[Dataloss] CEOs deserve jail for data breaches

Allan Friedman allan_friedman at ksgphd.harvard.edu
Wed Apr 9 13:26:33 UTC 2008


The only reason to advocate this sort of measure is if we have
concrete proof that the personal-punishment type laws are more
effective than the other alternatives that have been discussed on this
list, including *effective* liability models or a shared culture of
openness and communication to prevent future breaches.

Personal criminal charges seem to be the worst of both worlds: strong
incentives not to share any information, and no real attempt to help
those hurt by breaches.

Has anyone seen any good research about the personal-responsibility
rules in SOX?

