Casey, Troy # Atlanta
> Sent: Wednesday, April 09, 2008 7:09 AM
> To: dataloss () attrition org
> Subject: Re: [Dataloss] CEOs deserve jail for data breaches
>
> Off the cuff, this seems like a good idea on the surface.  The problem
> is that the personal criminal liability will motivate companies to  
> hide
> the facts and not disclose data breaches.
>
> My personal thought on this is that fines and penalties don't seem to
> have much of an effect, but that personal legal liability will make  
> CEOs
> sit up and take notice...there neeeds to be some rationale for the
> mega-buck paychecks these guys are raking in, and a high level of
> personal legal risk seems to me a better rationale for today's CEO
> salaries than some canard like "market performance".  If this were
> enacted, the "skin in the game" on the part of the CEOs might make  
> their
> huge salaries seem less unfair.  It's plain to me that until there is
> some downside risk to "accepting the risk" of an insecure system,
> companies will continue to give IT Security short shrift, and I think
> this is a sensible approach.
>
> Several have objected based on some notion that the CEO is "not
> responsible" for the weak controls, but I disagree.  Anyone with
> military experience will tell you that one can delegate authority, but
> that one cannot delegate responsibility.  The CEO is ultimately
> responsible for everything the company does.  If the CEO were to
> suddenly start taking security seriously, (s)he would communicate that
> to the senior staff, and the new culture would trickle down to the IT
> Directors and others that have more direct oversight of IT  
> security.  If
> the CEO's attitude was 'let's have the best security we can afford',  
> and
> monies made available in a security 'slush fund' to deal with  
> unexpected
> security issues, the IT Directors would no longer have to say "no"  
> when
> asked for the next security technology.  Yes, it all ultimately comes
> back to the CEO and the Board of Directors - their attitude about
> security becomes the Company's attitude about security.
>
> Cheers,
> Troy
>
> Troy D. Casey
>
> -----Original Message-----
> From: dataloss-bounces () attrition org
> [mailto:dataloss-bounces () attrition org] On Behalf Of security  
> curmudgeon
> Sent: Wednesday, April 09, 2008 4:33 AM
> To: dataloss () attrition org
> Subject: [Dataloss] CEOs deserve jail for data breaches
>
>
>
> ---------- Forwarded message ----------
> From: InfoSec News <alerts () infosecnews org>
>
> http://www.techworld.com/security/news/index.cfm?newsID=11924
>
> By John E. Dunn
> Techworld
> 08 April 2008
>
> A growing number of security pros believe that the way to stop data
> breaches from happening is simple as it is stark - send the CEOs or
> board members deemed responsible to jail.
>
> The opinion emerged from a survey by security mainstay Websense at the
> recent UK e-Crime Congress, which polled 107 security professionals on
> their opinions. Seventy-nine percent believed that companies should be
> fined for data breaches . something that does already happen in some
> cases in the UK . while 59 percent were in favour of compensation for
> consumers affected by a breach.
>
> The most striking view of all was that the time had come to punish
> serious data breaches with jail time for senior staff, with 25 percent
> rating that as a necessary step. Only three percent were against any
> form of legally-enforceable punishment.
>
> [..]
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor
> your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and  
> monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and  
> monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml