Should Corporate Data Breaches Result in Jail Time?

Should executives go to jail for data breaches?

That’s exactly what Senator Elizabeth Warren (D-MA) is proposing. In a new op-ed in The Washington Post, she suggests criminal penalties for leaders whose companies let data slip into the open:

“My proposal would impose similar criminal liability for negligent executives of any company with more than $1 billion in annual revenue in a variety of circumstances, including if that company is found guilty of a crime or is found liable for a civil violation affecting the health, safety, finances or personal data of 1 percent of the U.S. population or 1 percent of the population of any state.”

In other words, if Facebook accidentally exposed the personal data of 500 million Americans, Mark Zuckerberg and Sheryl Sandberg could end up in jail. Ha ha, kidding! Even if Warren somehow helped pass a law that imposes criminal or civil liability on executives for data breaches, there’s no way any company would allow the Feds to cart off their executives in handcuffs without a fight. In that hypothetical Facebook scenario, there’s virtually zero chance that Zuckerberg and Sandberg would end up behind bars; they would either plead down to a fine, or wear down the Feds with a years-long court battle.

As any security professional will tell you, virtually all systems have vulnerabilities of some sort; sooner or later, an attacker will slip through. When that happens, and the attacker absconds with user data, what factors determine whether the company is “negligent”? It’s very easy for a Senator (and Presidential hopeful) to feed some red meat to the campaign crowds by shouting that executives should go to jail; but it’s often difficult to prove that a company neglected to sufficiently secure data.

And let’s say, just for the sake of argument, that a contractor or tech pro accidentally left a file of unencrypted passwords and usernames in a Google Doc or other publicly accessible file. That’s a clear case of negligence—but should an executive go to jail for it? Most CEOs and other C-suite executives don’t keep track of what’s happening in their company’s IT infrastructure.

If a bill like this is turned into law, it could have the beneficial side effect of encouraging companies to spend more on security, and to pay better attention to how they handle data. But for a public increasingly concerned about its data, something like a U.S. version of the GDPR might better serve the public than threatening to jail executives of companies that suffer catastrophic breaches.

2 Responses to “Should Corporate Data Breaches Result in Jail Time?”

  1. Nick:

    Why would something like a U.S. version of the GDPR better serve the public than threatening to jail executives of companies that suffer catastrophic breaches more than holding directors more personally responsible? In either case the lawyers would win and the directors and companies will lose.

    Aron

  2. Why do you think that the GDPR would promote better cybersecurity than legislation? Fear of incarceration – especially if provable by negligence – should make any CEO and board member think twice about letting their charge “play in traffic”.