Jail Time for Executives Who Fail To Report A Breach?

Since Equifax leaked credit and identity information on ALL of us last year, I have been in a foul mood about the clueless and technically inept C-level corporate executives who are responsible for these breaches.  Throw the bums in jail!

Well, a law working its way through Congress may do just that.  For the first time executives may be facing not just ritual termination, and shaming in the press, but actual hard time.  Up to five years.  Senator Bill Nelson has been trying to get some traction under his bill,  S.177 – Data Security and Breach Notification Act of 2015.  Evidently for a while now.

The reason I support this legislation is that I have been in too many meetings with C-level executives where real security gets short shrift and no funding.  Certainly, the cyber-criminals and other malicious actors are legally responsible for the breaches.  But in many case the executives of the targeted company made decisions that ultimately made it possible for the breach to occur.  On discovery, often they are more interested in covering up the breach than responsibly reporting the issue to their affected customers.

The Department of Homeland Security (DHS) would create a new federal entity where data breaches would be reported if they involved:

  • the personal information of more than 10,000 individuals,
  • a database containing the personal information of more than 1 million individuals,
  • federal government databases, or
  • the personal information of federal employees or contractors known to be involved in national security or law enforcement.

This new organization would repot this information to other law enforcement agencies as deemed appropriate, including:

  • US Secret Service
  • FBI
  • Federal Trade Commission (FTC)
  • US Postal Inspection Service, if mail fraud is involved
  • Attorneys general of affected states
  • Appropriate federal agencies for law enforcement, national security, or data security purposes

Usually these guys only pay attention to issues that are likely to improve stock price, or positively affect their quarterly bonus or compensation.  Cybersecurity is only seen as an expense.  If there is an actual danger of incarceration, perhaps corporate officers may finally take this issue seriously.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.