Data loss CEOs should go to jail

Richard Thomas, head of the Information Commissioner's Office (ICO) in the UK, told Parliament that CEOs should be responsible for the protection of confidential data in their firm's possession, and should face criminal charges in the event of data loss.

This recommendation comes in the wake of recent high-profile data breaches, in particular the loss of unencrypted information on 25 million UK citizens by UK Revenue & Customs (HMRC).

As described on their website, "the ICO is an independent public body and the Ministry of Justice is the ICO’s sponsoring department within Government."

IT Pro News reported:

According to a presentation by Information Commissioner Richard Thomas to the House of Commons' Justice Committee, chief executives would have to certify that companies had safeguards in place to protect personal data.

The Guardian added:

Failure to take care of people's personal information could be punishable by law in future, as Thomas argued that "knowingly or recklessly" putting someone at risk due to inadequate data protection should be made a criminal offence.

Data breaches in which personal information is lost have become commonplace, as shown by the news listed in the Forum of Incident Response and Security Teams.

Although government oversight would make those responsible for losses accountable, such measures are not a panacea. For example, stricter penalties may push data centers offshore, to countries with weaker laws. While no perfect solution exists, stricter regulations will send a clear signal to government and private sector employees: if you lose someone else's information due to negligence, you will pay the price.

  • Keep them RESPONSIBLE even if ....

    Make ANYONE who requires personal data to be collected responsible
    for its safekeeping even if sent/stored offshore. This way the
    responsibility cannot be defused or passed on elsewhere.
  • Only if...

    ...a sole proprietor would go to jail for the same offense.
    John L. Ries
  • Data loss CEOs should go to jail..

    Whatever happened to taking responsibility for one's own actions instead of passing the buck? And if any Corporate Officer should go to jail, it should be the CSO (Chief Security Officer).
    • What about the...

      And/or the CTO (Chief Technology Officer). More than anything, keeping business records secure is more and more a function of the CTO's job than the CEO. And seriously think about it: in this day and age, what CEO still maintains a grip on the day-to-day of every aspect of his company?

      Now, if the issue had been raised to the CEO, and he either was apathetic or antithetical, THEN cart his butt off to jail...
      GoodmanCPA-IT Tech
  • due diligence

    I agree, but only if "due diligence" has not been demonstrated. After all, in the US we don't arrest a bank manager if his bank is robbed.
  • RE: Data loss CEOs should go to jail

    Three weeks ago the UK Government lost two disks containing the personal data of 26 MILLION British citizens. Unprecedented and unimaginable incompetence!!!

    Not only were the disks unencrypted, but they were sent through the public mail service.

    The issue has fallen off the media horizon

    This is not politics! The buck stops with the British Prime Minister (the PM is Her Britannic Majesty's "CEO") and it is as sure as God made little apples that he won't go to jail. But when will the British Public be told what has happened to those disks and, just as importantly, whether or not the data they contain has been accessed?
    • oops

      The idiot that allowed that data to be stored unencrypted and to be sent through regular mail needs to be permanently unemployed in the industry at the very least.
  • Dumb

    CEOs aren't data experts. You can't expect someone to know intimate details about every aspect of a corporation. It's just too much information, and nobody can have that much expertise. That's why people are hired for different positions.

    Are we going to jail the IT guys because the CFO massaged the data to hide criminal activities?

    As another poster opined, if it can be proven that the CEO knew of unsafe practices and ignored it, or if he condoned it or ordered it, then there should be some criminal culpability. Otherwise, each department has to take responsibility for its actions and quit trying to blame everyone else higher up the food chain for their faux pas.
    • The Buck Stops Where?

      If the CEO can PROVE that he/she took all appropriate steps to secure the enterprise's data, then they only have to pay damages and not go to jail. The CEO is responsible! If they are not, they should not get the big bucks. They don't have to be data experts - just experts at running their business - if it includes data, then they have to be data experts. The CEO can choose to hire a "real" expert to assist, but the buck stops at the CEO's desk! The abdication of the CEO's responsibilities only leads to the "pigs at a trough" mentality where CEOs and their compensation committees conspire to strip the maximum money from the corporation. The loss of money won't deter these people; the loss of freedom and money will.
  • Al

    Are you all saying that if I compromise my personal data in the workplace, the CEO should go to jail? Are you all saying that if an employee violates company policy, takes home his laptop and has it stolen or loses the data, or even gives away the data, that the CEO should go to jail? If that's what you want, then you will end up screaming about big brother, because to protect himself, the CEO will have to monitor or have monitored every single activity in the workplace - 24/7. Corporate productivity will decrease, competitiveness will decline, and people who did nothing wrong will lose their jobs. Then you will really have something to complain about. When a crime is committed there is an investigation, to determine who committed the crime. When the culprit is determined, that is the person who should be tried, if necessary, and if convicted, fined and/or jailed. If you want to send the CEO to jail for an employee's error, then be prepared for the prevention measures.
    • You miss the point

      The point of this is that there are many, many, many cases where reasonable security and privacy controls would have prevented the data loss before it occurred, but that these sorts of reasonable, documentable controls are seldom implemented because they COST MONEY. Ask almost anyone who works in any major corporation or government agency what the response is when IT staff ask for the money, time and authority to implement security controls, and they will tell you of cases where the sole determinant is whether it can be 'cost justified'. Since the reality has been that no one could quantify in advance the risk of data loss, and since wishful thinking is the most common upper management response when presented with the possibility of a data loss, the sad fact is that the vast majority of these data losses are not even slightly surprising to the IT staff who have been there. So, in order to motivate the upper management to do what common sense tells their subordinates is necessary, you have to use a stick. You say the CEO will have to monitor or have monitored every single activity in the workplace? That is part of their job! That's what they get paid for. What you are really saying is, the CEO might have to take responsibility for something other than figuring out when to exercise their stock options. If they are not responsible for what the organization does, then who is? And if they are not held responsible for ignoring clear warnings, then who should be? You say the culprit will be determined? Who is the culprit when simple hard drive encryption could prevent data being lifted from a stolen laptop, but a cost accountant cancelled purchasing a license for a laptop for encryption software after a VP decided his budget didn't have room to purchase it for the laptop he bought so his employee could work on the road?

      Who is responsible when the network group requests a VPN gateway, but the quarterly sales are down a bit so there is a budget freeze on new hardware? Who should take the fall when the company decides to change vendors from a domestic company covered by US privacy laws to an offshore vendor not covered, and the unencrypted data tapes, or CDs, or even unencrypted emails are used to send confidential data to the new vendor, and somehow get lost along the way?
  • Mail Service

    Does your credit card statement come to you in the mail?
  • RE: Data loss CEOs should go to jail

    I don't think prison is a real solution to this particular problem. Putting a CEO in jail for a data breach that they might honestly not have seen coming isn't going to stop irresponsible data-management practices by lower management. Instead, it should involve MASSIVE fines. By massive, I mean millions, and possibly billions of dollars. They should be imposed based on the size of the breach. Let's say "hypothetically" the fines are set at $10k per individual "unit" of data loss. So if TJ Maxx loses a million social security numbers because their employee posts it accidentally on MySpace, they should be liable for something like $10,000,000,000. The money should then be issued to the "victim", not the Government. Just the possibility that shareholders/owners of a company could be liable for several years' worth of profit for even a small breach ought to set into motion a frenzy of Corporate soul-searching, because realistically, Corporations will only implement dramatic changes when threatened with their very existence. I don't mean that the fines should be $10k per person, but even $100 or $1000 per "unit" would act as a blunt deterrent to this trend of moronic data loss that does not seem to be ending.
  • Send them to jail? Will they pull the plug?

    As a previous poster noted, due diligence must be shown. But how many CEOs, CTOs, or CIOs will simply pull the plug? If losing online data will get you put in jail, they will take the data offline rather than risk going to jail. Due diligence or not, an over-zealous prosecutor is too much to risk. The consequences of that are too staggering to imagine.
  • CEOs In Jail?

    So the CEO of a company with 200,000 employees and 100 operating subs should go to jail because some HR idiot in a division 15 levels away screwed up.

    Stop ranting and get real.

    The CEO is responsible for making sure proper policies and procedures are in place. The buck (and jail time) stops there.
  • IMHO

    Nobody has mentioned the REAL people responsible for the loss of the disks... the courier service.
    They either have very dishonest or very careless people working for them... they should also be held responsible.
  • Don't stifle innovation; reward security

    Executives should be held accountable for negligence, of course, but severe personal penalties for any error will stifle innovation which results in crummy products and ridiculous costs. Think of healthcare and the fear of liability. Then think about the history of aviation and the success it is today.

    Instead, firms should be encouraged to invest in great security as a marketplace differentiator. Clear and enforceable standards are a first step, but security is another element of functionality and the market has its own generous incentives.
    • Clarification

      I'm NOT suggesting that commercial airlines are a success. Most of them are lousy. I'm just saying that because of a culture of innovation, planes these days can fly great distances and don't crash that often.

      Blaming Boeing for the misery that is BA will not help anyone.
  • RE: Data loss CEOs should go to jail

    Can You Make Them Take Data Breach Seriously?

    It really boils down to the fact that personal data has value only to the person whose information was breached or to a company whose product is personal data. Most companies spend a lot of money protecting against theft of their product.
    The valuation of a personal data breach is so low - the cost of paying for 1 or 2 years of free credit reports for each victim - a pittance. Whereas the poor victim has to worry for years as to whether their identity has been stolen and their personal history co-opted. Or worse, has to deal with cleaning up their records. And we're not even talking about someone who has committed a felony (or an act of terrorism) using a stolen identity.

    It's not clear putting the CEO, CTO, CIO, or CSO in jail is the right deterrent, but it sure is an attention getter.
  • I agree

    People who carelessly lose such valuable and confidential information should be permanently fired and jailed. Not only are they a risk to the company they work for but they are a risk for all the people whose information they have carelessly tossed into public access.

    John Musbach