Should executives go to jail for data breaches?
That’s exactly what Senator Elizabeth Warren (D-MA) is proposing. In a new op-ed in The Washington Post, she suggests criminal penalties for leaders whose companies let data slip into the open:
“My proposal would impose similar criminal liability for negligent executives of any company with more than $1 billion in annual revenue in a variety of circumstances, including if that company is found guilty of a crime or is found liable for a civil violation affecting the health, safety, finances or personal data of 1 percent of the U.S. population or 1 percent of the population of any state.”
In other words, if Facebook accidentally exposed the personal data of tens of millions of Americans (well past the proposal's 1 percent threshold), Mark Zuckerberg and Sheryl Sandberg could end up in jail. Ha ha, kidding! Even if Warren somehow helped pass a law that imposes criminal or civil liability on executives for data breaches, there's no way any company would allow the Feds to cart off its executives in handcuffs without a fight. In that hypothetical Facebook scenario, there's virtually zero chance that Zuckerberg and Sandberg would end up behind bars; they would either plead down to a fine, or wear down the Feds with a years-long court battle.
As any security professional will tell you, virtually all systems have vulnerabilities of some sort; sooner or later, an attacker will slip through. When that happens, and the attacker absconds with user data, what factors determine whether the company was "negligent"? Was a known patch left unapplied for months? Was the stolen data stored unencrypted? Were stale credentials never revoked? Reasonable people disagree on where ordinary risk ends and negligence begins. It's very easy for a Senator (and Presidential hopeful) to feed some red meat to the campaign crowds by shouting that executives should go to jail, but it's often difficult to prove that a company neglected to sufficiently secure its data.
And let's say, just for the sake of argument, that a contractor or tech pro accidentally left a file of unencrypted usernames and passwords in a Google Doc or some other publicly accessible location. That's a clear case of negligence by whoever left it there, but should an executive go to jail for it? Most CEOs and other C-suite executives don't keep track of what's happening in their company's IT infrastructure; a law like this would have to say whether not knowing is itself the negligence.
If a bill like this were signed into law, it could have the beneficial side effect of encouraging companies to spend more on security, and to pay closer attention to how they handle data. But for a public increasingly concerned about its data, something like a U.S. version of the GDPR, which puts the penalty on the company (fines of up to 4 percent of global annual revenue) and pairs it with concrete obligations on how personal data is collected, stored and disclosed, might better serve the public than threatening to jail executives of companies that suffer catastrophic breaches.