Lock Them Up! The Coming Congressional Crackdown on Executives That Mishandle Hacks
Last month, Massachusetts Senator Elizabeth Warren wrote a notable op-ed in the Washington Post about corporate malfeasance. Warren began by singling out Wells Fargo for a series of scams, including opening phony bank accounts, overcharging customers for car loans and mortgages, and illegally repossessing military service members’ vehicles. “If you can dream up a financial scam,” Warren said, “there’s a good chance that Wells Fargo ran it on its customers in recent years.”
Warren’s fiery rhetoric was not surprising, coming from the outspoken consumer advocate. What was somewhat shocking, however, were her proposed penalties: jail time for senior executives. Warren introduced a new bill, the Corporate Executive Accountability Act, under which executives who “negligently permit or fail to prevent” criminal acts — including data breaches — could be put in prison. “If top executives knew they would be hauled out in handcuffs for failing to reasonably oversee the companies they run,” Warren said, “they would have a real incentive to better monitor their operations and snuff out any wrongdoing before it got out of hand.”
From the C-Suite to the Slammer?
This is not the first time that Senator Warren has called for a crackdown on negligent executives. Warren famously grilled former Equifax CEO, Richard Smith, on Capitol Hill after the credit reporting company experienced a huge hack, exposing the personal information of more than 145 million Americans. Warren slammed Smith for the company’s sloppy cybersecurity practices and for profiting from data breaches. “Equifax did a terrible job of protecting our data, because they didn’t have a reason to protect our data,” Warren said. “The incentives in this industry are completely out of whack.”
Warren is not alone in her quest to hold corporate executives personally accountable for data breaches. Several of her Senate colleagues have also argued that corporate executives should face criminal penalties for mishandling hacks. For example, in 2017, Senators Bill Nelson, Richard Blumenthal, and Tammy Baldwin introduced the Data Security and Breach Notification Act. The bill — a response to data breach cover-ups at Equifax and Uber — imposed jail time on executives that “intentionally and willfully” conceal a hack.
In 2018, following the Marriott mega-breach that exposed the personal information of 500 million customers, Oregon Senator Ron Wyden proposed far stiffer penalties for business executives who bungle breaches. Wyden, the Senate’s leading voice on data privacy issues, introduced the Consumer Data Protection Act, under which executives who mislead regulators could face personal fines of up to $5 million and up to 20 years in prison. “Clearly the current status quo isn’t working—the Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information,” said Wyden, adding: “Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won’t take privacy seriously.” Other senators, including Massachussetes’ Ed Markey, also signaled they could support prison terms for cyber negligent executives.
Support among lawmakers for throwing executives in jail is certainly not universal. Policymakers are unlikely to snatch CEOs from their penthouses and put them in the penitentiary anytime soon. However, the legal and regulatory tides are clearly turning; senior executives are certain to face a growing wave of penalties for mismanaging hacks. The “slap on the wrist” for data breaches days are officially over. Executives who mishandle hacks are no longer only at risk of losing their jobs — they’re potentially at risk of losing their freedom.
Staying Out of the Headlines (and Out of Prison)
Looking to keep your company out of the headlines (and yourself out of prison)? Check out N2K’s Resolve program. Our executive-tailored Cyber Risk Seminars, offered both on-site and on-demand, can help you stay on the right side of regulators and lawmakers — and protect both yourself, and your business, from serious civil and criminal penalties.