Cengage Technology & Computing Blog
The Buck Stops--Where?

Suppose that the sound system in your car stopped working, and the repair shop discovered that the person at the factory who installed it made an error that resulted in the problem. Should the CEO of that car company be fined? Or suppose that you studied for weeks in preparation to take a very hard exam, and somehow your instructor lost your exam (don't laugh, it happened to me in school). Should the President of the college be reprimanded for this instructor's sloppy behavior?


When something bad happens, who should be liable and even punished?


Increasingly, there are calls for the blame for information technology (IT) failures, security failures included, to be laid at the feet of the person at the very top. But is that realistic?


One of the U.S. presidential candidates this week (Apr 3 2019) announced the "Corporate Executive Accountability Act." This act would:


  • make corporate executives liable if they "negligently permit or fail to prevent" a "violation of the law" that
  • "affects the health, safety, finances or personal data" of 1 percent of the population of any state.

A CEO could get up to one year in prison for a first offense, and three years in prison for repeat offenses.


While the devil is in the details (the penalty only applies to companies that generate more than $1 billion in annual revenue, it only applies to companies that are either convicted of violating the law or settle claims with state or federal regulators, etc.), how would this have affected the recent run of data breaches? If this law had been in place, would we be seeing a large number of CEOs in prison?


Probably not. The data breach would have to be the result of illegal activity by the company, and the CEO would have to have been negligent in failing to prevent it.


And some highly publicized data breaches are not even the fault of the big company. Consider that the most recent data breach involving Facebook data wasn't even Facebook's fault. On Wednesday (Apr 3 2019) over 540 million records about Facebook users were found publicly exposed on Amazon's cloud storage service. Was this another failure by Facebook? No. Two third-party Facebook app developers had left the records in publicly accessible storage. Should the developers go to jail instead?


Sharing of Abhorrent Violent Material


But this hasn't stopped more of these laws from being passed that go after those at the top. Yesterday (Apr 6 2019) the Australian parliament passed legislation to crack down on violent videos on social media. This was prompted by the recent Christchurch terrorist attack, when video of the alleged perpetrator’s violent attack spread on social media faster than it could be removed. Called the "Sharing of Abhorrent Violent Material" bill, it creates new offenses for content service providers and hosting services that fail to notify the Australian federal police about or fail to "expeditiously" remove videos depicting "abhorrent violent conduct”.


Although the supporters of this bill say that it would not allow for the prosecution of social media executives, others say it could make anyone in these companies liable--all the way to the top executive--for not removing the material quickly enough. And besides, if the executives are not liable, who in the company is liable?


So, will we see the day when laws are passed under which any data breach results in jail time for the CEO? Although at one time that sounded preposterous, in today's climate it's not that far-fetched to think that lawmakers may see such tough laws as the only way to get a CEO's attention and put an end to data breaches.


But that still raises many questions:


  1. How does a CEO's company defend against a data breach that was the result of a zero-day attack, one that exploited a vulnerability nobody even knew existed?
  2. Is anyone liable for that?
  3. Since roughly three out of every four attacks begin with a user making a bad decision, such as falling for a social engineering attack or opening an infected email attachment, should users also be threatened with jail time unless they behave more securely?


This is probably an area in which legislation is not the answer. If we're really concerned about security, the threat of going to jail will not force a CEO to demand stronger security from her company.


After all, the threat of jail-time has not stopped the attackers.

1 Comment

Love that final question: should the average user be the one at fault? That person was the one who actually opened the infected email and started the whole attack, after all... I'll quote a former president who summed this up well in 3 words (in a quote that will instantly date me): "Not gonna happen".