<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I think we need to remember that there is a difference between "best practices & stewardship of data" and "strict compliance". <div><br></div><div>There are a few companies that will do everything they can to take care of the customers' data by employing best practices and creating a sense of responsibility within the organization, and then there are the majority who are only looking at the bottom line and what it takes to be "compliant" with the law - looking to nothing else, as if it were a check-box on a form.<div><br></div><div>I think that if there were criminal penalties for neglect or corporate malfeasance in the keeping of sensitive data, CEOs, CTOs and others would consider a shift in their thinking. </div><div><br><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><span class="Apple-style-span" style="font-weight: bold; ">James Childers</span></div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; 
-webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>President & CEO ASG Global</div><div>Artemis Solutions Group of Companies</div><div><a href="http://www.artemis-usa.com/">http://www.artemis-usa.com</a></div><div>primary email: <a href="mailto:james@iqbio.net">james@iqbio.net</a></div><div><br class="webkit-block-placeholder"></div><div>Philosophy - </div><div><br class="webkit-block-placeholder"></div><div>1. If you aren't making mistakes, you are not living. If you keep making the same mistake, you are not learning. </div><div>2. Concentrate your efforts on the thing that is most important to you at this moment. The rest will take care of itself.</div><div>3. <b>Nosce te Ipsum</b></div><div><b><br></b></div></div></div></div></div></div></div></div><div><br></div></div></span><br class="Apple-interchange-newline"> </div><br><div>On Apr 9, 2008, at 7:30 AM, Eric Nelson wrote:<br class="Apple-interchange-newline"><blockquote type="cite">There are a number of federal laws that do provide civil penalties and<br>responsibility for company executives that do not follow a company's privacy<br>and security policies.<br><br>Gramm-Leach-Bliley is one example of requiring a company to implement<br>security controls and ongoing compliance assurance. Civil penalties can be<br>levied against both companies and individuals, and executives can face<br>possible jail time.<br><br>In addition, CEOs and other executives already face the significant<br>penalties for non-compliance under Sarbanes-Oxley. 
These penalties are<br>directly related to ensuring that controls and processes are in place.<br><br>On a side note, yes, prisons are overcrowded, but perhaps spending a few<br>nights with "Bubba" might be a good deterrent..., <br><br>Eric Nelson<br>Secure Privacy Solutions<br><br>-----Original Message-----<br>From: dataloss-bounces@attrition.org [<a href="mailto:dataloss-bounces@attrition.org">mailto:dataloss-bounces@attrition.org</a>]<br>On Behalf Of Casey, Troy # Atlanta<br>Sent: Wednesday, April 09, 2008 7:09 AM<br>To: <a href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>Subject: Re: [Dataloss] CEOs deserve jail for data breaches<br><br>Off the cuff, this seems like a good idea on the surface. The problem<br>is that the personal criminal liability will motivate companies to hide<br>the facts and not disclose data breaches.<br><br>My personal thought on this is that fines and penalties don't seem to<br>have much of an effect, but that personal legal liability will make CEOs<br>sit up and take notice...there needs to be some rationale for the<br>mega-buck paychecks these guys are raking in, and a high level of<br>personal legal risk seems to me a better rationale for today's CEO<br>salaries than some canard like "market performance". If this were<br>enacted, the "skin in the game" on the part of the CEOs might make their<br>huge salaries seem less unfair. It's plain to me that until there is<br>some downside risk to "accepting the risk" of an insecure system,<br>companies will continue to give IT Security short shrift, and I think<br>this is a sensible approach.<br><br>Several have objected based on some notion that the CEO is "not<br>responsible" for the weak controls, but I disagree. Anyone with<br>military experience will tell you that one can delegate authority, but<br>that one cannot delegate responsibility. The CEO is ultimately<br>responsible for everything the company does. 
If the CEO were to<br>suddenly start taking security seriously, (s)he would communicate that<br>to the senior staff, and the new culture would trickle down to the IT<br>Directors and others that have more direct oversight of IT security. If<br>the CEO's attitude was 'let's have the best security we can afford', and<br>monies made available in a security 'slush fund' to deal with unexpected<br>security issues, the IT Directors would no longer have to say "no" when<br>asked for the next security technology. Yes, it all ultimately comes<br>back to the CEO and the Board of Directors - their attitude about<br>security becomes the Company's attitude about security.<br><br>Cheers,<br>Troy<br><br>Troy D. Casey<br><br>-----Original Message-----<br>From: <a href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a><br>[<a href="mailto:dataloss-bounces@attrition.org">mailto:dataloss-bounces@attrition.org</a>] On Behalf Of security curmudgeon<br>Sent: Wednesday, April 09, 2008 4:33 AM<br>To: <a href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>Subject: [Dataloss] CEOs deserve jail for data breaches<br><br><br><br>---------- Forwarded message ----------<br>From: InfoSec News <<a href="mailto:alerts@infosecnews.org">alerts@infosecnews.org</a>><br><br><a href="http://www.techworld.com/security/news/index.cfm?newsID=11924">http://www.techworld.com/security/news/index.cfm?newsID=11924</a><br><br>By John E. Dunn<br>Techworld<br>08 April 2008<br><br>A growing number of security pros believe that the way to stop data<br>breaches from happening is as simple as it is stark - send the CEOs or<br>board members deemed responsible to jail.<br><br>The opinion emerged from a survey by security mainstay Websense at the<br>recent UK e-Crime Congress, which polled 107 security professionals on<br>their opinions. Seventy-nine percent believed that companies should be<br>fined for data breaches - something that does already happen in some<br>cases in the UK - 
while 59 percent were in favour of compensation for<br>consumers affected by a breach.<br><br>The most striking view of all was that the time had come to punish<br>serious data breaches with jail time for senior staff, with 25 percent<br>rating that as a necessary step. Only three percent were against any<br>form of legally-enforceable punishment.<br><br>[..]<br>_______________________________________________<br>Dataloss Mailing List (dataloss@attrition.org)<br>http://attrition.org/dataloss<br><br>Tenable Network Security offers data leakage and compliance monitoring<br>solutions for large and small networks. Scan your network and monitor<br>your traffic to find the data needing protection before it leaks out!<br>http://www.tenablesecurity.com/products/compliance.shtml<br></blockquote></div><br></div></div></body></html>