Jail Time for Executives Who Fail To Report A Breach?

Since Equifax leaked credit and identity information on ALL of us last year, I have been in a foul mood about the clueless and technically inept C-level corporate executives who are responsible for these breaches.  Throw the bums in jail!

Well, a law working its way through Congress may do just that.  For the first time executives may be facing not just ritual termination, and shaming in the press, but actual hard time.  Up to five years.  Senator Bill Nelson has been trying to get some traction under his bill,  S.177 – Data Security and Breach Notification Act of 2015.  Evidently for a while now.

The reason I support this legislation is that I have been in too many meetings with C-level executives where real security gets short shrift and no funding.  Certainly, the cyber-criminals and other malicious actors are legally responsible for the breaches.  But in many cases the executives of the targeted company made decisions that ultimately made it possible for the breach to occur.  On discovery, often they are more interested in covering up the breach than responsibly reporting the issue to their affected customers.

The Department of Homeland Security (DHS) would create a new federal entity where data breaches would be reported if they involved:

  • the personal information of more than 10,000 individuals,
  • a database containing the personal information of more than 1 million individuals,
  • federal government databases, or
  • the personal information of federal employees or contractors known to be involved in national security or law enforcement.

This new organization would report this information to other law enforcement agencies as deemed appropriate, including:

  • US Secret Service
  • FBI
  • Federal Trade Commission (FTC)
  • US Postal Inspection Service, if mail fraud is involved
  • Attorneys general of affected states
  • Appropriate federal agencies for law enforcement, national security, or data security purposes

Usually these guys only pay attention to issues that are likely to improve stock price, or positively affect their quarterly bonus or compensation.  Cybersecurity is only seen as an expense.  If there is an actual danger of incarceration, perhaps corporate officers may finally take this issue seriously.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
