[Dataloss] CEOs deserve jail for data breaches

[Allan Friedman]

The only reason to advocate this sort of measure is if we have
concrete proof that the personal-punishment type laws are more
effective than the other alternatives that have been discussed on this
list, including *effective* liability models or a shared culture of
openness and communication to prevent future breaches.

Personal criminal charges seem to be the worse of both worlds: strong
incentives not to share any information, and no real attempt to help
those hurt by breaches.

Has anyone seen any good research about the personal-responsibility
rules in SOX?