Jail Time for Executives Who Fail To Report A Breach?

Since Equifax leaked credit and identity information on ALL of us last year, I have been in a foul mood about the clueless and technically inept C-level corporate executives who are responsible for these breaches.  Throw the bums in jail!

Well, a law working its way through Congress may do just that.  For the first time executives may be facing not just ritual termination, and shaming in the press, but actual hard time.  Up to five years.  Senator Bill Nelson has been trying to get some traction under his bill,  S.177 – Data Security and Breach Notification Act of 2015.  Evidently for a while now.

The reason I support this legislation is that I have been in too many meetings with C-level executives where real security gets short shrift and no funding.  Certainly, the cyber-criminals and other malicious actors are legally responsible for the breaches.  But in many cases the executives of the targeted company made decisions that ultimately made it possible for the breach to occur.  On discovery, often they are more interested in covering up the breach than responsibly reporting the issue to their affected customers.

The Department of Homeland Security (DHS) would create a new federal entity where data breaches would be reported if they involved:

  • the personal information of more than 10,000 individuals,
  • a database containing the personal information of more than 1 million individuals,
  • federal government databases, or
  • the personal information of federal employees or contractors known to be involved in national security or law enforcement.

This new organization would report this information to other law enforcement agencies as deemed appropriate, including:

  • US Secret Service
  • FBI
  • Federal Trade Commission (FTC)
  • US Postal Inspection Service, if mail fraud is involved
  • Attorneys general of affected states
  • Appropriate federal agencies for law enforcement, national security, or data security purposes

Usually these guys only pay attention to issues that are likely to improve stock price, or positively affect their quarterly bonus or compensation.  Cybersecurity is only seen as an expense.  If there is an actual danger of incarceration, perhaps corporate officers may finally take this issue seriously.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
