Data Breach Responsibility & Consequences: Should Execs & Employees Be in the Hot Seat?
5 votes, average: 5.00 out of 55 votes, average: 5.00 out of 55 votes, average: 5.00 out of 55 votes, average: 5.00 out of 55 votes, average: 5.00 out of 5 (5 votes, average: 5.00 out of 5, rated)

Data Breach Responsibility & Consequences: Should Execs & Employees Be in the Hot Seat?

Holding executives and employees personally responsible is seemingly gaining traction within IT and cybersecurity communities and global political arenas. Let’s explore a few examples and see what this might mean for the future of cybersecurity.

Back in 2009, data from a survey by Websense (now ForcePoint) showed that 30% of 104 security professionals surveyed thought company leaders should be held accountable for security-related shortcomings. The respondents indicated that “CEOs and board members should face imprisonment for exposing consumers’ confidential data.” At the time, that was quite a hot take on data breach responsibility and consequences, or was it?

Since then, support for this idea only seems to continue to grow. Over the past few years, we’ve now started to see real criminal charges and convictions being handed out in response to data breaches. We’re not talking about charges against the cybercriminals who are committing these attacks. No, we’re referring to lawsuits and even criminal charges against the targeted organizations’ executives and other employees for blatant negligence or reckless behavior.

In 2020, Gartner predicted that three in four CEOs will be held ‘personally liable’ for cyber attacks and security incidents regarding cyber-physical security systems (CPSs) by 2024. Gartner’s analysts predict that dangerous or even fatal incidents involving these systems will increase due to small cybersecurity budgets and low prioritization of securing these systems.

This article explores several examples of CEOs, executives, and other employees facing charges or receiving convictions due to cyber security incidents and data breaches.

Let’s hash it out.

Company Executives Face Increasing Responsibility & Consequences

It’s not uncommon for company C-suite members to leave their roles after a data breach or other serious cyber security incident (either by choice or by force). We saw this happen after the 2013 Target data breach and Sony’s 2014 data breach.

But in some cases, simply fining, firing their executives, or having them step down isn’t enough; companies or government prosecutors may decide to take things a step further based on the seriousness of the issue. This happened to the CEO of a psychotherapy clinic in Finland.

Ex-CEO of a Finnish Psychotherapy Clinic Receives a Suspended Prison Sentence

Ville Tapio, the Ex-CEO of the now-bankrupt Psychotherapy Centre Vastaamo, received a three-month suspended sentence from the Helsinki District Court after losing a case. The lawsuit claimed Tapio was guilty of noncompliance with General Data Protection Regulation (GDPR) data encryption and pseudonymization requirements. Sophos reports that the prosecutors claimed that he not only knew that the company’s cybersecurity defenses were shoddy, but that Tapio failed to take action or report two separate breaches in 2018 and 2019.

According to Sophos, the cybercriminal who carried out the breach used the sensitive information to try to blackmail the clinic for nearly $500,000. When that failed, they threatened patients, saying they had to each pay €200 to avoid having their personal files shared publicly. If they didn’t pay up within 24 hours, the fee would more than double to €500.

The prosecution asked for a nine-month suspended sentence, but it was ultimately downgraded due to the defendant’s lack of criminal history. The suspended sentence basically means no jail time unless he’s found guilty of a similar crime again within a set period.

The fact that Tapio faced any criminal charges personally at all is a big change within the industry. But what he received equates to a slap on the wrist compared to the charges the next executive on our list faces (but I think we could all argue that this next guy is more deserving of strict punishment).    

Uber’s Former CSO Is Convicted of Federal Charges

An illustration of handcuffs that talks about the maximum sentence (8 years in prison) Uber's former CSO could have faced

Now, back across the pond to the U.S., in October 2022, Uber’s former chief security officer (CSO) Joseph Sullivan was declared guilty of federal charges related to a 2016 data breach involving the data of 57 million passengers and drivers. The U.S. Attorney’s Office for the Northern District of California says he was indicted in September 2020. He was ultimately convicted on charges of obstructing justice and intentionally concealing the data breach.

A Reuters report states that Sullivan went so far as to arrange a $100,000 payment in Bitcoin to the hackers in exchange for them signing non-disclosure agreements (NDAs) about the security incident, saying that they didn’t steal data. This is crazy!

The October 2022 Attorney’s Office report also indicated Sullivan faced up to eight years in prison — up to five years for obstruction and up to three years for misprision. However, the prosecutors ultimately asked for a 15-month prison sentence, and BBC reports that Sullivan was ultimately sentenced to:

  • undergo three years’ probation,
  • pay a $50,000 fine, and
  • perform 200 hours of community service.

But that isn’t the end of Uber’s woes; the U.S. Federal Trade Commission (FTC) also announced an enforcement action against one of its subsidiaries, Drizly.

Drizly and Its Former CEO Face Enforcement Action

In October 2022, the FTC filed a proposed enforcement action against the alcohol delivery service and its CEO, James Cory Rellas. The company failed to implement basic security measures, such as failing to secure critical databases or monitoring security threats, which ultimately led to a data breach exposing 2.5 million consumers’ personal data. The company and CEO were alerted to various security vulnerabilities up to two years before the 2020 breach but failed to take action. Pure negligence?

The proposed enforcement action aims to:

  • Limit what personal data Drizly can collect and require them to publicly state why the collection is necessary.
  • Force the company to destroy any unnecessary customer data (i.e., info that’s not required to provide services or products to customers).
  • Implement a comprehensive information security program and safeguards to prevent a similar situation from occurring in the future. This includes training, access controls, and other consumer data security measures.

In January 2023, the order with these requirements was finalized. As far as Rellas is concerned, he’ll have to implement a similar security program at any future organizations he works at “if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”

Unlike Uber’s former CSO, Rellas faces no criminal charges. But this brings us to the important question…

Data Breach Consequences: Should Company Leaders and Employees Be Held Personally Responsible?

Some regulations, such as GDPR, require organizations to disclose any personal data breach that could result in “a risk to the rights and freedoms of natural persons” to the supervisory authority within 72 hours of becoming aware. However, there are still a lot of mixed feelings regarding holding people personally accountable.

Some argue that corporations should be able to take financial or legal actions against their former executives and employees, regardless of the circumstance. Others argue that anyone who falls for a scam, regardless of whether the incident occurred in a personal or professional context, should be treated as a victim. The latter group’s primary concern is that if employers regularly take action against employees who fall for phishing or other types of cyber scams, then those workers will be far more hesitant to report such events out of fear they’ll lose their jobs or will get slapped with lawsuits.

Is this a legitimate concern? Possibly, as there have been cases of employers taking legal or financial actions against former employees. But doing so sets a powerful precedence that will ultimately determine the outcomes of future cyber security- and data breach-related cases.

Some Employers Hold Employees Responsible After Cyber Incidents & Breaches

One such case occurred in Scotland a few years ago. Patricia Reilly, who worked for Peebles Media Group, was sued for £107,984 as repayment for what the company lost after she fell for a business email compromise (BEC) scam in 2015. The Glasgow-based media company ultimately lost the case; however, it set a worrisome precedence for employers opting to sue their former employees to recoup their losses stemming from these phishing-attack scenarios. (Is that good or bad? I guess the answer depends on which side of the table you’re seated at.)

But lower-level employees aren’t the only ones who face punishments. In 2016, the CEO of the aerospace manufacturer FACC was fired after an employee transferred €52.8m after falling for a CEO fraud email. The company’s supervisory board determined that Walter Stephan, who was impersonated in a CEO fraud email, somehow “severely violated his duties, in particular in relation to the ‘fake president incident’” but initially failed to specify how. The company’s chief financial officer was also fired in the months following the event.

But the bad news didn’t stop there for both executives. In 2018, the company took things a step further and filed suit against the former company leaders for $11 million. However, the case was later thrown out when the Austrian court determined that “there was no failure of Dr. Stephan to fulfil his supervisory duties.”

There’s a Growing Movement Toward Holding Leaders Personally Accountable

An illustration of a gavel that says there's proposed legislation that aims to hold executives accountable in extreme cases

It shouldn’t come as a surprise that companies and government entities are starting to take a hard line regarding cyber security attacks and data breaches. Virtually every day, we read about new cyber security events and data breaches. Target, Home Depot, Equifax, T-Mobile (and, consequently, Google Fi as a result), LastPass — these incidents have made waves within the industry, and yet officials have historically been slow to respond.

After seeing some of the jaw-dropping breaches that have occurred within the last decade, some political leaders have had enough; they’re now pushing for greater legal punishments for executives whose companies experience major data breaches.

  • In 2018, a proposed amendment to the Federal Trade Commission Act opened the doors to steep financial penalties and legal punishments, including up to 20-year criminal penalties for senior executives. 
  • The Corporate Executive Accountability Act, which was introduced in the U.S. Senate in April 2019, proposes jail time for corporate executives who “negligently permit or fail to prevent a violation of law” that “affects the health, safety, finances or personal data” of at least 1% of the population of any state or the country. The first offense would be fined, imprisoned for up to one year, or both; for a second or subsequent offense, the fine option would stand but the prison sentence could increase to up to three years.

If approved, the Corporate Executive Accountability Act could have an impact on leaders of organizations that experience the worst-of-the-worst kind of data breaches (think Equifax). But the proposed legislation isn’t quite as straightforward as it may seem at first glance. As with most legislative proposals, there are caveats. In this case, an organization simply falling prey to a data breach isn’t enough to constitute a breach of the law; there would have to be provable negligence in terms of prevention. As a result, most data breaches likely wouldn’t fall within this category, so they wouldn’t result in criminal penalties.

Let’s Wrap Things Up

Cyber security is an ever-changing landscape. Over the past several years, we’ve seen changes in terms of new legislation. The U.S. National Cybersecurity Strategy that recently came down from the White House pushes to shift responsibility for securing cyberspace to the “right” entities (whoever those may be). But, surely, new regulations and shifting attitudes will also apply to cyber security events and data breaches.

There are also ongoing arguments occurring globally about how data is secured and whether the blanket concerns of “public safety” and “national security” trump the right to privacy. Some governments are pushing to have encryption backdoors created in the name of national security.  But as with any digital backdoor, encryption backdoors only serve to increase the risks of bad guys getting their hands on sensitive data.

So, how will all of this play out if we’re holding company executives and employees personally accountable when crap hits the fan? The answer likely depends on what decisions are made in these state, national, and global arenas.

We’ll be interested in seeing where these ongoing cyber security discussions and the shifting tides of responsibility take us over the next several years. In the meantime, everyone should do their part to ensure the proper security of their company assets, employees, and customers. Whether you are implementing a best-in-class cybersecurity solution or the last to lock up after cleaning the floors, security matters. It’s your duty.  


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.